Posted to users@httpd.apache.org by Dan Poirier <po...@pobox.com> on 2009/10/27 20:20:31 UTC
[users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served
Eric Covener <co...@gmail.com> writes:
> On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
> <kr...@gmail.com> wrote:
>> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener <co...@gmail.com> wrote:
>>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>>
>>> This doc is out of date due to SNI!
>>
>> The OP's version clearly doesn't yet support SNI obviously. I don't
>> think it is already an official feature in the 2.2 tree.
>
> I couldn't tell for sure if OP was just the old default vhost FAQ --
> but SNI is present in 2.2.12 and later, if you're built against a
> sufficient level of openssl.
I just updated the FAQ. I'm not sure how long it'll take for the web
site to update.
--
Dan Poirier <po...@pobox.com>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served
Posted by Eric Covener <co...@gmail.com>.
> Can someone maybe, just a little bit, say something about what SNI might be,
> and/or point to some Apache doc related to it ?
> I feel (again) like some acronym passed me by.
> And yes, I'll go check that FAQ, but as of right now in Western Europe, it
> does not talk of SNI yet.
When a client issues an HTTP/1.1 request, it supplies the desired
hostname in the Host: header. Apache uses this to determine which
name-based vhost to use.
When a client does HTTP over SSL, and both sides don't do SNI, Apache
has to perform the full handshake using parameters available before
the HTTP Host header is available -- currently just the IP and Port
the connection is being handled on. Apache can pick the cert and
cipher settings from the right IP-based vhost, but can't think about
ServerName/ServerAlias.
When a client does HTTP over SSL and both sides use SNI, the client's
initial TLS handshake includes a string that indicates the requested
server's hostname (Server Name Indication). A webserver and a security
library that understand this special extension can use it to select a
certificate/ciphers based on this very early information.
So net it's like the HTTP/1.1 Host: header, but it's stuffed into an
early handshake message, so the server can select handshake parameters
from name-based vhosts.
--
Eric Covener
covener@gmail.com
Re: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served
Posted by Joseph S <jk...@selectacast.net>.
André Warnier wrote:
>
> Can someone maybe, just a little bit, say something about what SNI
> might be, and/or point to some Apache doc related to it ?
> I feel (again) like some acronym passed me by.
> And yes, I'll go check that FAQ, but as of right now in Western
> Europe, it does not talk of SNI yet.
>
>
In the release notes for apache 2.2.12:
*) mod_ssl: Add server name indication support (RFC 4366) and better
support for name based virtual hosts with SSL. PR 34607
[Peter Sylvester <peter.sylvester edelweb.fr>,
Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
Ruediger Pluem]
[users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served
Posted by Jens Schleusener <Je...@t-systems-sfr.com>.
On Tue, 27 Oct 2009, Emmanuel Bailleul wrote:
>> Dan Poirier wrote:
>>> Eric Covener <co...@gmail.com> writes:
>>>
>>>> On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
>>>> <kr...@gmail.com> wrote:
>>>>> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener <co...@gmail.com> wrote:
>>>>>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>>>>> This doc is out of date due to SNI!
>>>>> The OP's version clearly doesn't yet support SNI obviously. I don't
>>>>> think it is already an official feature in the 2.2 tree.
>>>> I couldn't tell for sure if OP was just the old default vhost FAQ --
>>>> but SNI is present in 2.2.12 and later, if you're built against a
>>>> sufficient level of openssl.
>>>
>>> I just updated the FAQ. I'm not sure how long it'll take for the web
>>> site to update.
>>>
>>
>> Can someone maybe, just a little bit, say something about what SNI might
>> be, and/or point to some Apache doc related to it ?
>> I feel (again) like some acronym passed me by.
>> And yes, I'll go check that FAQ, but as of right now in Western Europe,
>> it does not talk of SNI yet.
>
> Hi,
>
> It's been in the Wiki for a while :
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
And a nice test site that may also help to increase SNI understanding:
https://sni.velox.ch/
Jens
RE: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served
Posted by Emmanuel Bailleul <Em...@telindus.fr>.
>Emmanuel Bailleul wrote:
>
>> Hi,
>>
>> It's been in the Wiki for a while :
>> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>>
>Thanks Eric and Emmanuel.
>I do remember now coming across the Wiki, and noticing this line, about
>browsers supporting SNI :
>
>Internet Explorer 7.0 or later (on Vista, not XP)
>
>Which was the one line to make me read the rest only in diagonals,
>because 99% of my corporate customers still use XP and not Vista (and
>probably never will use Vista).
>So, is the above item in the Wiki still actual, to anyone's knowledge ?
>
>If yes, then I'll just remember that for now Apache is ready to support
>it, but I can't use it yet because of my customers' browsers.
I recently did some tests on XP (pro) with IE7 & IE8 and came to the same conclusions.
BTW https://sni.velox.ch/ is a good place to learn & perform online checks about SNI support.
Regards.
Emmanuel
Re: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served
Posted by André Warnier <aw...@ice-sa.com>.
Emmanuel Bailleul wrote:
> Hi,
>
> It's been in the Wiki for a while :
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>
Thanks Eric and Emmanuel.
I do remember now coming across the Wiki, and noticing this line, about
browsers supporting SNI :
Internet Explorer 7.0 or later (on Vista, not XP)
which was the one line to make me read the rest only in diagonals,
because 99% of my corporate customers still use XP and not Vista (and
probably never will use Vista).
So, is the above item in the Wiki still actual, to anyone's knowledge ?
If yes, then I'll just remember that for now Apache is ready to support
it, but I can't use it yet because of my customers' browsers.
RE: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served
Posted by Emmanuel Bailleul <Em...@telindus.fr>.
>Dan Poirier wrote:
>> Eric Covener <co...@gmail.com> writes:
>>
>>> On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
>>> <kr...@gmail.com> wrote:
>>>> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener <co...@gmail.com> wrote:
>>>>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>>>> This doc is out of date due to SNI!
>>>> The OP's version clearly doesn't yet support SNI obviously. I don't
>>>> think it is already an official feature in the 2.2 tree.
>>> I couldn't tell for sure if OP was just the old default vhost FAQ --
>>> but SNI is present in 2.2.12 and later, if you're built against a
>>> sufficient level of openssl.
>>
>> I just updated the FAQ. I'm not sure how long it'll take for the web
>> site to update.
>>
>
>Can someone maybe, just a little bit, say something about what SNI might
>be, and/or point to some Apache doc related to it ?
>I feel (again) like some acronym passed me by.
>And yes, I'll go check that FAQ, but as of right now in Western Europe,
>it does not talk of SNI yet.
Hi,
It's been in the Wiki for a while :
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Emmanuel
Re: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served
Posted by André Warnier <aw...@ice-sa.com>.
Dan Poirier wrote:
> Eric Covener <co...@gmail.com> writes:
>
>> On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
>> <kr...@gmail.com> wrote:
>>> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener <co...@gmail.com> wrote:
>>>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>>> This doc is out of date due to SNI!
>>> The OP's version clearly doesn't yet support SNI obviously. I don't
>>> think it is already an official feature in the 2.2 tree.
>> I couldn't tell for sure if OP was just the old default vhost FAQ --
>> but SNI is present in 2.2.12 and later, if you're built against a
>> sufficient level of openssl.
>
> I just updated the FAQ. I'm not sure how long it'll take for the web
> site to update.
>
Can someone maybe, just a little bit, say something about what SNI might
be, and/or point to some Apache doc related to it ?
I feel (again) like some acronym passed me by.
And yes, I'll go check that FAQ, but as of right now in Western Europe,
it does not talk of SNI yet.