Posted to users@httpd.apache.org by Norman Khine <no...@khine.net> on 2008/02/17 14:37:14 UTC

[users@httpd] Apache 2.2.8, SNI, SSL and Virtual Hosts

Hello,
I have some virtual hosts and would like to run SSL with different 
certificates on each. Having followed the following how-to, 
http://gentoo-wiki.com/HOWTO_Apache_with_Name_Based_Hosting_and_SSL and 
rebuilding apache with SNI support, I am having some issues in that 
domain2.com only returns the server.crt and not the one specified in my 
rule.

Here are the relevant conf files and setup:

.
|-- httpd.conf
|-- magic
|-- modules.d
|   |-- 00_apache_manual.conf
|   |-- 00_default_settings.conf
|   |-- 00_error_documents.conf
|   |-- 00_languages.conf
|   |-- 00_mod_autoindex.conf
|   |-- 00_mod_info.conf
|   |-- 00_mod_log_config.conf
|   |-- 00_mod_mime.conf
|   |-- 00_mod_status.conf
|   |-- 00_mod_userdir.conf
|   |-- 00_mpm.conf
|   |-- 10_mod_mem_cache.conf
|   |-- 12_mod_auth_mysql.conf
|   |-- 27_mod_proxy_html.conf
|   |-- 40_mod_ssl.conf
|   |-- 45_mod_dav.conf
|   |-- 46_mod_ldap.conf
|   |-- 47_mod_dav_svn.conf
|   |-- 70_mod_php5.conf
|   |-- 75_mod_perl.conf
|   |-- 80_mod_auth_pgsql.conf
|   |-- 99_mod_security.conf
|   |-- mod_security
|   `-- postinst-en.txt
|-- ssl
|   |-- domain_one.csr
|   |-- domain_one.key
|   |-- domain_one.crt
|   |-- server.crt
|   |-- server.key
|   |-- domain_two.csr
|   |-- domain_two.key
|   `-- domain_two.crt
`-- vhosts.d
     |-- 00_default_ssl_vhost.conf
     |-- 00_default_vhost.conf
     |-- domain_one.conf
     `-- domain_two.conf


#######
#domain_one.conf

<VirtualHost *:80>
   ServerName domain_one.com
           <IfModule mod_rewrite.c>
                 RewriteEngine On
                 RewriteRule ^/(.*) \
                     http://domain_one.com:7080/VirtualHostBase/http/domain_one.com:80/sites/site1/VirtualHostRoot/$1 [L,P]
           </IfModule>
   ErrorLog /var/log/apache2/domain_one_error.log
           <IfModule mod_log_config.c>
                 CustomLog /var/log/apache2/domain_one_access.log combined
           </IfModule>
   RewriteLog /var/log/apache2/domain_one_rewrite_log
</VirtualHost>

<IfDefine SSL>
   <IfDefine SSL_DEFAULT_VHOST>
       <IfModule ssl_module>
         <VirtualHost *:443>
           SSLEngine on
           SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
           SSLCertificateFile /etc/apache2/ssl/domain_one.crt
           SSLCertificateKeyFile /etc/apache2/ssl/domain_one.key

           ServerName domain_one.com
           SSLOptions StrictRequire
           SSLProtocol all -SSLv2

           <IfModule mod_rewrite.c>
                 RewriteEngine On
                 RewriteRule ^/(.*) \
                     http://domain_one.com:7080/VirtualHostBase/https/domain_one.com:443/sites/site1/VirtualHostRoot/$1 [L,P]
           </IfModule>
           <IfModule mod_log_config.c>
                 TransferLog /var/log/apache2/domain_one_ssl_access_log
           </IfModule>
           <IfModule mod_setenvif.c>
                 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
                     downgrade-1.0 force-response-1.0
           </IfModule>
           <IfModule mod_log_config.c>
                 CustomLog /var/log/apache2/domain_one_ssl_request_log \
                     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
           </IfModule>
         </VirtualHost>
     </IfModule>
   </IfDefine>
</IfDefine>

#######
#domain_two.conf

is the same as domain_one, with the only difference being the entries 
for the RewriteRule

RewriteRule ^/(.*) \
    http://domain_two.com:7080/VirtualHostBase/https/domain_two.com:443/sites/site2/VirtualHostRoot/$1 [L,P]

and the
           SSLCertificateFile /etc/apache2/ssl/domain_two.crt
           SSLCertificateKeyFile /etc/apache2/ssl/domain_two.key

also the logs etc..

Now my issue is that everything seems to work OK for domain_one.com but 
every time I try to access domain_two.com I get the certificate for the 
machine, that is server.crt and not domain_two.crt.

This is not the case in domain_one.com, where the correct certificate is 
displayed.

Even if I put the certificate for domain_one, I get the server.crt 
certificate showing.

Any ideas on how to solve this problem? And how to test SNI is working?

I have Apache 2.2.8.

Many thanks

Norman


%>>> "".join( [ {'*':'@','^':'.'}.get(c,None) or chr(97+(ord(c)-83)%26) 
for c in ",adym,*)&uzq^zqf" ] )


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache 2.2.8, SNI, SSL and Virtual Hosts

Posted by Norman Khine <no...@khine.net>.
I am testing this on FF 2.0.0.12 and Safari 3.0.3; I don't have access 
to IE7.
On FF I get the right certificate for domain_one, but on the second site 
I only get the test certificate of the server.
Is there a way to test that SNI is working correctly?
Thank you
Norman

solprovider@apache.org wrote:
> What browser are you testing?  The server may be working fine, but few
> browsers are SNI-capable.  From the page you linked:
> 
> Supported Browsers
> SNI has only recently gained support in browsers. The browsers that
> have been confirmed to support SNI by this author are:
>     * Firefox 2.0.0.12
>     * Internet Explorer 7.0.5730.11
> 
> solprovider
> 
> On 2/17/08, Norman Khine <no...@khine.net> wrote:
>> Hello,
>>  I have some virtual hosts and would like to run SSL with different
>>  certificates on each. Having followed the following how-to,
>>  http://gentoo-wiki.com/HOWTO_Apache_with_Name_Based_Hosting_and_SSL and
>>  rebuilding apache with SNI support, I am having some issues in that
>>  domain2.com only returns the server.crt and not the one specified in my
>>  rule.
>>  Even if I put the certificate for domain_one, I get the server.crt
>>  certificate showing.
>>  Any ideas on how to solve this problem? And how to test SNI is working?
>>  Norman
> 





Re: [users@httpd] Apache 2.2.8, SNI, SSL and Virtual Hosts

Posted by so...@apache.org.
What browser are you testing?  The server may be working fine, but few
browsers are SNI-capable.  From the page you linked:

Supported Browsers
SNI has only recently gained support in browsers. The browsers that
have been confirmed to support SNI by this author are:
    * Firefox 2.0.0.12
    * Internet Explorer 7.0.5730.11

solprovider

On 2/17/08, Norman Khine <no...@khine.net> wrote:
> Hello,
>  I have some virtual hosts and would like to run SSL with different
>  certificates on each. Having followed the following how-to,
>  http://gentoo-wiki.com/HOWTO_Apache_with_Name_Based_Hosting_and_SSL and
>  rebuilding apache with SNI support, I am having some issues in that
>  domain2.com only returns the server.crt and not the one specified in my
>  rule.
>  Even if I put the certificate for domain_one, I get the server.crt
>  certificate showing.
>  Any ideas on how to solve this problem? And how to test SNI is working?
>  Norman



Re: [users@httpd] Apache 2.2.8, SNI, SSL and Virtual Hosts

Posted by Krist van Besien <kr...@gmail.com>.
On Feb 17, 2008 2:37 PM, Norman Khine <no...@khine.net> wrote:

> Now my issue is that everything seems to work OK for domain_one.com but
> every time I try to access domain_two.com I get the certificate for the
> machine, that is server.crt and not domain_two.crt.
>
> This is not the case in domain_one.com, where the correct certificate is
> displayed.
>
> Even if I put the certificate for domain_one, I get the server.crt
> certificate showing.
I would guess that there might be something in your default ssl vhost
config that makes it handle requests to domain_two. Or there is an
error in domain_two.conf that makes that virtual host unavailable.
What is the output of httpd -S?

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] Apache 2.2.8, SNI, SSL and Virtual Hosts

Posted by Norman Khine <no...@khine.net>.

Eric Covener wrote:
> On Feb 17, 2008 8:37 AM, Norman Khine <no...@khine.net> wrote:
>> Hello,
>> I have some virtual hosts and would like to run SSL with different
>> certificates on each. Having followed the following how-to,
>> http://gentoo-wiki.com/HOWTO_Apache_with_Name_Based_Hosting_and_SSL and
>> rebuilding apache with SNI support, I am having some issues in that
>> domain2.com only returns the server.crt and not the one specified in my
>> rule.
> 
> Your subject says 2.2.8; it doesn't look like 2.2.8 has SNI support.
>

Isn't SNI a new feature, and isn't 2.2.8 the latest Apache release? I am 
confused.

Perhaps my issues are to do with the fact that I am doing a Rewrite as 
when I check the header that is sent to the client I get the Zope server 
details and not apache.




Re: [users@httpd] Apache 2.2.8, SNI, SSL and Virtual Hosts

Posted by Norman Khine <no...@khine.net>.
OK, by first site I am presuming they get the first site's certificate, 
in this case server.crt. This is what is happening now! I have a 
virtual host entry __default with a certificate entry to server.crt.

What I can't see is how/where I put this message, without taking the 
user from one site to another.

Thanks
Norman

Krist van Besien wrote:
> On Feb 18, 2008 11:25 AM, Norman Khine <no...@khine.net> wrote:
> 
>> For now, the next step is to figure out how to generate the message if
>> the client does not support SNI.
> 
> That's easy. If the client does not support SNI, it gets the first
> site. So the first site is where you put the information. You will
> need one vhost for clients not supporting SNI, and then one vhost for
> each of your domains for clients that do support SNI, and you need to
> configure things so that the first SSL vhost is also the "default"
> one.
> 
> Krist
> 






Re: [users@httpd] Apache 2.2.8, SNI, SSL and Virtual Hosts

Posted by Krist van Besien <kr...@gmail.com>.
On Feb 18, 2008 11:25 AM, Norman Khine <no...@khine.net> wrote:

> For now, the next step is to figure out how to generate the message if
> the client does not support SNI.

That's easy. If the client does not support SNI, it gets the first
site. So the first site is where you put the information. You will
need one vhost for clients not supporting SNI, and then one vhost for
each of your domains for clients that do support SNI, and you need to
configure things so that the first SSL vhost is also the "default"
one.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
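A vhost layout following Krist's advice, which also answers Norman's question of how to present the notice to clients that do not send SNI (an added example, not configuration from the thread). It assumes an SNI-capable httpd (2.2.12 or later; the 2.2.8 in the subject has none, as Eric notes), mod_ssl and mod_rewrite loaded, and the placeholder names and paths marked in the comments.

```apache
# Assumption: httpd 2.2.12 or later built against an OpenSSL with TLS extension
# support (2.2.8, as posted, has no SNI), mod_ssl and mod_rewrite loaded, and this
# file replacing the default and per-domain *:443 vhosts. Paths are placeholders.
NameVirtualHost *:443
# 1) First *:443 vhost = the default. Clients that send no SNI (or an unknown
#    name) land here and get server.crt plus the notice page, never site data.
<VirtualHost *:443>
    ServerName sni-required.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    # DocumentRoot holds only the notice page, index.html (assumed path)
    DocumentRoot /var/www/sni-notice
    RewriteEngine On
    # Send every request to the notice page; the condition prevents a loop.
    RewriteCond %{REQUEST_URI} !^/index\.html$
    RewriteRule ^.*$ /index.html [R=302,L]
    # "SSLStrictSNIVHostCheck on" here would instead answer non-SNI clients
    # with 403; leaving it at the default (off) serves this vhost to them.
</VirtualHost>

# 2) One vhost per domain, reachable only when the client names it via SNI.
<VirtualHost *:443>
    ServerName domain_one.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW
    SSLCertificateFile    /etc/apache2/ssl/domain_one.crt
    SSLCertificateKeyFile /etc/apache2/ssl/domain_one.key
    RewriteEngine On
    RewriteRule ^/(.*) \
        http://domain_one.com:7080/VirtualHostBase/https/domain_one.com:443/sites/site1/VirtualHostRoot/$1 [L,P]
    CustomLog /var/log/apache2/domain_one_ssl_access_log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName domain_two.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW
    SSLCertificateFile    /etc/apache2/ssl/domain_two.crt
    SSLCertificateKeyFile /etc/apache2/ssl/domain_two.key
    RewriteEngine On
    RewriteRule ^/(.*) \
        http://domain_two.com:7080/VirtualHostBase/https/domain_two.com:443/sites/site2/VirtualHostRoot/$1 [L,P]
    CustomLog /var/log/apache2/domain_two_ssl_access_log combined
</VirtualHost>
```

`httpd -S` lists the *:443 vhosts in the order they are tried and marks the first as the default server. To check that SNI is honoured, run `openssl s_client -connect host:443 -servername domain_two.com` and then the same command without `-servername`: the subject of the certificate returned shows which vhost answered each time.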



Re: [users@httpd] Apache 2.2.8, SNI, SSL and Virtual Hosts

Posted by Norman Khine <no...@khine.net>.
Hello,
OK, I have this working on FF. But I would like to now add an entry in 
the conf file for users whose browsers do not support SNI, and I was 
wondering how to generate this message?

As per how-to "..If a user's browser does not support SNI then the first 
SSL site in the configuration file will be displayed. It is recommended 
that the first entry is to a page that informs the user what the server 
requires for use."

On Safari, I get the root certificate of the server and a warning that 
this was signed by an untrusted authority.

Similarly on Mozilla 1.7.12 and Netscape.

As my application is running on Zope and I have a rewrite rule what will 
be the best way to do this? The zope https server is on 7433 and I only 
have one zope instance.

So I guess I will have the same problem.

For now, the next step is to figure out how to generate the message if 
the client does not support SNI.

Any thoughts on this?

Many thanks

Norman

Eric Covener wrote:
> On Feb 17, 2008 8:37 AM, Norman Khine <no...@khine.net> wrote:
>> Hello,
>> I have some virtual hosts and would like to run SSL with different
>> certificates on each. Having followed the following how-to,
>> http://gentoo-wiki.com/HOWTO_Apache_with_Name_Based_Hosting_and_SSL and
>> rebuilding apache with SNI support, I am having some issues in that
>> domain2.com only returns the server.crt and not the one specified in my
>> rule.
> 
> Your subject says 2.2.8; it doesn't look like 2.2.8 has SNI support.
> 





Re: [users@httpd] Apache 2.2.8, SNI, SSL and Virtual Hosts

Posted by Eric Covener <co...@gmail.com>.
On Feb 17, 2008 8:37 AM, Norman Khine <no...@khine.net> wrote:
> Hello,
> I have some virtual hosts and would like to run SSL with different
> certificates on each. Having followed the following how-to,
> http://gentoo-wiki.com/HOWTO_Apache_with_Name_Based_Hosting_and_SSL and
> rebuilding apache with SNI support, I am having some issues in that
> domain2.com only returns the server.crt and not the one specified in my
> rule.

Your subject says 2.2.8; it doesn't look like 2.2.8 has SNI support.

-- 
Eric Covener
covener@gmail.com
