Posted to users@httpd.apache.org by Jorgen Lundman <lu...@lundman.net> on 2008/01/29 04:44:57 UTC
Re: [users@httpd] TLS SNI with user certificates.
As a quick hack, I set up the normal vhost to have certificate 1 (it
has to have one defined to even start, after all), then patched
set_ssl_vhost() to load a different "ctx" with certificate 2. I would leak
context like crazy, but as a quick proof of concept it would tell me if
it is feasible.
    /* head of the condition reconstructed here; the archive dropped the "if (!" */
    if (!strcasecmp(servername, "www.example.com")) {
        SSL_CTX *ctx;
        int status;

        found = TRUE;
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "example patch: loading");

        /* fresh context, never freed (the "leak like crazy" part) */
        ctx = SSL_CTX_new(SSLv23_method());
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "new ctx %p", ctx);

        /* only the certificate is loaded here: no private key, and no
         * options or verify settings copied from the vhost's existing ctx */
        status = SSL_CTX_use_certificate_file(ctx,
                                              "/etc/certs/www.example.com.pem",
                                              X509_FILETYPE_PEM);
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "loaded pem file %d", status);

        if ((ssl = ((SSLConnRec *)myConnConfig(c))->ssl) == NULL)
            return 0;
        if (!(sc = mySrvConfig(s)))
            return 0;

        /* swap this connection over to the new context */
        sc->server->ssl_ctx = ctx;
        SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
        SSL_CTX_set_app_data(ctx, s);
        return 1;
    }
For the last few lines I have tried a few combinations in my attempt to
make it work. I get the following output, however:
[Tue Jan 29 12:23:38 2008] [error] Called set_ssl_vhost with 'www.example.jp'
[Tue Jan 29 12:23:38 2008] [error] example patch: loading
[Tue Jan 29 12:23:38 2008] [error] new ctx
[Tue Jan 29 12:23:38 2008] [error] loaded pem file 1
[Tue Jan 29 12:23:38 2008] [error] Re-negotiation handshake failed: Not accepted by client!?
And Seamonkey says: "the site uses a security protocol that isn't enabled".
Am I trying to patch it in too late in the game? Has it already sent
part of the vhost certificate 1 before the example.com certificate 2?
If I create a vhost with example.com and the example.com.pem certificate 2,
as well as the default vhost, both certificates work and load
correctly. It is my hack that breaks things; I am not sure how much of
Apache's framework I need to conform to.
Jorgen Lundman wrote:
>
> What is the state with TLS/SNI at the moment? We are exploring offering
> SSL certificates to users, and in a perfect world we would like to keep
> our httpd.conf free of provisioning.
>
> Apache 2.2.0
> OpenSSL-0.9.8e
>
> At the moment, all users' vhosts are defined as:
>
> <VirtualHost *:80>
> VirtualDocumentRoot "/export/nfs/www/%-1/%-2.-1/%-2.-2/%-2+/"
>
> So a request for http://www.example.com/$path would translate as
> /export/nfs/www/com/e/l/www.example/$path
>
> If that directory exists it is served.
>
> What would be ideal is if a user had a certificate as:
>
> /export/nfs/www/com/e/l/www.example/.certificate
>
> Then SSL TLS/SNI would use it and "everything would just work".
> (Minus Safari and Konqueror from our current tests)
>
>
>
> Possible right now? Possible if I add a little code?
>
> Lundy
>
>
--
Jorgen Lundman | <lu...@lundman.net>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
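The two things Jorgen is after, choosing a certificate per SNI name at handshake time and finding that certificate through the VirtualDocumentRoot directory layout from his first message, can be shown end to end without touching mod_ssl. The following is an added example written for this page in Go, not code from the thread or from the Apache project: Go's tls.Config.GetCertificate hook is invoked while the server processes the ClientHello, before any Certificate message is sent, which is the same point in the handshake at which OpenSSL's servername callback (and so set_ssl_vhost()) runs. The function names (vhostDir, selfSigned, certStore, newStore, handshakeCN), the "default.invalid" name for the catch-all vhost certificate, and the in-memory certificate store standing in for per-directory .certificate files are all assumptions of this example; the "/export/nfs/www/%-1/%-2.-1/%-2.-2/%-2+/" pattern and the www.example.com -> /export/nfs/www/com/e/l/www.example mapping come from the thread. Unknown or absent SNI falls back to the default certificate rather than aborting the handshake, which is the behaviour a browser without SNI (the Safari and Konqueror cases mentioned) would rely on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"path"
	"strings"
	"time"
)

// vhostDir applies the thread's pattern "/export/nfs/www/%-1/%-2.-1/%-2.-2/%-2+/":
// last label, last and second-to-last character of the penultimate label, then
// that label plus everything before it (www.example.com -> /export/nfs/www/com/e/l/www.example).
func vhostDir(host string) (string, error) {
	parts := strings.Split(strings.ToLower(host), ".")
	if len(parts) < 2 || len(parts[len(parts)-2]) < 2 || parts[len(parts)-1] == "" {
		return "", fmt.Errorf("cannot map host %q", host)
	}
	sec, n := parts[len(parts)-2], len(parts[len(parts)-2])
	return path.Join("/export/nfs/www", parts[len(parts)-1], sec[n-1:],
		sec[n-2:n-1], strings.Join(parts[:len(parts)-1], ".")), nil
}

// selfSigned mints a throwaway certificate for one host name: constructed test
// material standing in for a user's ".certificate" file (hence panic on failure).
func selfSigned(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// certStore: the default vhost's certificate plus one per user directory,
// keyed by the directory vhostDir computes (assumed layout, not a real file tree).
type certStore struct {
	defaultCert tls.Certificate
	byDir       map[string]tls.Certificate
}

func newStore(hosts []string) (*certStore, error) {
	cs := &certStore{defaultCert: selfSigned("default.invalid"), byDir: map[string]tls.Certificate{}}
	for _, h := range hosts {
		dir, err := vhostDir(h)
		if err != nil {
			return nil, err
		}
		cs.byDir[dir] = selfSigned(h)
	}
	return cs, nil
}

// getCertificate is the SNI hook: Go runs it while processing the ClientHello,
// before any certificate is sent. Unknown or absent SNI gets the default vhost cert.
func (cs *certStore) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if dir, err := vhostDir(hello.ServerName); err == nil {
		if c, ok := cs.byDir[dir]; ok {
			return &c, nil
		}
	}
	return &cs.defaultCert, nil
}

// handshakeCN runs one handshake over an in-memory pipe and returns the CN of
// the leaf certificate the client received when it sent serverName as SNI.
func handshakeCN(cs *certStore, serverName string) (string, error) {
	srvConn, cliConn := net.Pipe()
	errCh := make(chan error, 1)
	go func() { // tickets off: a post-handshake write would block on net.Pipe
		errCh <- tls.Server(srvConn, &tls.Config{GetCertificate: cs.getCertificate,
			SessionTicketsDisabled: true}).Handshake()
	}()
	// InsecureSkipVerify only because the certs are self-signed test material.
	cli := tls.Client(cliConn, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	if err := <-errCh; err != nil {
		return "", err
	}
	return cli.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Calling handshakeCN(cs, "www.example.jp") against a store built for www.example.com and www.example.jp returns "www.example.jp", while "nobody.example.org" or an empty server name (no SNI extension at all) returns "default.invalid". The design point is that the per-name certificate is chosen once, from the ClientHello, and handed back as a complete certificate-plus-key pair; nothing from the default vhost's session is reused, and there is no later swap of context mid-handshake.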
Re: [users@httpd] TLS SNI with user certificates.
Posted by Vincent Bray <no...@gmail.com>.
Hi,
I'd suggest taking this to the dev@httpd.apache.org mailing list. Tell
them I sent you if they complain ;-)
--
noodl