Posted to bugs@httpd.apache.org by bu...@apache.org on 2008/08/05 23:35:23 UTC
DO NOT REPLY [Bug 45568] New: Apache shouldn't complain about
name-based SSL virtual hosts
https://issues.apache.org/bugzilla/show_bug.cgi?id=45568
Summary: Apache shouldn't complain about name-based SSL virtual
hosts
Product: Apache httpd-2
Version: 2.2.9
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P3
Component: All
AssignedTo: bugs@httpd.apache.org
ReportedBy: mdierolf@financialcontent.com
I would like to point out that name-based virtual hosts are legitimate,
acceptable, and widely used by people who purchase a wildcard SSL certificate.
Apache should not complain about name-based hosts under the same domain name.
These error messages appear when using name-based SSL hosts:
--
[Tue Aug 05 21:23:42 2008] [warn] Init: SSL server IP/port conflict:
subdomain1.domain.com:443 (/etc/apache2/httpd.conf:179) vs.
subdomain2.domain.com:443 (/etc/apache2/httpd.conf:375)
[Tue Aug 05 21:23:42 2008] [warn] Init: SSL server IP/port conflict:
subdomain1.domain.com:443 (/etc/apache2/httpd.conf:99) vs.
subdomain2.domain.com:443 (/etc/apache2/httpd.conf:375)
[Tue Aug 05 21:23:42 2008] [warn] Init: You should not use name-based virtual
hosts in conjunction with SSL!!
--
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 45568] Test ServerName Against X509 CN before
rejecting configuration with a warning
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45568
Ruediger Pluem <rp...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #2 from Ruediger Pluem <rp...@apache.org> 2008-08-06 02:17:31 PST ---
(In reply to comment #0)
> I would like to point out that name-based virtual hosts are legitimate,
> acceptable, and widely used by people who purchase a wildcard SSL certificate.
>
No they are not. Most people using them do not know what they do and are not
aware that security sensitive SSL settings are only taken from the default
virtual host.
Therefore it is still strongly discouraged to use name based virtual hosts for
SSL.
DO NOT REPLY [Bug 45568] Test ServerName Against X509 CN before
rejecting configuration with a warning
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45568
Will Rowe <wr...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|normal |enhancement
OS/Version|Linux |All
Platform|PC |All
Summary|Apache shouldn't complain about name-based SSL virtual hosts |Test ServerName Against X509 CN before rejecting configuration with a warning
--- Comment #1 from Will Rowe <wr...@apache.org> 2008-08-05 14:54:41 PST ---
The number of users using such certificates is a tiny fraction of the number
of users who misconfigure Apache.
So the appropriate bug report would be: "Test ServerName Against X509 CN before
rejecting configuration with a warning".
So I've updated your bug subject accordingly.
DO NOT REPLY [Bug 45568] Test ServerName Against X509 CN before
rejecting configuration with a warning
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45568
Will Rowe <wr...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |
--- Comment #3 from Will Rowe <wr...@apache.org> 2008-08-06 08:24:04 PST ---
Ruediger, you describe a majority of users. Certainly, they are discouraged
in the sense that users don't understand the principle. But it is not
forbidden; these error messages in a good configuration are invalid.
However, there are exceptions to that rule, so invalidating this enhancement
request isn't appropriate.
DO NOT REPLY [Bug 45568] Test ServerName Against X509 CN before
rejecting configuration with a warning
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45568
Joe Orton <jo...@redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |INVALID
--- Comment #4 from Joe Orton <jo...@redhat.com> 2008-08-07 05:13:55 PST ---
Of course the configuration is not "forbidden", these are WARNING messages.
The warning applies in a configuration using name-based SSL vhosts which share
a common wildcard cert just as they do in any other name-based SSL vhost
config. Unless you plan to propose a way to validate whether such a config
will work properly (sounds insane), there is nothing new here.
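The name check requested in the retitled bug ("Test ServerName Against X509 CN"), as an added example that is not part of the original thread and is not httpd code. The struct vhost record, the function names and the sample hosts are assumptions; it assumes the first vhost's certificate is the one presented on the shared IP:port, and it checks names only, not the SSL settings that comment #2 says are taken from the default virtual host.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record: one SSL vhost's ServerName and its certificate's CN. */
struct vhost { const char *server_name; const char *cert_cn; };

/* Case-insensitive string equality (DNS names are not case-sensitive). */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;                  /* both strings must end together */
}

/* Return 1 if host is covered by cn. "*.domain.com" covers exactly one
 * extra leftmost label; any other CN must match the whole name. */
int cn_matches(const char *cn, const char *host)
{
    if (strncmp(cn, "*.", 2) != 0)
        return eq_nocase(cn, host);
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)   /* no dot, or empty first label */
        return 0;
    return eq_nocase(dot, cn + 1);    /* compare the ".domain.com" suffixes */
}

/* Assumption: v[0] is the default vhost and its CN is what clients see.
 * Returns the index of the first ServerName not covered, or -1 if none. */
int first_uncovered(const struct vhost *v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!cn_matches(v[0].cert_cn, v[i].server_name))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample: the two names from the report, then an outsider. */
    struct vhost v[] = {
        { "subdomain1.domain.com", "*.domain.com" },
        { "subdomain2.domain.com", "*.domain.com" },
        { "www.other.example",     "*.domain.com" },
    };
    printf("two: %d, three: %d\n", first_uncovered(v, 2), first_uncovered(v, 3));
    return 0;
}
```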