Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/07/18 14:50:46 UTC

DO NOT REPLY [Bug 42929] New: - Apache display wrong port and wrong protocol when using HTTPS VirtualHosts

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42929>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42929

           Summary: Apache display wrong port and wrong protocol when using
                    HTTPS VirtualHosts
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: software@macfreek.nl


Summary:
With a certain configuration of Virtual hosts with SSL Engine enabled, Apache
believes the client is connecting to server port 80 with protocol HTTP, while in
reality the client is connected to server port 443 with protocol HTTPS.

Steps to reproduce:
1. Install apache with mod_ssl and mod_info.
2. Create an SSL certificate. If you do it properly, create one with two
hostnames (using the altSubjectName x509 parameter); however, if you don't mind
clicking "yeah, I trust it, even though the hostname does not match" a couple of
times, you can just use any self-signed certificate.
2. Configure httpd.conf as displayed in the attachment, httpd.error.conf:
   two name-based virtual hosts, listening on port 443. The first with SSL
parameters, the second without SSL parameters.
3. For debugging, add SetHandler server-info.
4. Visit the URL with the servername in the second virtual hosts. E.g.
http://www2.example.org/server-info if you use the names in httpd.error.conf
5. Read what it says underneath "Server Settings" > "Hostname/port"

Expected result:
I expected it to read "www2.example.org:443"
Or I expected a critical error during start time of Apache because the
configuration file is arguably inconsistent (see below)

Actual result:
It reads "www2.example.org:80"

Notes:
* With this configuration, Apache is not even listening to port 80!
* If you would include mod_php, and add a script saying phpinfo();, you will see
that the HTTPS parameter is not set. I expected it to be "on"
* This "identity crisis" (wrong port, wrong protocol) has the result that a COPY
request for webdav results in a 502 Bad Gateway error.
* Note that virtual hosts with SSL is possible, as long as the same certificate
is used for both vhosts (as in this case, using subjectAltName)

Regression:
There is an easy work-around. The "correct" configuration is listed in the
attachment "httpd.good.conf". In here, both VirtualHosts do have "SSLEngine on",
and the other SSL parameters are shared among all vhosts instances (in
httpd.bad.conf, only the first vhost had SSL parameters, the second had none).

I fully understand that mod_ssl does not have knowledge of virtual hosts at the
time the SSL handshake is made. Presumably, it decides to use SSL or not based
on the first vhost for a certain IP:port combination. That is fine, and I think
perhaps desirable behaviour. What is undesirable is that if port 443 and HTTPS is
used in reality, Apache thinks that port 80 and HTTP is used. That should always
be consistent.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
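
The start-up check the reporter asks for under "Expected result" (name-based vhosts on one address:port that disagree on SSLEngine) can be approximated offline against a config file. This is an added example, not part of the bug report or of httpd; the sample config is constructed from the report's description (the hostname www1.example.org is an assumption), and a vhost without SSLEngine is treated as off, ignoring server-level settings and Include files.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the report's description, not the attachment:
# two name-based vhosts on port 443, only the first with SSL parameters.
BAD_CONF = """
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName www1.example.org
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/ssl/servercert.pem
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl/serverkey.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName www2.example.org
</VirtualHost>
"""
# The work-around from the report: every vhost on the port has "SSLEngine on".
GOOD_CONF = BAD_CONF.replace("ServerName www2.example.org",
                             "ServerName www2.example.org\n    SSLEngine on")

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def directive(body, name):
    """Return the first argument of the last uncommented `name` directive, or None."""
    hits = re.findall(rf"^[ \t]*{name}[ \t]+(\S+)", body, re.I | re.M)
    return hits[-1] if hits else None

def mixed_ssl_vhosts(conf):
    """Map each address:port to its vhosts when they disagree on SSLEngine."""
    groups = defaultdict(list)
    for addrs, body in VHOST_RE.findall(conf):
        # Simplification (assumption): no SSLEngine inside the vhost means off.
        ssl_on = (directive(body, "SSLEngine") or "off").lower() == "on"
        name = directive(body, "ServerName") or "(unnamed)"
        for addr in addrs.split():
            groups[addr].append((name, ssl_on))
    return {a: v for a, v in groups.items() if len({s for _, s in v}) > 1}

if __name__ == "__main__":
    for addr, vhosts in mixed_ssl_vhosts(BAD_CONF).items():
        print("inconsistent SSLEngine on", addr, vhosts)
```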


DO NOT REPLY [Bug 42929] - Apache display wrong port and wrong protocol when using HTTPS VirtualHosts

Posted by bu...@apache.org.

------- Additional Comments From software@macfreek.nl  2007-07-18 05:52 -------
Created an attachment (id=20526)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20526&action=view)
httpd.conf which leads to the described bug




DO NOT REPLY [Bug 42929] - Apache display wrong port and wrong protocol when using HTTPS VirtualHosts

Posted by bu...@apache.org.

------- Additional Comments From software@macfreek.nl  2007-08-03 07:50 -------
(In reply to comment #5)
> At present, any usage of SSL and name-based vhosts is not recommended and
> behavior is undocumented and not expected to be stable or consistent.

So it's a WONTFIX? I'm a bit confused by the "RESOLVED" and "INVALID" status. I
don't really understand what is resolved. Does this mean that the inconsistent
and unstable behaviour is intended?

In particular, would it be useful to spend time for making a patch, or would
that automatically be rejected because the current behaviour is intended?

I fully understand that probably the best idea for 



DO NOT REPLY [Bug 42929] - Apache display wrong port and wrong protocol when using HTTPS VirtualHosts

Posted by bu...@apache.org.

------- Additional Comments From software@macfreek.nl  2007-07-18 06:02 -------
In case you don't remember how to create a certificate (step 2 in the "steps to
reproduce"), here is the quick way:

2a. Store the 3rd attachment as ~/servercert.conf
2b. openssl req -new -x509 -nodes -config ~/servercert.conf \
    -out    /usr/local/apache2/conf/ssl/servercert.pem \
    -keyout /usr/local/apache2/conf/ssl/serverkey.pem




DO NOT REPLY [Bug 42929] - Apache display wrong port and wrong protocol when using HTTPS VirtualHosts

Posted by bu...@apache.org.

------- Additional Comments From software@macfreek.nl  2007-07-18 06:01 -------
Created an attachment (id=20528)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20528&action=view)
Quick how-to to make certificate with subjectAltNames

In case you don't remember how to create a certificate (step 2 in the "steps to
reproduce"), here is the quick way:

2a. Store attachment as ~/servercert.conf
2b. openssl req -new -x509 -nodes -config ~/servercert.conf \
    -out    /usr/local/apache2/conf/ssl/servercert.pem \
    -keyout /usr/local/apache2/conf/ssl/serverkey.pem




DO NOT REPLY [Bug 42929] - Apache display wrong port and wrong protocol when using HTTPS VirtualHosts

Posted by bu...@apache.org.

jim@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From jim@apache.org  2007-08-03 07:30 -------
At present, any usage of SSL and name-based vhosts is not recommended and behavior is
undocumented and not expected to be stable or consistent.



DO NOT REPLY [Bug 42929] - Apache display wrong port and wrong protocol when using HTTPS VirtualHosts

Posted by bu...@apache.org.

------- Additional Comments From software@macfreek.nl  2007-07-18 05:53 -------
Created an attachment (id=20527)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20527&action=view)
httpd.conf similar to the affected httpd.conf, but which works as intended

