Posted to users@httpd.apache.org by Florent Georges <da...@yahoo.fr> on 2009/11/21 17:54:38 UTC

[users@httpd] Name virtual hosts and HTTPS

  Hi,

  I have one server on which I run two virtual hosts, say site1
and site2.  They have run very well for HTTP stuff for months.  Site1
also has HTTPS access configured.  I am trying to add HTTPS
support for site2 as well.  So I created a new SSL certificate
and added a new file in sites-available/:

    > cat /etc/apache2/sites-available/site1-https
    NameVirtualHost *:443
    <VirtualHost *:443>
        Servername www.site1.com
        SSLEngine on
        SSLCertificateFile site.crt
        SSLCertificateKeyFile site1.key
        DocumentRoot /var/site1/htsdocs/
    </VirtualHost>

    > cat /etc/apache2/sites-available/site2-https
    NameVirtualHost *:443
    <VirtualHost *:443>
        Servername www.site2.com
        SSLEngine on
        SSLCertificateFile site2.crt
        SSLCertificateKeyFile site2.key
        DocumentRoot /var/site2/htsdocs/
    </VirtualHost>

and enabled the second HTTPS web site with a2ensite.

  The problem is that when I try to access site1 over HTTPS, it
provides me with the certificate for site2...

  I double-checked the documentation with my very low Apache
skills, but did not find anything about that problem.  Did I
miss something?

  Regards,

-- 
Florent Georges

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Name virtual hosts and HTTPS

Posted by Iñigo Medina <im...@grosshat.com>.
> Only the latest Apache (2.2.14) and OpenSSL built with the
> tlsextensions options support this.

What about apache with mod_gnutls? Look at this tooltip from 2007:
http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

> Also, not every client support SNI, unfortunately.

Yep, that's true. Look at what wikipedia says about that:
http://en.wikipedia.org/wiki/Server_Name_Indication#Browsers


iñ

Re: [users@httpd] Name virtual hosts and HTTPS

Posted by Brian Mearns <me...@gmail.com>.
On Sun, Nov 22, 2009 at 1:22 PM, Florent Georges <da...@yahoo.fr> wrote:
> Peter Schober wrote:
>
>  Thanks all for your responses!
>
>> Or put all vhosts in the certificate (as X.509v3 SubjectAltName
>> extensions) and serve up the same cert on every vhost.
>
>  Yes, that's what I started to think after having seen the other responses.
>
>> How you put these in the CSR is not part of this list and
>> depends on your CA (some require to put all hostnames in the CN,
>> i.e. multi-valued CNs, others require to stick these in the
>> v3 extension.)
>
>  Well, I must admit I am not familiar with this vocabulary: CSR, CA, CN?
>
>  Thanks again,
>
> --
> Florent Georges
[snip]

CSR - Certificate Signing Request, the thing you send to a certificate
authority to request a certificate from them.
CA - The certificate authority who signs your certificate.
CN - Common Name, the thing that identifies the entity to whom the
cert belongs. For web sites, this is the exact domain name of your
website; otherwise the client will complain.

Thanks to all for the follow-up to my response; I had no idea there
were so many ways to do this. I just spent a few hours a couple of days
ago upgrading to 2.2.14 so I could do exactly this.

-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net



Re: [users@httpd] Name virtual hosts and HTTPS

Posted by Florent Georges <da...@yahoo.fr>.
Peter Schober wrote:

  Thanks all for your responses!

> Or put all vhosts in the certificate (as X.509v3 SubjectAltName
> extensions) and serve up the same cert on every vhost.

  Yes, that's what I started to think after having seen the other responses.

> How you put these in the CSR is not part of this list and
> depends on your CA (some require to put all hostnames in the CN,
> i.e. multi-valued CNs, others require to stick these in the
> v3 extension.)

  Well, I must admit I am not familiar with this vocabulary: CSR, CA, CN?

  Thanks again,

-- 
Florent Georges



Re: [users@httpd] Name virtual hosts and HTTPS

Posted by Peter Schober <pe...@univie.ac.at>.
* Brian Mearns <me...@gmail.com> [2009-11-21 18:02]:
> Only the latest Apache (2.2.14) and OpenSSL built with the
> tlsextensions options support this. It's called SNI (Server Name
> Identification), where the client can send the fully qualified domain
> name as part of the handshake process. Without this, the server has no
> way of knowing which vhost the client is looking for until the
> certificate has already been presented (because the Host: HTTP request
> header is part of the encrypted payload, which can't be sent until the
> client has the cert), so it can't choose SSL options (including the
> cert file) based on host name.

Or put all vhosts in the certificate (as X.509v3 SubjectAltName
extensions) and serve up the same cert on every vhost.
How you put these in the CSR is not part of this list and depends on
your CA (some require to put all hostnames in the CN,
i.e. multi-valued CNs, others require to stick these in the v3
extension.)
-peter

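A worked example (added here; it is mine, not code from the thread) of the single-certificate approach Peter describes, which also puts Brian's CSR/CA/CN glossary into practice: one key, a CSR that carries both vhost names as X.509v3 SubjectAltName entries, and, standing in for what the CA would hand back, a self-signed certificate with the same extension. The hostnames www.site1.com and www.site2.com are the thread's; the file names, the v3_san section name and the helper functions are my own choices. Clients that find a SubjectAltName in a certificate use it and ignore the CN (RFC 2818), so whatever the CA wants in the CN, the names must be in the extension.

```shell
#!/bin/sh
# Added example: one certificate covering both name-based vhosts via SubjectAltName.
set -eu

DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT

# Hostnames from the thread (constructed); replace with your own.
HOSTS="www.site1.com www.site2.com"

# Build "DNS:www.site1.com,DNS:www.site2.com" from $HOSTS.
san_list() {
  list=""
  for h in $HOSTS; do list="${list:+$list,}DNS:$h"; done
  printf '%s' "$list"
}

# Minimal openssl config. The names go into an x509v3 extension section
# (v3_san), not into the CN; the CN just holds the first name.
cat > "$DIR/san.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = www.site1.com
[v3_san]
subjectAltName = $(san_list)
EOF

# Private key, kept unencrypted so Apache can start without a passphrase prompt.
openssl genrsa -out "$DIR/site.key" 2048 2>/dev/null

# CSR: this is what you would send to the CA. -reqexts puts the SAN into the request.
openssl req -new -key "$DIR/site.key" -config "$DIR/san.cnf" \
  -reqexts v3_san -out "$DIR/site.csr"

# Self-signed certificate for local testing. A real CA signs the CSR instead;
# -extfile/-extensions copy the SAN into the issued certificate.
openssl x509 -req -in "$DIR/site.csr" -signkey "$DIR/site.key" -days 1 \
  -extfile "$DIR/san.cnf" -extensions v3_san -out "$DIR/site.crt" 2>/dev/null

# DNS names a client will accept for this certificate, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Exact SAN match only; wildcard entries are not interpreted here.
cert_covers() {
  cert_dns_names "$1" | grep -qx "$2"
}

cert_dns_names "$DIR/site.crt"
cert_covers "$DIR/site.crt" www.site2.com && echo "www.site2.com: covered"
cert_covers "$DIR/site.crt" www.site3.com || echo "www.site3.com: not covered"
```

With one certificate there is nothing left for the server to choose: point SSLCertificateFile and SSLCertificateKeyFile in both `<VirtualHost *:443>` blocks at the same pair, and clients that send no SNI still get a certificate whose names match.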


Re: [users@httpd] Name virtual hosts and HTTPS

Posted by Brian Mearns <me...@gmail.com>.
On Sat, Nov 21, 2009 at 11:54 AM, Florent Georges <da...@yahoo.fr> wrote:
>  Hi,
>
>  I have one server on which I run two virtual hosts, say site1
> and site2.  They have run very well for HTTP stuff for months.  Site1
> also has HTTPS access configured.  I am trying to add HTTPS
> support for site2 as well.  So I created a new SSL certificate
> and added a new file in sites-available/:
>
>    > cat /etc/apache2/sites-available/site1-https
>    NameVirtualHost *:443
>    <VirtualHost *:443>
>        Servername www.site1.com
>        SSLEngine on
>        SSLCertificateFile site.crt
>        SSLCertificateKeyFile site1.key
>        DocumentRoot /var/site1/htsdocs/
>    </VirtualHost>
>
>    > cat /etc/apache2/sites-available/site2-https
>    NameVirtualHost *:443
>    <VirtualHost *:443>
>        Servername www.site2.com
>        SSLEngine on
>        SSLCertificateFile site2.crt
>        SSLCertificateKeyFile site2.key
>        DocumentRoot /var/site2/htsdocs/
>    </VirtualHost>
>
> and enabled the second HTTPS web site with a2ensite.
>
>  The problem is that when I try to access site1 over HTTPS, it
> provides me with the certificate for site2...
>
>  I double-checked the documentation with my very low Apache
> skills, but did not find anything about that problem.  Did I
> miss something?
>
>  Regards,
>
> --
> Florent Georges
>
[snip]

Only the latest Apache (2.2.14) and OpenSSL built with the
tlsextensions options support this. It's called SNI (Server Name
Identification), where the client can send the fully qualified domain
name as part of the handshake process. Without this, the server has no
way of knowing which vhost the client is looking for until the
certificate has already been presented (because the Host: HTTP request
header is part of the encrypted payload, which can't be sent until the
client has the cert), so it can't choose SSL options (including the
cert file) based on host name.

Also, not every client supports SNI, unfortunately. I think most modern
browsers do, but notably MSIE before 7, or any version running on an OS
earlier than Vista, do not (if I'm remembering correctly). Those
clients will always see the same cert no matter what name-based vhost
they go to. It's a bummer, but a well-known limitation of SSL.

-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
