You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Frédéric Jolliton <ht...@frederic.jolliton.com> on 2006/03/16 10:11:37 UTC
[users@httpd] Are multiple ok with wildcard cert ?
Hi,
[I already sent this message to modssl ML, but since it's about
Apache 2 I'm not sure if this place was more appropriate.]
(Apache 2.0.55, Linux 2.6)
I can't find authoritative answer about the following question.
I would like to be sure that I can have multiple VirtualHost
configured simultaneously for HTTP and HTTPS (port 80 and port 443
respectively) as presented below.
If I've a certificate with 'cn' to '*.example.com' and the following
Apache configuration, is that ok ? Currently it works fine, but I'm
not sure if I'm relying on some unspecified/undefined behaviors.
Also, is this dummy VirtualHost (the first one) the correct way to
"force" a given port to answer HTTP instead of HTTPS ? (I know that
it's the other way, where the "first" virtual host with enabled SSL
determine port with HTTPS.)
Again, there is no problems with this config, but I was just wondering
about its validity.
-=-=-
Listen 80
Listen 443
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
# Dummy empty VirtualHost to ensure than port 80 is HTTP
</VirtualHost>
<VirtualHost *:80 *:443>
Include common-ssl.conf
ServerName foo.example.com
[..]
</VirtualHost>
<VirtualHost *:80 *:443>
Include common-ssl.conf
ServerName bar.example.com
[..]
</VirtualHost>
-=-=-
and common-ssl.conf contains:
-=-=-
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile conf/ssl/web.example.com-cert.pem
SSLCertificateKeyFile conf/ssl/web.example.com-key.pem
SSLCertificateChainFile conf/ssl/root-cert.pem
[.. other SSL options ..]
</IfModule>
-=-=-
--
Frédéric Jolliton
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Are multiple ok with wildcard cert ?
Posted by Markus Mayer <my...@gmx.at>.
Then it seems I will have to find our more about the wildcard certificates,
maybe they will save me some work....
On Thursday 16 March 2006 15:49, Ryan McDonald wrote:
> Actually it is possible since a wildcard certificate is being used
>
> As long as each virtual host is valid for that certificate everything
> will work.
>
> Example wildcard certificate for *.mydomain.com
>
> and the following virtual hosts
>
> <VirtualHost *:80 *:443>
> ServerName www.mydomain.com
> ...
> </VirtualHost>
>
> <VirtualHost *:80 *:443>
> ServerName www2.mydomain.com
> ...
> </VirtualHost>
>
>
> The wildcard certificate is valid for both virtual hosts so this
> scenario will work
>
> On 16-Mar-06, at 7:48 AM, Markus Mayer wrote:
> > Hi,
> >
> > OK, I didn't make my point very well actually. Yes it works even
> > when you
> > have multiple ssl hosts on the same IP. The problem is only one
> > certificate
> > is valid, and the browser will put up a message saying something
> > like the
> > certificate is valid but not issued for this host. This is the
> > thing that
> > doesn't work that I was talking about. As for a wildcard
> > certificate, I
> > actually haven't heard of one, which of course doesn't say they
> > don't exist.
> >
> > So, to answer your question, yes, what you have will run, but it
> > doesn't
> > really make much sence, especially if you have to provide a commercial
> > solution, as I do.
> >
> > greetings from Austria
> > Markus
> >
> > On Thursday 16 March 2006 12:55, Frédéric Jolliton wrote:
> >> Hi Markus,
> >>
> >> [..]
> >>
> >>>> Again, there is no problems with this config, but I was just
> >>>> wondering about its validity.
> >>
> >> [..]
> >>
> >>> Actually, having multiple HTTPS virtual hosts on the same IP address
> >>> is not possible becasue of limitations in SSL itself.
> >>
> >> Are you sure you read my message in details ? I presented a *working*
> >> configuration (I'm running it on my server.)
> >>
> >> It's possible to have several https virtual hosts on the same IP
> >> address (on the same port), as long as the certificate's 'cn' field
> >> match all the corresponding domain names. So you need a wildcard
> >> certificate (and client supporting at least one '*' wildcard.) And to
> >> be more precise, it works even without any valid 'cn' as long as the
> >> client process https without taking care of the certificate (useless
> >> and bad, but possible.)
> >>
> >> I asked because I would like to know if it's fine to configure the
> >> server as shown in my original message.
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server
> > Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: Are multiple ok with wildcard cert ?
Posted by Ryan McDonald <rm...@futurebrand.com>.
Actually it is possible since a wildcard certificate is being used
As long as each virtual host is valid for that certificate everything
will work.
Example wildcard certificate for *.mydomain.com
and the following virtual hosts
<VirtualHost *:80 *:443>
ServerName www.mydomain.com
...
</VirtualHost>
<VirtualHost *:80 *:443>
ServerName www2.mydomain.com
...
</VirtualHost>
The wildcard certificate is valid for both virtual hosts so this
scenario will work
On 16-Mar-06, at 7:48 AM, Markus Mayer wrote:
> Hi,
>
> OK, I didn't make my point very well actually. Yes it works even
> when you
> have multiple ssl hosts on the same IP. The problem is only one
> certificate
> is valid, and the browser will put up a message saying something
> like the
> certificate is valid but not issued for this host. This is the
> thing that
> doesn't work that I was talking about. As for a wildcard
> certificate, I
> actually haven't heard of one, which of course doesn't say they
> don't exist.
>
> So, to answer your question, yes, what you have will run, but it
> doesn't
> really make much sence, especially if you have to provide a commercial
> solution, as I do.
>
> greetings from Austria
> Markus
>
> On Thursday 16 March 2006 12:55, Frédéric Jolliton wrote:
>> Hi Markus,
>>
>> [..]
>>
>>>> Again, there is no problems with this config, but I was just
>>>> wondering about its validity.
>>
>> [..]
>>
>>> Actually, having multiple HTTPS virtual hosts on the same IP address
>>> is not possible becasue of limitations in SSL itself.
>>
>> Are you sure you read my message in details ? I presented a *working*
>> configuration (I'm running it on my server.)
>>
>> It's possible to have several https virtual hosts on the same IP
>> address (on the same port), as long as the certificate's 'cn' field
>> match all the corresponding domain names. So you need a wildcard
>> certificate (and client supporting at least one '*' wildcard.) And to
>> be more precise, it works even without any valid 'cn' as long as the
>> client process https without taking care of the certificate (useless
>> and bad, but possible.)
>>
>> I asked because I would like to know if it's fine to configure the
>> server as shown in my original message.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: Are multiple ok with wildcard cert ?
Posted by Markus Mayer <my...@gmx.at>.
Hi,
OK, I didn't make my point very well actually. Yes it works even when you
have multiple ssl hosts on the same IP. The problem is only one certificate
is valid, and the browser will put up a message saying something like the
certificate is valid but not issued for this host. This is the thing that
doesn't work that I was talking about. As for a wildcard certificate, I
actually haven't heard of one, which of course doesn't say they don't exist.
So, to answer your question, yes, what you have will run, but it doesn't
really make much sence, especially if you have to provide a commercial
solution, as I do.
greetings from Austria
Markus
On Thursday 16 March 2006 12:55, Frédéric Jolliton wrote:
> Hi Markus,
>
> [..]
>
> >> Again, there is no problems with this config, but I was just
> >> wondering about its validity.
>
> [..]
>
> > Actually, having multiple HTTPS virtual hosts on the same IP address
> > is not possible becasue of limitations in SSL itself.
>
> Are you sure you read my message in details ? I presented a *working*
> configuration (I'm running it on my server.)
>
> It's possible to have several https virtual hosts on the same IP
> address (on the same port), as long as the certificate's 'cn' field
> match all the corresponding domain names. So you need a wildcard
> certificate (and client supporting at least one '*' wildcard.) And to
> be more precise, it works even without any valid 'cn' as long as the
> client process https without taking care of the certificate (useless
> and bad, but possible.)
>
> I asked because I would like to know if it's fine to configure the
> server as shown in my original message.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: Are multiple ok with wildcard cert ?
Posted by Frédéric Jolliton <ht...@frederic.jolliton.com>.
Hi Markus,
[..]
>> Again, there is no problems with this config, but I was just
>> wondering about its validity.
[..]
> Actually, having multiple HTTPS virtual hosts on the same IP address
> is not possible becasue of limitations in SSL itself.
Are you sure you read my message in details ? I presented a *working*
configuration (I'm running it on my server.)
It's possible to have several https virtual hosts on the same IP
address (on the same port), as long as the certificate's 'cn' field
match all the corresponding domain names. So you need a wildcard
certificate (and client supporting at least one '*' wildcard.) And to
be more precise, it works even without any valid 'cn' as long as the
client process https without taking care of the certificate (useless
and bad, but possible.)
I asked because I would like to know if it's fine to configure the
server as shown in my original message.
--
Frédéric Jolliton
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Are multiple ok with wildcard cert ?
Posted by Markus Mayer <my...@gmx.at>.
Hi,
Actually, having multiple HTTPS virtual hosts on the same IP address is not
possible becasue of limitations in SSL itself.
The correct and only way to handle this is to use a different IP address for
each host for which you want an HTTPS. That means setting up your servers
net interface to have multipel IP addresses, which is a simple matter on all
systems (AIX is a kind of exception though).
You will need separate certificates for each virtual host for which you want
to have an HTTPS. The config is also relatively simple. An example is:
NameVirtualHost 123.123.123.20:80
<VirtualHost webmail.myserver.com:80>
ServerName webmail.myserver.com
DocumentRoot /usr/local/apache2/htdocs/mail
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/certs/webmail_2006.key
SSLCertificateKeyFile /usr/local/apache2/conf/webmail_priv.pem
SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt
# All other config goes here.......
</VirtualHost>
<VirtualHost 123.123.123.21:80>
ServerName www.myserver.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/certs/www_2005.key
SSLCertificateKeyFile /usr/local/apache2/conf/lara3_priv.pem
SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt
# All other config goes here.......
</VirtualHost>
NameVirtualHost 123.123.123.20:443
<VirtualHost webmail.myserver.com:443>
ServerName webmail.myserver.com
DocumentRoot /usr/local/apache2/htdocs/mail
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/certs/webmail_2006.key
SSLCertificateKeyFile /usr/local/apache2/conf/webmail_priv.pem
SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt
# All other config goes here.......
</VirtualHost>
<VirtualHost 123.123.123.21:443>
ServerName www.myserver.com
DocumentRoot /usr/local/apache2/htdocs
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/certs/www_2005.key
SSLCertificateKeyFile /usr/local/apache2/conf/lara3_priv.pem
SSLCACertificateFile /usr/local/apache2/conf/certs/ca-bundle2005.crt
# All other config goes here.......
</VirtualHost>
You do this for each virtual host, remembering to use the same IP adsress for
each virtual host in the corresponding HTTP and HTTPS virtual host configs.
The only thing left to worry about is the IP stack - if you have too many
IP's on the same network port, maybe your network connection will have
problems because the IP stack may not handle it very well.
Hope this helps.
greetings from Austria
Markus
On Thursday 16 March 2006 10:11, Frédéric Jolliton wrote:
> Hi,
>
> [I already sent this message to modssl ML, but since it's about
> Apache 2 I'm not sure if this place was more appropriate.]
>
> (Apache 2.0.55, Linux 2.6)
>
> I can't find authoritative answer about the following question.
>
> I would like to be sure that I can have multiple VirtualHost
> configured simultaneously for HTTP and HTTPS (port 80 and port 443
> respectively) as presented below.
>
> If I've a certificate with 'cn' to '*.example.com' and the following
> Apache configuration, is that ok ? Currently it works fine, but I'm
> not sure if I'm relying on some unspecified/undefined behaviors.
>
> Also, is this dummy VirtualHost (the first one) the correct way to
> "force" a given port to answer HTTP instead of HTTPS ? (I know that
> it's the other way, where the "first" virtual host with enabled SSL
> determine port with HTTPS.)
>
> Again, there is no problems with this config, but I was just wondering
> about its validity.
>
> -=-=-
> Listen 80
> Listen 443
>
> NameVirtualHost *:80
> NameVirtualHost *:443
>
> <VirtualHost *:80>
> # Dummy empty VirtualHost to ensure than port 80 is HTTP
> </VirtualHost>
>
> <VirtualHost *:80 *:443>
> Include common-ssl.conf
> ServerName foo.example.com
> [..]
> </VirtualHost>
>
> <VirtualHost *:80 *:443>
> Include common-ssl.conf
> ServerName bar.example.com
> [..]
> </VirtualHost>
> -=-=-
>
> and common-ssl.conf contains:
>
> -=-=-
> <IfModule mod_ssl.c>
> SSLEngine on
> SSLCertificateFile conf/ssl/web.example.com-cert.pem
> SSLCertificateKeyFile conf/ssl/web.example.com-key.pem
> SSLCertificateChainFile conf/ssl/root-cert.pem
> [.. other SSL options ..]
> </IfModule>
> -=-=-
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org