Posted to users@httpd.apache.org by Jason Beebe <ja...@atalus.net> on 2005/09/20 08:22:03 UTC

[users@httpd] Virt Host not Working under SSL

Hi,

I am running Apache 2. I am quite familiar with 1 and 2, but I am having an
odd problem with the Virtual Hosts on my Apache 2 server. All of the domains
run off of a single domain.

Here is what is baffling me. I have 3 virt host records in ssl.conf. When
accessing any of the domains through http, they all display fine. One of the
3 domains has always had a cert, and it worked. However, the other two
recently needed SSL as well. 

I am using basically an unedited version of ssl.conf, aside from the
modifications of the virtual host directives.

The odd part is, when I access the domains with https://, it pulls the
proper file, so it is using the correct doc root for each directive; however,
it throws an SSL cert warning that the cert name doesn't match the domain
name. Upon viewing it, it is saying the name is the cert from the first SSL
virt host directive. This is quite reminiscent of when a domain not configured
properly in Apache will default to the first entry that uses the same IP the
FQDN is assigned to.

So what is so baffling to me is when accessing the domain via https:// it
does pull up the proper website, but Apache looks like it is defaulting to
the key/crt pair of the first entry.

I've viewed each key/cert to make sure somehow an exact copy hadn't
overwritten another. They are all unique.

Please let me know what the problem is here. I have never experienced this
under Apache 1.3.

Below is the ssl.conf (I've only edited the file names and IP ever so
slightly. I 100% assure you there were no typos that would concern us as to
what the real file names were). The certs are from freessl.com's RapidSSL.
I have mentioned 3 domains, but I scrapped the directive for the third one
until I can get it working with just 2.

ssl.conf -------------------------------------
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

<IfDefine SSL>

#
# When we also provide SSL we have to listen to the 
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shmht:/usr/local/httpd/logs/ssl_scache(512000)
#SSLSessionCache        shmcb:/usr/local/httpd/logs/ssl_scache(512000)
SSLSessionCache         dbm:/usr/local/httpd/logs/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization. 
SSLMutex  file:/usr/local/httpd/logs/ssl_mutex

##
## SSL Virtual Host Context
##
NameVirtualHost 67.15.107.000:443
<VirtualHost 67.15.107.000:443>
DocumentRoot "/www/cftb.com"
ServerName www.cftb.com:443
ServerAdmin admin@cftb.com
ErrorLog /usr/local/httpd/logs/error_log
TransferLog /usr/local/httpd/logs/access_log
SSLEngine On
# Stock mod_ssl 2.0 default cipher list; note it still admits SSLv2, export and NULL ciphers
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/httpd/conf/ssl.crt/cftb.com.crt
SSLCertificateKeyFile /usr/local/httpd/conf/ssl.key/cftb.com.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/httpd/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog /usr/local/httpd/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>                                  
<VirtualHost 67.15.107.000:443>
DocumentRoot "/www/50b.com"
ServerName www.50b.com:443
ServerAdmin admin@50b.com
ErrorLog /usr/local/httpd/logs/error_log
TransferLog /usr/local/httpd/logs/access_log
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/httpd/conf/ssl.crt/50b.com.crt
SSLCertificateKeyFile /usr/local/httpd/conf/ssl.key/50b.com.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/httpd/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0  
CustomLog /usr/local/httpd/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Virt Host not Working under SSL

Posted by Dmitriy Kirhlarov <dk...@oilspace.com>.
On Tue, Sep 20, 2005 at 09:08:09AM +0200, Davide Bianchi wrote:
> Dmitriy Kirhlarov wrote:
> > I think it is possible with some tricks.
> > 1. SSL certificate with more than 1 DNS name. (see openssl.cnf for subjectAltNames)
> 
> You'll still receive a warning from your browser that complains about
> the fact that the 'certificate doesn't match the name of the site'.

Hm.. You sure?
We _have_ the site name in the certificate.
It works for me with LDAP, but I have never tried this with Apache.

WBR
-- 
Dmitriy Kirhlarov
OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia
P:+7 095 105 7247 F:+7 095 105 7246 E:DmitriyKirhlarov@oilspace.com
OILspace - The resource enriched - www.oilspace.com



Re: [users@httpd] Virt Host not Working under SSL

Posted by Davide Bianchi <da...@onlyforfun.net>.
Dmitriy Kirhlarov wrote:
> I think it is possible with some tricks.
> 1. SSL certificate with more than 1 DNS name. (see openssl.cnf for subjectAltNames)

You'll still receive a warning from your browser that complains about
the fact that the 'certificate doesn't match the name of the site'.

Davide

-- 
Is there a tape drive that isn't a DLT that doesn't suck dead weasels
through a lint-clogged dryer hose?
--Peter da Silva



Re: [users@httpd] Virt Host not Working under SSL

Posted by Dmitriy Kirhlarov <dk...@oilspace.com>.
On Tue, Sep 20, 2005 at 08:39:02AM +0200, Krist van Besien wrote:
> On 9/20/05, Jason Beebe <ja...@atalus.net> wrote:
> 
> > So what is so baffling to me is when accessing the domain via https:// it
> > does pull up the proper website, but Apache looks like it is defaulting to
> > the key/crt pair of the first entry.
> 
> From the Apache SSL FAQ:

BUT!

I think it is possible with some tricks.
1. SSL certificate with more than 1 DNS name. (see openssl.cnf for subjectAltNames)
2. Squid, installed in accelerator mode. The SSL layer terminates on Squid. The squid-apache connection is plain HTTP without SSL (maybe a redirector, for example jesred http://www.scn.rain.com/pub/network/www/, must be used).

Not very easy, and it needs experiments, but I think it is possible.

WBR
-- 
Dmitriy Kirhlarov
OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia
P:+7 095 105 7247 F:+7 095 105 7246 E:DmitriyKirhlarov@oilspace.com
OILspace - The resource enriched - www.oilspace.com



RE: [users@httpd] Virt Host not Working under SSL

Posted by Jason Beebe <ja...@atalus.net>.
So my only option is to get a new IP address assigned for each?

Thanks for the quick reply.

-----Original Message-----
From: Krist van Besien [mailto:krist.vanbesien@gmail.com] 
Sent: Monday, September 19, 2005 11:39 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Virt Host not Working under SSL

On 9/20/05, Jason Beebe <ja...@atalus.net> wrote:

> So what is so baffling to me is when accessing the domain via https:// it
> does pull up the proper website, but Apache looks like it is defaulting to
> the key/crt pair of the first entry.

From the Apache SSL FAQ:

"Why is it not possible to use Name-Based Virtual Hosting to identify
different SSL virtual hosts?

Name-Based Virtual Hosting is a very popular method of identifying
different virtual hosts. It allows you to use the same IP address and
the same port number for many different sites. When people move on to
SSL, it seems natural to assume that the same method can be used to
have lots of different SSL virtual hosts on the same server.

It comes as rather a shock to learn that it is impossible.

The reason is that the SSL protocol is a separate layer which
encapsulates the HTTP protocol. So the problem is that the SSL session
is a separate transaction that takes place before the HTTP session
even starts. Therefore all the server receives is an SSL request on IP
address X and port Y (usually 443). Since the SSL request does not
contain any Host: field, the server has no way to decide which SSL
virtual host to use. Usually, it will just use the first one it finds
that matches the port and IP address."

Krist

-- 
krist.vanbesien@gmail.com
Solothurn, Switzerland



Re: [users@httpd] Virt Host not Working under SSL

Posted by Krist van Besien <kr...@gmail.com>.
On 9/20/05, Jason Beebe <ja...@atalus.net> wrote:

> So what is so baffling to me is when accessing the domain via https:// it
> does pull up the proper website, but Apache looks like it is defaulting to
> the key/crt pair of the first entry.

From the Apache SSL FAQ:

"Why is it not possible to use Name-Based Virtual Hosting to identify
different SSL virtual hosts?

Name-Based Virtual Hosting is a very popular method of identifying
different virtual hosts. It allows you to use the same IP address and
the same port number for many different sites. When people move on to
SSL, it seems natural to assume that the same method can be used to
have lots of different SSL virtual hosts on the same server.

It comes as rather a shock to learn that it is impossible.

The reason is that the SSL protocol is a separate layer which
encapsulates the HTTP protocol. So the problem is that the SSL session
is a separate transaction that takes place before the HTTP session
even starts. Therefore all the server receives is an SSL request on IP
address X and port Y (usually 443). Since the SSL request does not
contain any Host: field, the server has no way to decide which SSL
virtual host to use. Usually, it will just use the first one it finds
that matches the port and IP address."

Krist

-- 
krist.vanbesien@gmail.com
Solothurn, Switzerland

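The following is an added example, not code from any post in this thread and not httpd's own code. It models the two selection steps the FAQ text quoted above describes: at handshake time mod_ssl of that era knows only the destination IP:port and takes the first SSLEngine On vhost bound to it, and only after decryption does the Host: header steer the request to the right DocumentRoot. That is exactly the symptom Jason reports (correct site, wrong certificate). The parsed config is a constructed, trimmed copy of the two <VirtualHost> blocks from the original post; the second address 67.15.107.001 used to show the one-IP-per-SSL-host fix is hypothetical, and the lint function flags any address that carries more than one SSL vhost. For context beyond the thread: httpd 2.2.12 and later, built against an OpenSSL with TLS extensions, support Server Name Indication, which carries the hostname in the ClientHello and lifts this limitation for clients that send it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def make_ssl_conf(cftb_addr: str, b50_addr: str) -> str:
    """Constructed ssl.conf fragment (trimmed from the post); the addresses
    are parameters so the colliding and the fixed layouts can be compared."""
    return f"""
NameVirtualHost {cftb_addr}
<VirtualHost {cftb_addr}>
DocumentRoot "/www/cftb.com"
ServerName www.cftb.com:443
SSLEngine On
SSLCertificateFile /usr/local/httpd/conf/ssl.crt/cftb.com.crt
SSLCertificateKeyFile /usr/local/httpd/conf/ssl.key/cftb.com.key
</VirtualHost>
<VirtualHost {b50_addr}>
DocumentRoot "/www/50b.com"
ServerName www.50b.com:443
SSLEngine On
SSLCertificateFile /usr/local/httpd/conf/ssl.crt/50b.com.crt
SSLCertificateKeyFile /usr/local/httpd/conf/ssl.key/50b.com.key
</VirtualHost>
"""


@dataclass
class VHost:
    address: str             # "ip:port" from the <VirtualHost ...> tag
    server_name: str = ""    # ServerName without its :port suffix
    document_root: str = ""
    cert_file: str = ""
    ssl_engine: bool = False


def parse_vhosts(conf: str) -> List[VHost]:
    """Minimal parser for just the directives this model needs (not httpd's)."""
    vhosts: List[VHost] = []
    current: Optional[VHost] = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            current = VHost(address=opened.group(1).strip())
            continue
        if line.lower() == "</virtualhost>" and current is not None:
            vhosts.append(current)
            current = None
            continue
        if current is None:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "servername":
            current.server_name = value.rsplit(":", 1)[0] if ":" in value else value
        elif key == "documentroot":
            current.document_root = value
        elif key == "sslcertificatefile":
            current.cert_file = value
        elif key == "sslengine":
            current.ssl_engine = value.lower() == "on"
    return vhosts


def select_tls_vhost(vhosts: List[VHost], ip: str, port: int) -> Optional[VHost]:
    """Handshake-time choice: first SSL-enabled vhost bound to ip:port. The
    requested hostname is deliberately not a parameter; without SNI the
    server does not have it yet, so the certificate comes from this vhost."""
    for v in vhosts:
        if v.ssl_engine and v.address == f"{ip}:{port}":
            return v
    return None


def select_http_vhost(vhosts: List[VHost], ip: str, port: int, host: str) -> Optional[VHost]:
    """Post-decryption choice: name-based match on Host:, falling back to the
    first vhost for the address, which is the ordinary httpd behaviour."""
    bound = [v for v in vhosts if v.address == f"{ip}:{port}"]
    for v in bound:
        if v.server_name.lower() == host.lower():
            return v
    return bound[0] if bound else None


def serve_https(vhosts: List[VHost], ip: str, port: int, host: str) -> dict:
    """Outcome of one https://host/ request to ip:port: certificate presented,
    DocumentRoot that answered, and whether the browser will warn."""
    tls = select_tls_vhost(vhosts, ip, port)
    http = select_http_vhost(vhosts, ip, port, host)
    if tls is None or http is None:
        return {"error": f"no SSL vhost bound to {ip}:{port}"}
    return {
        "cert_file": tls.cert_file,
        "cert_name": tls.server_name,
        "document_root": http.document_root,
        "name_mismatch": tls.server_name.lower() != host.lower(),
    }


def find_colliding_ssl_vhosts(vhosts: List[VHost]) -> Dict[str, List[str]]:
    """Lint: every address with more than one SSLEngine On vhost shows the
    symptom from the post for all but its first vhost."""
    by_addr: Dict[str, List[str]] = {}
    for v in vhosts:
        if v.ssl_engine:
            by_addr.setdefault(v.address, []).append(v.server_name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


if __name__ == "__main__":
    broken = parse_vhosts(make_ssl_conf("67.15.107.000:443", "67.15.107.000:443"))
    print("collisions:", find_colliding_ssl_vhosts(broken))
    for name in ("www.cftb.com", "www.50b.com"):
        print(name, serve_https(broken, "67.15.107.000", 443, name))
    # Hypothetical second address: one IP per SSL vhost, the fix the thread points to.
    fixed = parse_vhosts(make_ssl_conf("67.15.107.000:443", "67.15.107.001:443"))
    print("collisions after fix:", find_colliding_ssl_vhosts(fixed))
    print("www.50b.com", serve_https(fixed, "67.15.107.001", 443, "www.50b.com"))
```

Running the script on the colliding layout reports www.50b.com being answered from /www/50b.com with cftb.com.crt and a name mismatch, which is the warning Jason sees; on the two-address layout the lint is empty and each name gets its own certificate. A certificate whose subjectAltName lists both names, as Dmitriy suggests, would clear the browser warning but not change which file the first vhost presents, so the lint would still flag the shared address.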