Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/02/05 02:42:08 UTC

DO NOT REPLY [Bug 41537] New: - name-based virtual hosts using SSL

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41537>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41537

           Summary: name-based virtual hosts using SSL
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
               URL: http://httpd.apache.org/docs/2.0/en/vhosts/name-based.html
        OS/Version: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: minor
          Priority: P4
         Component: Documentation
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: johannes@laemmermann.eu
                CC: johannes@laemmermann.eu


It's possible to use name-based virtual hosts with SSL, with so-called
multi-domain certificates.

The documentation, found at
http://httpd.apache.org/docs/2.0/en/vhosts/name-based.html, contains:
"Name-based virtual hosting cannot be used with SSL secure servers because of
the nature of the SSL protocol."

It should be corrected to:
"Name-based virtual hosting over SSL can only be used with so-called
multi-domain certificates. More information can be found at
http://wiki.cacert.org/wiki/VhostTaskForce or
http://wiki.cacert.org/wiki/VhostsApache or
http://www.positivessl.com/ssl-certificate-products/ssl/multi-domain-ssl-certificate.html
"

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 41537] - name-based virtual hosts using SSL

Posted by bu...@apache.org.

------- Additional Comments From chuck.mcintyre@gmail.com  2007-02-20 19:28 -------
Actually, this is not just a documentation bug: httpd-2.2.4 has now broken
functionality that worked perfectly in httpd-2.2.3. That is, name-based
virtual hosting with wildcard certificates used to work, but now completely does
not. Should I file a separate certificate for this?

This is running under Centos 4.4 (x86_64).


DO NOT REPLY [Bug 41537] - name-based virtual hosts using SSL

Posted by bu...@apache.org.

------- Additional Comments From johannes@laemmermann.eu  2007-02-14 19:45 -------
(In reply to comment #1)
> I, personally, would not make that change until I saw evidence that this
> works correctly for all major browsers without creating any certificate warnings.
OK, let's have a look at
http://wiki.cacert.org/wiki/VhostTaskForce#head-7236c4e2c9932ef42056b3ff6d367053081887de
Additionally, I've set up one of my boxes with SSL virtual hosts: you can test
them with every major browser, just install the cacert.org root certificate.
https://ssltest1.hardenberg-gymnasium.de
https://ssltest2.hardenberg-gymnasium.de

Anyway, it's a good idea to put it in the SSL FAQ and just link to the FAQ.


DO NOT REPLY [Bug 41537] - name-based virtual hosts using SSL

Posted by bu...@apache.org.

------- Additional Comments From slive@apache.org  2007-02-06 07:24 -------
I, personally, would not make that change until I saw evidence that this works
correctly for all major browsers without creating any certificate warnings.

Even then, this is not a good place to throw in a bunch of details that would
confuse an already very confusing issue. It should go in the SSL FAQ.


DO NOT REPLY [Bug 41537] - name-based virtual hosts using SSL

Posted by bu...@apache.org.

chuck.mcintyre@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |chuck.mcintyre@gmail.com




------- Additional Comments From chuck.mcintyre@gmail.com  2007-02-20 19:20 -------
(In reply to comment #1)
> I, personally, would not make that change until I saw evidence that this works
> correctly for all major browsers without creating any certificate warnings.

But it does. We use this in production today. I'm surprised this warning
suddenly started coming up; it's very obnoxious, although slightly better than
the previous "cn does not match" error message.


DO NOT REPLY [Bug 41537] - name-based virtual hosts using SSL

Posted by bu...@apache.org.

------- Additional Comments From wrowe@apache.org  2007-02-26 01:14 -------
While pointing out that name-based virtual hosts can potentially work with
alt-subject common names, or wildcard certificates, it should also be pointed
out that they work with SSL Upgrade (although this is not used in practice
with any browser I'm aware of). Mostly a coding thing.

This SHOULD be documented.  But it should also be stressed that these are all
complex solutions and are frequently misconfigured, and the explanation of WHY
a 'vanilla' named virtualhost with a 'vanilla' certificate just isn't possible.

At least to the level of detail that lets us kick users out of users@ into the
documentation at a reasonable starting point for them to solve their own issue.


DO NOT REPLY [Bug 41537] - name-based virtual hosts using SSL

Posted by bu...@apache.org.

------- Additional Comments From jorton@redhat.com  2007-02-15 08:02 -------
IMO it would be vaguely irresponsible to present subjectAltName-based certs as a
"solution" to NBVH for SSL. This is a nice hack, but it's better as an
undocumented hack.

It only "works" insofar as the SSL configuration used for the configured vhosts
must be identical.  Users may be duped into thinking they can have different
SSL-level security requirements in the various vhosts: they will silently be
ignored.

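As an added example, not code from the bug report, from httpd, or from any of the commenters: a small Python check that applies the two points raised in this thread, the original report's point that the certificate has to cover every name served on the address (subjectAltName or wildcard), and the comment just above's point that the SSL settings of the vhosts sharing that address must be identical or the differing ones are silently ignored. It assumes the certificate's SAN dNSName entries are already available as a list, and that the first <VirtualHost> listed for an address is the one whose SSL directives are used for the handshake; the vhost definitions and the SAN list are constructed sample data.

```python
"""Added example (not from the bug report or from httpd): a static check for
name-based SSL virtual hosts that share one address.

Two things can go wrong in the setup discussed in this thread:
  1. a ServerName or ServerAlias is not covered by the certificate's
     subjectAltName dNSName entries (exact or wildcard), so browsers warn;
  2. the vhosts on the same address carry different SSL directives, which
     cannot all take effect because one TLS handshake serves them all.
Both the vhost definitions and the SAN list below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class VHost:
    address: str                       # the <VirtualHost> address, e.g. "*:443"
    server_name: str
    aliases: List[str] = field(default_factory=list)
    ssl_directives: Dict[str, str] = field(default_factory=dict)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname, following the usual browser
    rules: case-insensitive exact match, or a wildcard that stands for exactly
    one left-most label ('*.example.org' covers 'mail.example.org' but not
    'example.org' or 'a.b.example.org'; a bare '*.org' is refused)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if "." not in suffix:              # refuse '*.org' style patterns
        return False
    head, sep, tail = hostname.partition(".")
    return sep == "." and head != "" and tail == suffix


def uncovered_names(vhosts: List[VHost], san_dns_names: List[str]) -> List[str]:
    """Every ServerName/ServerAlias that no SAN entry covers; a browser
    reaching such a vhost gets a name-mismatch warning."""
    missing = []
    for vh in vhosts:
        for name in [vh.server_name, *vh.aliases]:
            if not any(dns_name_matches(p, name) for p in san_dns_names):
                missing.append(name)
    return missing


def ignored_ssl_directives(vhosts: List[VHost]) -> List[Tuple[str, str, Optional[str]]]:
    """Per address, compare each later vhost's SSL directives with the first
    vhost's. Assumption (matching the comment above): the first vhost listed
    for an address is the one whose SSL settings govern the handshake, so any
    differing value in a later vhost is reported as silently ignored."""
    first: Dict[str, VHost] = {}
    ignored: List[Tuple[str, str, Optional[str]]] = []
    for vh in vhosts:
        base = first.setdefault(vh.address, vh)
        if base is vh:
            continue
        for key in sorted(set(base.ssl_directives) | set(vh.ssl_directives)):
            if base.ssl_directives.get(key) != vh.ssl_directives.get(key):
                ignored.append((vh.server_name, key, vh.ssl_directives.get(key)))
    return ignored


# Constructed sample: three name-based vhosts on one address, one multi-domain
# certificate whose SAN list was written by hand for this example.
SAMPLE_SAN = ["www.example.org", "*.example.org", "example.net"]
SAMPLE_VHOSTS = [
    VHost("*:443", "www.example.org", ["example.org"],
          {"SSLProtocol": "all -SSLv2", "SSLVerifyClient": "none"}),
    VHost("*:443", "mail.example.org", [],
          {"SSLProtocol": "all -SSLv2", "SSLVerifyClient": "none"}),
    VHost("*:443", "secure.example.net", [],
          {"SSLProtocol": "all -SSLv2", "SSLVerifyClient": "require"}),
]

if __name__ == "__main__":
    for name in uncovered_names(SAMPLE_VHOSTS, SAMPLE_SAN):
        print(f"certificate does not cover {name}: browsers will warn")
    for server, key, value in ignored_ssl_directives(SAMPLE_VHOSTS):
        print(f"{server}: '{key} {value}' differs from the first vhost on its "
              f"address and will not take effect")
```

On the sample data the first check flags example.org (a wildcard does not cover the bare domain) and secure.example.net (the SAN only lists example.net), and the second flags the "SSLVerifyClient require" on the third vhost, which is exactly the kind of per-vhost security requirement the comment above warns would be silently ignored.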


DO NOT REPLY [Bug 41537] - name-based virtual hosts using SSL

Posted by bu...@apache.org.

------- Additional Comments From chuck.mcintyre@gmail.com  2007-02-20 19:35 -------
(In reply to comment #5)
> Actually, this is not just a documentation bug: httpd-2.2.4 has now broken
> functionality that worked perfectly in httpd-2.2.3. That is, name-based
> virtual hosting with wildcard certificates used to work, but now completely does
> not. Should I file a separate certificate for this?

Never mind, sorry for the spam here, but this is not true, just a documentation
thing.
