Posted to users@httpd.apache.org by Sander Temme <sc...@apache.org> on 2007/03/19 07:04:10 UTC

[users@httpd] Request for Input: ApacheCon SSL Training

Dear list,

As I prepare my training session titled "Practical SSL Implementation
with Apache" for the upcoming ApacheCon EU conference, I would like  
to take a moment and request your feedback.

http://www.eu.apachecon.com/program/talk/120

If you were to attend a half day training session on SSL and Apache,  
what would you like to see covered?  I will be discussing, among  
other topics:

*) Configuring Apache httpd as an SSL server, starting with a
    practical configuration and building from there
*) A concise discussion of the cryptography behind the whole
    thing, to provide context
*) Working with Certificate Authorities and Public Key Infrastructure
*) Client-side Certificate Authentication
*) Integration of SSL with application code

In doing my research I see that there is a lot of half-valid, well  
hidden information out there on the various topics and I'd love to  
present it all in one place at the training.  I'll have to see what I  
can squeeze into a half day--I could talk for days about this stuff  
and still not be done.  Any recommendations regarding the material or  
where the emphasis should be?  Holes I need to fill?  Suggestions are  
welcome privately or to the list.

Thanks,

Sander

-- 
sctemme@apache.org            http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF



RE: [users@httpd] Request for Input: ApacheCon SSL Training

Posted by Chirouze Olivier <ol...@volvo.com>.
Hi Issac, thanks for the info.
I'll read the RFC carefully.
Regarding mod_ssl, a quick look at the FAQ doesn't seem to prove it's
supported: http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

Could you give more information about potential mod_ssl supporting name
based vhosts? I suppose the FAQ could be out of date...

Thanks,

Olivier

Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology
 

> -----Original Message-----
> From: Issac Goldstand [mailto:margol@beamartyr.net] 
> Sent: 19 March 2007 11:15
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Request for Input: ApacheCon SSL Training

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Request for Input: ApacheCon SSL Training

Posted by Issac Goldstand <ma...@beamartyr.net>.
Wildcard support shouldn't have to be official, because there *is*
name-based virtualhost support for SSL.  It's well documented in RFC
2817 and 2818 and according to the cipher list, is supported by most
recent versions of mod_ssl in Apache 2.x

If you want to push "how to better allow for name-based SSL", it
shouldn't be to find more workarounds - it should be about how to get
the existing standards into more servers and browsers and make their use
a standard practice.

Just my $0.02,
   Issac


Chirouze Olivier wrote:




RE: [users@httpd] Request for Input: ApacheCon SSL Training

Posted by Chirouze Olivier <ol...@volvo.com>.
Hi,

I'm sorry I always insist on wildcard certificates being not officially
supported by Apache, but I think that's something to know about. You can
save a bunch of dollars a year with this trick ;-)

Here's what I recently wrote for a doc, feel free to correct me if I'm
wrong:

------------------------------------------------------------------------------------------------------------
Name based virtual hosting is not officially compatible with HTTPS.

The reason is:
1)	the request received by Apache is encrypted: only the source and
destination IP addresses can be read by Apache (it is in the TCP header,
not the encrypted HTTP request)
2)	for this reason, when using name based virtual host, no virtual
host can be associated with the HTTPS request
3)	by default, the first SSLCertificateFile directive found is
used: the first SSL certificate found is used

However, if a single "wildcard" certificate is used by all virtual hosts
on the same IP, then:
4)	the first certificate found is correct
5)	the request can be decrypted
6)	the server name can now be read and the right virtual host is
found
7)	the rest of the process is similar to normal HTTP

A few consequences:
-	it only works because all the virtual hosts on the same IP use
the same SSL certificate
-	because they are virtual hosts with different names (hence the
"name based"), the certificate can only be a "wildcard" certificate...
-	when using this "unsupported feature" it is very important to
make it clear that the virtual hosts use the same certificate => for
example, move the "SSLCertificateFile" directive in a file and include
it in all your virtual hosts. Then a change in this file will clearly
affect all your virtual hosts.

Very logically, wildcard certificates aren't officially supported by
Apache either.

Apache, when starting up, compares the server name of the SSL
certificate with the configuration (virtual host) server name.
Thus, when using a wildcard certificate, you will get such a warning at
startup:

[Fri Jul 21 13:40:10 2006] [warn] RSA server certificate CommonName (CN) `*.myserver.com' does NOT match server name!?

See:
-	http://mail-archives.apache.org/mod_mbox/httpd-bugs/200512.mbox/%3C20051214183548.6B3CC184@ajax.apache.org%3E
-	http://www.lists.aldigital.co.uk/apache-ssl/msg03957.html

Reference: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

------------------------------------------------------------------------------------------------------------

I'd be proud if I can help for ApacheCon ;-)

Olivier

Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology
 

> -----Original Message-----
> From: Vincent Bray [mailto:noodlet@gmail.com] 
> Sent: 19 March 2007 10:09
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Request for Input: ApacheCon SSL Training

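The set-up Olivier describes above stands or falls on one question: does the single certificate that every vhost on the IP ends up presenting actually name every ServerName served there? The following Python is an added example, not code from this thread, from Apache httpd or from mod_ssl. It implements the server-identity matching rule of RFC 2818 section 3.1 (the RFC Issac cites earlier on this page) and runs it over a constructed list of vhost names against a constructed `*.myserver.com` certificate. The wildcard handling is deliberately stricter than the RFC's "component fragment" wording: `*` is honoured only as the entire leftmost label, which is what browsers enforce today.

```python
"""Does a shared wildcard certificate actually cover every vhost on the IP?

Added example, not code from the thread, Apache httpd or mod_ssl. It
implements the server-identity matching rule of RFC 2818 section 3.1 and
models the set-up described above: several name-based virtual hosts on one
IP address, all of which end up presenting the certificate of the first
vhost, so that certificate must name every ServerName served there. The
vhost names are constructed sample data.
"""
from typing import Dict, List


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (CN or SAN dNSName) covers hostname.

    RFC 2818 s3.1: matching is case-insensitive and '*' matches exactly one
    domain-name component, so '*.a.com' covers 'foo.a.com' but neither
    'bar.foo.a.com' nor the bare 'a.com'. Deliberately stricter than the
    RFC's 'component fragment' wording: the wildcard is honoured only as
    the whole leftmost label, which is what browsers enforce today.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if len(p_labels) != len(h_labels):
        return False      # '*' never spans zero or several labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False      # wildcard only as the entire leftmost label
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: List[str], hostname: str) -> bool:
    """True if any name in the certificate covers hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def audit_shared_ip(presented_cert: List[str], vhosts: List[str]) -> Dict[str, bool]:
    """For each ServerName on the IP, would a browser that connects to that
    name see a certificate which actually covers it? A False here is the
    name-mismatch warning a user gets, regardless of which vhost Apache
    routes the decrypted request to afterwards."""
    return {name: cert_covers(presented_cert, name) for name in vhosts}


# Constructed sample: one wildcard cert shared by every vhost on one IP.
WILDCARD_CERT = ["*.myserver.com"]
VHOSTS = [
    "www.myserver.com",
    "mail.myserver.com",
    "myserver.com",               # bare apex: not covered by *.myserver.com
    "dev.intranet.myserver.com",  # one label too deep: not covered either
]

if __name__ == "__main__":
    for name, ok in audit_shared_ip(WILDCARD_CERT, VHOSTS).items():
        print(f"{name:28s} {'covered' if ok else 'NAME MISMATCH'}")
```

This pairs naturally with Olivier's advice to keep the shared SSLCertificateFile in one included file: whenever that file changes, run the audit over the full list of ServerNames on the IP. The two False results show the limit of the trick: a wildcard covers exactly one label, so the bare apex and anything two labels deep need their own name on the certificate (a subjectAltName entry) or a separate IP.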


Re: [users@httpd] Request for Input: ApacheCon SSL Training

Posted by Vincent Bray <no...@gmail.com>.
On 19/03/07, Sander Temme <sc...@apache.org> wrote:
> Dear list,
>
> As I prepare my training session titled "Practical SSL Implementation
> with Apache" for the upcoming ApacheCon EU conference, I would like
> to take a moment and request your feedback.

#apache on freenode commonly sees questions from people confused by the
various certificate formats and by the openssl command (hardly
surprising considering its man page). Perhaps some coverage of the
difference between pem/der/crt/whatever, and maybe ways to
validate/convert those formats?

I can't attend the conference but I hope it turns out well, good luck :)

-- 
noodl

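The format confusion Vincent raises comes down to one relationship: PEM is DER with base64 and an armour line on each end, and the file extension (.crt, .cer, .pem, .der) tells you nothing reliable about which one you have. The following Python is an added example, not code from this thread, from Apache httpd or from OpenSSL; it detects the encoding from the content, checks that a DER object is complete, and converts in both directions using only the standard library. The DER objects it builds at the bottom are constructed placeholders for the demo, not real certificates.

```python
"""PEM vs DER: detect, validate and convert certificate encodings.

Added example, not code from the thread, Apache httpd or OpenSSL; it uses
only the standard library so it runs without openssl installed. The DER
objects built at the bottom are constructed for the demo, not real certs.

DER is the binary ASN.1 encoding; an X.509 certificate is one outer
SEQUENCE, so the file starts with byte 0x30. PEM is the same DER bytes,
base64-encoded in 64-column lines between '-----BEGIN <LABEL>-----' and
'-----END <LABEL>-----'. Extensions such as .crt, .cer, .pem and .der are
conventions only: a .crt file may hold either encoding.
"""
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_outer_length(der: bytes) -> int:
    """Parse the outer SEQUENCE header and check the object is complete.

    Returns the total encoded length (header + content). Raises ValueError
    if the tag is not SEQUENCE (0x30), the length octets are malformed, or
    the declared length does not match the bytes present (a truncated or
    trailing-garbage file, a common symptom of a bad conversion).
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte must be 0x30)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        header, length = 2, first
    else:                                  # long form: 0x8N + N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length octets")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    total = header + length
    if total != len(der):
        raise ValueError(f"DER declares {total} bytes, file has {len(der)}")
    return total


def detect_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' from the content, not the extension."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        try:
            der_outer_length(data)
            return "DER"
        except ValueError:
            pass
    return "unknown"


def pem_to_der(pem: bytes, expected_label: str = "CERTIFICATE") -> bytes:
    """Strip the PEM armour, base64-decode, and sanity-check the DER inside.

    The label is checked so a private key or CSR is not silently accepted
    where a certificate was expected.
    """
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1).decode()
    if label != expected_label:
        raise ValueError(f"PEM block is {label!r}, expected {expected_label!r}")
    der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    der_outer_length(der)
    return der


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap validated DER in PEM armour with 64-character base64 lines."""
    der_outer_length(der)
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n".encode() + b"\n".join(lines)
            + f"\n-----END {label}-----\n".encode())


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


# Constructed sample DER objects (placeholders, not real certificates):
SAMPLE_SHORT = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x02, b"\x02"))
SAMPLE_LONG = der_tlv(0x30, der_tlv(0x04, b"\x00" * 200))   # long-form lengths

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_SHORT)
    print(detect_format(SAMPLE_SHORT), detect_format(pem),
          pem_to_der(pem) == SAMPLE_SHORT)      # DER PEM True
```

The same checks with the openssl command line, for reference: `openssl x509 -inform DER -in cert.der -out cert.pem` converts DER to PEM, and `openssl x509 -in cert.pem -noout -text` both validates that the file parses as a certificate and dumps its contents. The length check in `der_outer_length` is the part people most often skip: a certificate that was copied through a tool that dropped or appended bytes still "looks" like DER from its first byte but will fail at load time.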