Posted to users@httpd.apache.org by Joseph S <jk...@selectacast.net> on 2009/10/27 19:41:37 UTC

[users@httpd] apache 2.2.13 ssl problem: wrong certificate being served

I'm running: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8k 
mod_jk/1.2.26

I have these two virtual hosts set up (I added a space between 'xten' 
and 'it' to keep search engines from picking this email up) :


<VirtualHost 199.107.233.199:443 >
ServerName segments.xten it.com

<snip>

#use this virt host if the servername matches *.a.xten it.com
<VirtualHost 199.107.233.199:443 >
ServerName  a.xten it.com
#ServerName can't have a *, it has to go in ServerAlias
ServerAlias  *.a.xten it.com


I have these two virtual hosts because recently Firefox stopped 
accepting our certificate that had *.*.xten it.com as the CN.  I added a 
new virtual host with a new certificate for *.a.xten it.com and this 
setup works most of the time, but today I find that when I go to 
https://thomasnet-m.a.xten it.com/ in Firefox I'm getting a ssl cert 
warning because I'm getting the certificate for *.*.xten it.com instead 
of the certificate for *.a.xten it.com.  All other domains I have tried 
like https://jks-m.a.xten it.com/ do work.

Now here's the kicker: When I click through the warning in Firefox my 
logs show that I am going to the second virtual host, the one with 
that *.a certificate, even though I'm using the *.* certificate.  So how 
is it apache is sending me to the correct virtual host but serving up 
the wrong certificate?

More tidbits:
  I have the exact same setup on port 444, but port 444 is fine.
  This was working for me yesterday.  I restarted my desktop since then, 
but not apache.
  My browser is: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) 
Gecko/20090909 Fedora/3.5.3-1.fc11 Firefox/3.5.3
  This problem has happened a few times since I installed the new 
certificate but hasn't been reliably reproducible.
  Firefox 3.5.3 for windows (run in wine) does not have this problem.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] apache 2.2.13 ssl problem: wrong certificate being served

Posted by Joseph S <jk...@selectacast.net>.
OK sorry for the duplicate info. When I composed this my mail client 
hadn't pulled down Eric's reply yet.

Joseph S wrote:
>
>
> Krist van Besien wrote:
>> On Tue, Oct 27, 2009 at 7:41 PM, Joseph S <jk...@selectacast.net> wrote:
>>
>>
>>  
>>> Now here's the kicker: When I click through the warning in Firefox 
>>> my logs
>>> show that I am going to the second virtual host, the one with
>>> that *.a certificate, even though I'm using the *.* certificate.  So 
>>> how is
>>> it apache is sending me to the correct virtual host but serving up 
>>> the wrong
>>> certificate?
>>>     
>>
>> At the moment that the SSL handshake takes place apache does not yet
>> know which Virtual Host you want to be served by, so it used the
>> certificate of the first host.
>>
>> Read this:
>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>
>>   
> That documentation is old and needs to be updated.  Since apache 
> 2.2.12 you can have ssl name virtual hosts if you have a recent 
> openssl library that supports RFC 4366. Like I said this is working 
> for all my other *.a domains, just today it stopped working for this one.
>



Re: [users@httpd] apache 2.2.13 ssl problem: wrong certificate being served

Posted by Joseph S <jk...@selectacast.net>.

Krist van Besien wrote:
> On Tue, Oct 27, 2009 at 7:41 PM, Joseph S <jk...@selectacast.net> wrote:
>
>
>   
>> Now here's the kicker: When I click through the warning in Firefox my logs
>> show that I am going to the second virtual host, the one with
>> that *.a certificate, even though I'm using the *.* certificate.  So how is
>> it apache is sending me to the correct virtual host but serving up the wrong
>> certificate?
>>     
>
> At the moment that the SSL handshake takes place apache does not yet
> know which Virtual Host you want to be served by, so it used the
> certificate of the first host.
>
> Read this:
> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>
>   
That documentation is old and needs to be updated.  Since apache 2.2.12 
you can have ssl name virtual hosts if you have a recent openssl library 
that supports RFC 4366. Like I said this is working for all my other *.a 
domains, just today it stopped working for this one.



Re: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served

Posted by Eric Covener <co...@gmail.com>.
> Can someone maybe, just a little bit, say something about what SNI might be,
> and/or point to some Apache doc related to it ?
> I feel (again) like some acronym passed me by.
> And yes, I'll go check that FAQ, but as of right now in Western Europe, it
> does not talk of SNI yet.

When a client issues an HTTP/1.1 request, it supplies the desired
hostname in the Host: header.  Apache uses this to determine which
name-based vhost to use.

When a client does HTTP over SSL, and both sides don't do SNI, Apache
has to perform the full handshake using parameters available before
the HTTP Host header is available -- currently just the IP and Port
the connection is being handled on. Apache can pick the cert and
cipher settings from the right IP-based vhost, but can't think about
ServerName/ServerAlias.

When a client does HTTP over SSL and both sides use SNI, the client's
initial TLS handshake includes a string that indicates the requested
server's hostname (Server Name Indication).  A webserver and a security
library that understand this special extension can use it to select a
certificate/ciphers based on this very early information.

So net it's like the HTTP/1.1 Host: header but it's stuffed into an
early handshake message, so the server can select handshake parameters
from name-based vhosts.


-- 
Eric Covener
covener@gmail.com

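The mechanism Eric describes above, as an added worked example that is not part of the original thread or of the httpd project: it constructs a TLS 1.0 ClientHello with and without the RFC 4366 server_name extension, pulls the name back out of the raw record the way a server must (before any HTTP bytes exist), and then picks a vhost by ServerName/ServerAlias wildcard match. The hostnames (`*.example.test`), certificate file names and the two-entry vhost table are assumptions standing in for the two `<VirtualHost ...:443>` blocks in the original post; the hello bytes are constructed sample data, not a capture. A hello with no SNI lands on the first vhost for the IP:port, which is why a non-SNI client sees that vhost's certificate whatever Host: header it sends later.

```python
import fnmatch
import struct

# Assumed vhost table (placeholders, not the poster's real config). Order
# matters: like Apache, fall back to the FIRST vhost for the IP:port when
# the client sends no server_name extension at all.
VHOSTS = [
    {"names": ["segments.example.test"], "cert": "star-star.example.test.pem"},
    {"names": ["a.example.test", "*.a.example.test"], "cert": "star.a.example.test.pem"},
]

SNI_EXTENSION_TYPE = 0x0000   # server_name, RFC 4366 section 3.1
HOST_NAME_TYPE = 0x00         # the only NameType RFC 4366 defines


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0 ClientHello record (sample bytes, not a capture).

    With server_name=None the hello carries no extensions block, which is
    what a pre-SNI client sends.
    """
    body = b"\x03\x01"                        # client_version: TLS 1.0
    body += b"\x00" * 32                      # random: zeros (constructed sample)
    body += b"\x00"                           # session_id: empty
    suites = b"\x00\x2f\x00\x35"              # TLS_RSA_WITH_AES_128/256_CBC_SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None.

    Raises ValueError for anything that is not a well-formed ClientHello record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                              # skip client_version + random
        pos += 1 + body[pos]                      # session_id
        cs_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                         # cipher_suites
        pos += 1 + body[pos]                      # compression_methods
        if pos == len(body):
            return None                           # no extensions block at all
        ext_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXTENSION_TYPE:
                continue
            lpos = 2                              # skip ServerNameList length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen, = struct.unpack("!H", edata[lpos + 1:lpos + 3])
                name = edata[lpos + 3:lpos + 3 + nlen]
                lpos += 3 + nlen
                if ntype == HOST_NAME_TYPE:
                    return name.decode("ascii")
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return None


def select_vhost(server_name):
    """Pick the vhost whose ServerName/ServerAlias matches the SNI name.

    fnmatch covers the '*' and '?' wildcards ServerAlias accepts, with '*'
    spanning dots. No match, or no SNI at all, means the first vhost for the
    IP:port, whose certificate is the one the client is then shown.
    """
    if server_name is not None:
        host = server_name.lower().rstrip(".")
        for vh in VHOSTS:
            if any(fnmatch.fnmatchcase(host, p.lower()) for p in vh["names"]):
                return vh
    return VHOSTS[0]


def certificate_for(record):
    """Raw ClientHello bytes -> certificate file the server would present."""
    return select_vhost(extract_sni(record))["cert"]


if __name__ == "__main__":
    for sni in ("thomasnet-m.a.example.test", "segments.example.test", None):
        print(f"SNI={sni!r:32} -> {certificate_for(build_client_hello(sni))}")
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -servername name` versus the same command without `-servername`: if the subject of the returned certificate differs between the two, the server is selecting by SNI and the client that got the wrong certificate is the one whose hello carried no (or a different) server_name.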


Re: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served

Posted by Joseph S <jk...@selectacast.net>.

André Warnier wrote:
>
> Can someone maybe, just a little bit, say something about what SNI 
> might be, and/or point to some Apache doc related to it ?
> I feel (again) like some acronym passed me by.
> And yes, I'll go check that FAQ, but as of right now in Western 
> Europe, it does not talk of SNI yet.
>
>
In the release notes for apache 2.2.12:

*) mod_ssl: Add server name indication support (RFC 4366) and better
     support for name based virtual hosts with SSL. PR 34607
     [Peter Sylvester <peter.sylvester edelweb.fr>,
      Kaspar Brand <asfbugz velox.ch>, Guenter Knauf, Joe Orton,
      Ruediger Pluem]





[users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served

Posted by Jens Schleusener <Je...@t-systems-sfr.com>.
On Tue, 27 Oct 2009, Emmanuel Bailleul wrote:

>> Dan Poirier wrote:
>>> Eric Covener <co...@gmail.com> writes:
>>>
>>>> On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
>>>> <kr...@gmail.com> wrote:
>>>>> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener <co...@gmail.com> wrote:
>>>>>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>>>>> This doc is out of date due to SNI!
>>>>> The OP's version clearly doesn't yet support SNI obviously. I don't
>>>>> think it is already an official feature in the 2.2 tree.
>>>> I couldn't tell for sure if OP was just the old default vhost FAQ --
>>>> but SNI is present in 2.2.12 and later, if you're built against a
>>>> sufficient level of openssl.
>>>
>>> I just updated the FAQ.  I'm not sure how long it'll take for the web
>>> site to update.
>>>
>>
>> Can someone maybe, just a little bit, say something about what SNI might
>> be, and/or point to some Apache doc related to it ?
>> I feel (again) like some acronym passed me by.
>> And yes, I'll go check that FAQ, but as of right now in Western Europe,
>> It does not talk of SNI yet.
>
> Hi,
>
> It's been in the Wiki for a while :
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

And a nice test site that may also help to increase SNI understanding:

  https://sni.velox.ch/

Jens



RE: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served

Posted by Emmanuel Bailleul <Em...@telindus.fr>.
>Emmanuel Bailleul wrote:
>
>> Hi,
>> 
>> It's been in the Wiki for a while :
>> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>> 
>Thanks Eric and Emmanuel.
>I do remember now coming across the Wiki, and noticing this line, about 
>browsers supporting SNI :
>
>Internet Explorer 7.0 or later (on Vista, not XP)
>
>Which was the one line to make me read the rest only in diagonals, 
>because 99% of my corporate customers still use XP and not Vista (and 
>probably never will use Vista).
>So, is the above item in the Wiki still actual, to anyone's knowledge ?
>
>If yes, then I'll just remember that for now Apache is ready to support 
>it, but I can't use it yet because of my customers' browsers.

I recently did some tests on XP (pro) with IE7 & IE8 and came to the same conclusions.
BTW https://sni.velox.ch/ is a good place to learn & perform online checks about SNI support.

Regards.

Emmanuel






Re: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served

Posted by André Warnier <aw...@ice-sa.com>.
Emmanuel Bailleul wrote:

> Hi,
> 
> It's been in the Wiki for a while :
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
> 
Thanks Eric and Emmanuel.
I do remember now coming across the Wiki, and noticing this line, about 
browsers supporting SNI :

Internet Explorer 7.0 or later (on Vista, not XP)

which was the one line to make me read the rest only in diagonals, 
because 99% of my corporate customers still use XP and not Vista (and 
probably never will use Vista).
So, is the above item in the Wiki still actual, to anyone's knowledge ?

If yes, then I'll just remember that for now Apache is ready to support 
it, but I can't use it yet because of my customers' browsers.







RE: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served

Posted by Emmanuel Bailleul <Em...@telindus.fr>.
>Dan Poirier wrote:
>> Eric Covener <co...@gmail.com> writes:
>>
>>> On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
>>> <kr...@gmail.com> wrote:
>>>> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener <co...@gmail.com> wrote:
>>>>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>>>> This doc is out of date due to SNI!
>>>> The OP's version clearly doesn't yet support SNI obviously. I don't
>>>> think it is already an official feature in the 2.2 tree.
>>> I couldn't tell for sure if OP was just the old default vhost FAQ --
>>> but SNI is present in 2.2.12 and later, if you're built against a
>>> sufficient level of openssl.
>> 
>> I just updated the FAQ.  I'm not sure how long it'll take for the web
>> site to update.
>> 
>
>Can someone maybe, just a little bit, say something about what SNI might 
>be, and/or point to some Apache doc related to it ?
>I feel (again) like some acronym passed me by.
>And yes, I'll go check that FAQ, but as of right now in Western Europe, 
>It does not talk of SNI yet.

Hi,

It's been in the Wiki for a while :
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Emmanuel 



Re: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served

Posted by André Warnier <aw...@ice-sa.com>.
Dan Poirier wrote:
> Eric Covener <co...@gmail.com> writes:
> 
>> On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
>> <kr...@gmail.com> wrote:
>>> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener <co...@gmail.com> wrote:
>>>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>>> This doc is out of date due to SNI!
>>> The OP's version clearly doesn't yet support SNI obviously. I don't
>>> think it is already an official feature in the 2.2 tree.
>> I couldn't tell for sure if OP was just the old default vhost FAQ --
>> but SNI is present in 2.2.12 and later, if you're built against a
>> sufficient level of openssl.
> 
> I just updated the FAQ.  I'm not sure how long it'll take for the web
> site to update.
> 

Can someone maybe, just a little bit, say something about what SNI might 
be, and/or point to some Apache doc related to it ?
I feel (again) like some acronym passed me by.
And yes, I'll go check that FAQ, but as of right now in Western Europe, 
it does not talk of SNI yet.




[users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served

Posted by Dan Poirier <po...@pobox.com>.
Eric Covener <co...@gmail.com> writes:

> On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
> <kr...@gmail.com> wrote:
>> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener <co...@gmail.com> wrote:
>>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>>
>>> This doc is out of date due to SNI!
>>
>> The OP's version clearly doesn't yet support SNI obviously. I don't
>> think it is already an official feature in the 2.2 tree.
>
> I couldn't tell for sure if OP was just the old default vhost FAQ --
> but SNI is present in 2.2.12 and later, if you're built against a
> sufficient level of openssl.

I just updated the FAQ.  I'm not sure how long it'll take for the web
site to update.

-- 
Dan Poirier <po...@pobox.com>




Re: [users@httpd] apache 2.2.13 ssl problem: wrong certificate being served

Posted by Eric Covener <co...@gmail.com>.
On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
<kr...@gmail.com> wrote:
> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener <co...@gmail.com> wrote:
>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>
>> This doc is out of date due to SNI!
>
> The OP's version clearly doesn't yet support SNI obviously. I don't
> think it is already an official feature in the 2.2 tree.

I couldn't tell for sure if OP was just the old default vhost FAQ --
but SNI is present in 2.2.12 and later, if you're built against a
sufficient level of openssl.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] apache 2.2.13 ssl problem: wrong certificate being served

Posted by Krist van Besien <kr...@gmail.com>.
On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener <co...@gmail.com> wrote:
> On Tue, Oct 27, 2009 at 2:50 PM, Krist van Besien
> <kr...@gmail.com> wrote:
>> On Tue, Oct 27, 2009 at 7:41 PM, Joseph S <jk...@selectacast.net> wrote:
>>
>>
>>> Now here's the kicker: When I click through the warning in Firefox my logs
>>> show that I am going to the second virtual host, the one with
>>> that *.a certificate, even though I'm using the *.* certificate.  So how is
>>> it apache is sending me to the correct virtual host but serving up the wrong
>>> certificate?
>>
>> At the moment that the SSL handshake takes place apache does not yet
>> know which Virtual Host you want to be served by, so it used the
>> certificate of the first host.
>>
>> Read this:
>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>
> This doc is out of date due to SNI!

The OP's version clearly doesn't yet support SNI obviously. I don't
think it is already an official feature in the 2.2 tree.

Krist



-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] apache 2.2.13 ssl problem: wrong certificate being served

Posted by Eric Covener <co...@gmail.com>.
On Tue, Oct 27, 2009 at 2:50 PM, Krist van Besien
<kr...@gmail.com> wrote:
> On Tue, Oct 27, 2009 at 7:41 PM, Joseph S <jk...@selectacast.net> wrote:
>
>
>> Now here's the kicker: When I click through the warning in Firefox my logs
>> show that I am going to the second virtual host, the one with
>> that *.a certificate, even though I'm using the *.* certificate.  So how is
>> it apache is sending me to the correct virtual host but serving up the wrong
>> certificate?
>
> At the moment that the SSL handshake takes place apache does not yet
> know which Virtual Host you want to be served by, so it used the
> certificate of the first host.
>
> Read this:
> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2

This doc is out of date due to SNI!

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] apache 2.2.13 ssl problem: wrong certificate being served

Posted by Krist van Besien <kr...@gmail.com>.
On Tue, Oct 27, 2009 at 7:41 PM, Joseph S <jk...@selectacast.net> wrote:


> Now here's the kicker: When I click through the warning in Firefox my logs
> show that I am going to the second virtual host, the one with
> that *.a certificate, even though I'm using the *.* certificate.  So how is
> it apache is sending me to the correct virtual host but serving up the wrong
> certificate?

At the moment that the SSL handshake takes place apache does not yet
know which Virtual Host you want to be served by, so it used the
certificate of the first host.

Read this:
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2

Krist


-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
