apache 2.2.13 ssl problem: wrong certificate being served

On 27.10.2009 19:41:37 by Joseph Shraibman

I'm running: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8k
mod_jk/1.2.26

I have these two virtual hosts set up (I added a space between 'xten'
and 'it' to keep search engines from picking this email up) :



ServerName segments.xten it.com



#use this virt host if the servername matches *.a.xten it.com

ServerName a.xten it.com
#ServerName can't have a *, it has to go in ServerAlias
ServerAlias *.a.xten it.com


I have these two virtual hosts because recently Firefox stopped
accepting our certificate that had *.*.xten it.com as the CN. I added a
new virtual host with a new certificate for *.a.xten it.com and this
setup works most of the time, but today I find that when I go to
https://thomasnet-m.a.xten it.com/ in Firefox I'm getting a ssl cert
warning because I'm getting the certificate for *.*.xten it.com instead
of the certificate for *.a.xten it.com. All other domains I have tried
like https://jks-m.a.xten it.com/ do work.

Now here's the kicker: When I click through the warning in Firefox my
logs show that I am going to the second virtual host, the one with the
that *.a certificate, even though I'm using the *.* certificate. So how
is it apache is sending me to the correct virtual host but serving up
the wrong certificate?

More tidbits:
I have the exact same setup on port 444, but port 444 is fine.
This was working for me yesterday. I restarted my desktop since then,
but not apache.
My browser is: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3)
Gecko/20090909 Fedora/3.5.3-1.fc11 Firefox/3.5.3
This problem has happened a few times since I installed the new
certificate but hasn't been reliably reproducible.
Firefox 3.5.3 for windows (run in wine) does not have this problem.


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: apache 2.2.13 ssl problem: wrong certificate being

On 27.10.2009 19:50:41 by Krist van Besien

On Tue, Oct 27, 2009 at 7:41 PM, Joseph S wrote:


> Now here's the kicker: When I click through the warning in Firefox my logs
> show that I am going to the second virtual host, the one with the
> that *.a certificate, even though I'm using the *.* certificate.  So how is
> it apache is sending me to the correct virtual host but serving up the wrong
> certificate?

At the moment that the SSL handshake takes place apache does not yet
know which Virtual Host you want to be served by, so it used the
certificate of the first host.

Read this:
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2

Krist


--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?


Re: apache 2.2.13 ssl problem: wrong certificate being

On 27.10.2009 19:55:21 by Eric Covener

On Tue, Oct 27, 2009 at 2:50 PM, Krist van Besien
wrote:
> On Tue, Oct 27, 2009 at 7:41 PM, Joseph S wrote:
>
>
>> Now here's the kicker: When I click through the warning in Firefox my logs
>> show that I am going to the second virtual host, the one with the
>> that *.a certificate, even though I'm using the *.* certificate.  So how is
>> it apache is sending me to the correct virtual host but serving up the wrong
>> certificate?
>
> At the moment that the SSL handshake takes place apache does not yet
> know which Virtual Host you want to be served by, so it used the
> certificate of the first host.
>
> Read this:
> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2

This doc is out of date due to SNI!

--
Eric Covener
covener@gmail.com


Re: apache 2.2.13 ssl problem: wrong certificate being

On 27.10.2009 20:06:21 by Krist van Besien

On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener wrote:
> On Tue, Oct 27, 2009 at 2:50 PM, Krist van Besien
> wrote:
>> On Tue, Oct 27, 2009 at 7:41 PM, Joseph S wrote:
>>
>>
>>> Now here's the kicker: When I click through the warning in Firefox my logs
>>> show that I am going to the second virtual host, the one with the
>>> that *.a certificate, even though I'm using the *.* certificate.  So how is
>>> it apache is sending me to the correct virtual host but serving up the wrong
>>> certificate?
>>
>> At the moment that the SSL handshake takes place apache does not yet
>> know which Virtual Host you want to be served by, so it used the
>> certificate of the first host.
>>
>> Read this:
>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>
> This doc is out of date due to SNI!

The OP's version clearly doesn't yet support SNI obviously. I don't
think it is already an official feature in the 2.2 tree.

Krist



--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?


Re: apache 2.2.13 ssl problem: wrong certificate being

On 27.10.2009 20:12:47 by Eric Covener

On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
wrote:
> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener wrote:
>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>
>> This doc is out of date due to SNI!
>
> The OP's version clearly doesn't yet support SNI obviously. I don't
> think it is already an official feature in the 2.2 tree.

I couldn't tell for sure if OP was just the old default vhost FAQ --
but SNI is present in 2.2.12 and later, if you're built against a
sufficient level of openssl.

--
Eric Covener
covener@gmail.com


Re: apache 2.2.13 ssl problem: wrong certificate being served

On 27.10.2009 20:20:31 by Dan Poirier

Eric Covener writes:

> On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
> wrote:
>> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener wrote:
>>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>>
>>> This doc is out of date due to SNI!
>>
>> The OP's version clearly doesn't yet support SNI obviously. I don't
>> think it is already an official feature in the 2.2 tree.
>
> I couldn't tell for sure if OP was just the old default vhost FAQ --
> but SNI is present in 2.2.12 and later, if you're built against a
> sufficient level of openssl.

I just updated the FAQ. I'm not sure how long it'll take for the web
site to update.

--
Dan Poirier



Re: Re: apache 2.2.13 ssl problem: wrong certificate being served

On 27.10.2009 21:21:35 by aw

Dan Poirier wrote:
> Eric Covener writes:
>
>> On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
>> wrote:
>>> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener wrote:
>>>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>>> This doc is out of date due to SNI!
>>> The OP's version clearly doesn't yet support SNI obviously. I don't
>>> think it is already an official feature in the 2.2 tree.
>> I couldn't tell for sure if OP was just the old default vhost FAQ --
>> but SNI is present in 2.2.12 and later, if you're built against a
>> sufficient level of openssl.
>
> I just updated the FAQ. I'm not sure how long it'll take for the web
> site to update.
>

Can someone maybe, just a little bit, say something about what SNI might
be, and/or point to some Apache doc related to it ?
I feel (again) like some acronym passed me by.
And yes, I'll go check that FAQ, but as of right now in Western Europe,
it does not talk of SNI yet.



Re: apache 2.2.13 ssl problem: wrong certificate being served

On 27.10.2009 21:29:31 by Joseph Shraibman

Krist van Besien wrote:
> On Tue, Oct 27, 2009 at 7:41 PM, Joseph S wrote:
>
>
>
>> Now here's the kicker: When I click through the warning in Firefox my logs
>> show that I am going to the second virtual host, the one with the
>> that *.a certificate, even though I'm using the *.* certificate. So how is
>> it apache is sending me to the correct virtual host but serving up the wrong
>> certificate?
>>
>
> At the moment that the SSL handshake takes place apache does not yet
> know which Virtual Host you want to be served by, so it used the
> certificate of the first host.
>
> Read this:
> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>
>
That documentation is old and needs to be updated. Since apache 2.2.12
you can have ssl name virtual hosts if you have a recent openssl library
that supports RFC 4366. Like I said this is working for all my other *.a
domains, just today it stopped working for this one.


Re: Re: apache 2.2.13 ssl problem: wrong certificate being served

On 27.10.2009 21:31:16 by Joseph Shraibman

André Warnier wrote:
>
> Can someone maybe, just a little bit, say something about what SNI
> might be, and/or point to some Apache doc related to it ?
> I feel (again) like some acronym passed me by.
> And yes, I'll go check that FAQ, but as of right now in Western
> Europe, it does not talk of SNI yet.
>
>
In the release notes for apache 2.2.12:

*) mod_ssl: Add server name indication support (RFC 4366) and better
support for name based virtual hosts with SSL. PR 34607
[Peter Sylvester ,
Kaspar Brand , Guenter Knauf, Joe Orton,
Ruediger Pluem]




Re: apache 2.2.13 ssl problem: wrong certificate being served

On 27.10.2009 21:32:51 by Joseph Shraibman

OK sorry for the duplicate info. When I composed this my mail client
hadn't pulled down Eric's reply yet.

Joseph S wrote:
>
>
> Krist van Besien wrote:
>> On Tue, Oct 27, 2009 at 7:41 PM, Joseph S wrote:
>>
>>
>>
>>> Now here's the kicker: When I click through the warning in Firefox
>>> my logs
>>> show that I am going to the second virtual host, the one with the
>>> that *.a certificate, even though I'm using the *.* certificate. So
>>> how is
>>> it apache is sending me to the correct virtual host but serving up
>>> the wrong
>>> certificate?
>>>
>>
>> At the moment that the SSL handshake takes place apache does not yet
>> know which Virtual Host you want to be served by, so it used the
>> certificate of the first host.
>>
>> Read this:
>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>
>>
> That documentation is old and needs to be updated. Since apache
> 2.2.12 you can have ssl name virtual hosts if you have a recent
> openssl library that supports RFC 4366. Like I said this is working
> for all my other *.a domains, just today it stopped working for this one.


Re: Re: apache 2.2.13 ssl problem: wrong certificate

On 27.10.2009 21:34:37 by Eric Covener

> Can someone maybe, just a little bit, say something about what SNI might be,
> and/or point to some Apache doc related to it ?
> I feel (again) like some acronym passed me by.
> And yes, I'll go check that FAQ, but as of right now in Western Europe, it
> does not talk of SNI yet.

When a client issues an HTTP/1.1 request, it supplies the desired
hostname in the Host: header. Apache uses this to determine which
name-based vhost to use.

When a client does HTTP over SSL, and both sides don't do SNI, Apache
has to perform the full handshake using parameters available before
the HTTP Host header is available -- currently just the IP and Port
the connection is being handled on. Apache can pick the cert and
cipher settings from the right IP-based vhost, but can't think about
ServerName/ServerAlias.

When a client does HTTP over SSL and both sides use SNI, the client's
initial TLS handshake includes a string that indicates the requested
server's hostname (Server Name Indication). A webserver and a security
library that understand this special extension can use it to select a
certificate/ciphers based on this very early information.

So net it's like the HTTP/1.1 Host: header but it's stuffed into an
early handshake message, so the server can select handshake parameters
from name-based vhosts.


--
Eric Covener
covener@gmail.com
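Eric's description above, worked through as an added example (my code, not from the thread or from httpd): it builds a constructed ClientHello with and without the server_name extension, pulls the hostname out the way a server must before any HTTP Host: header exists, and picks the vhost certificate the way the thread describes, with the first vhost's certificate as the fallback when SNI is absent or matches nothing. Hostnames and certificate names are placeholders, not the poster's real config.

```python
import struct

# Constructed vhost table mirroring the thread's setup; order matters, as in httpd.
VHOSTS = [
    {"names": ["segments.example.com"], "cert": "CN=*.*.example.com"},
    {"names": ["a.example.com", "*.a.example.com"], "cert": "CN=*.a.example.com"},
]

def build_client_hello(server_name=None):
    """Build a minimal TLS 1.0 ClientHello record (constructed, not captured)."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += b"\x00\x02\x00\x2f"                      # one cipher suite
    body += b"\x01\x00"                              # one compression method (null)
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        ext_data = struct.pack("!H", len(entry)) + entry        # ServerNameList
        ext = struct.pack("!HH", 0, len(ext_data)) + ext_data   # type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name carried in the ClientHello's SNI extension, or None."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    i = 2 + 32                                       # skip version + random
    i += 1 + body[i]                                 # session id
    i += 2 + struct.unpack("!H", body[i:i + 2])[0]   # cipher suites
    i += 1 + body[i]                                 # compression methods
    if i >= len(body):
        return None                                  # no extensions: pre-SNI client
    end = i + 2 + struct.unpack("!H", body[i:i + 2])[0]
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", body[i:i + 4])
        i += 4
        if etype == 0:                               # server_name extension
            j = i + 2                                # skip ServerNameList length
            while j + 3 <= i + elen:
                ntype = body[j]
                nlen = struct.unpack("!H", body[j + 1:j + 3])[0]
                j += 3
                if ntype == 0:                       # host_name
                    return body[j:j + nlen].decode("ascii")
                j += nlen
        i += elen
    return None

def matches(pattern, host):
    """ServerName/ServerAlias match; '*.' covers exactly one leading label."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def select_cert(record, vhosts=VHOSTS):
    """With SNI, serve the cert of the first vhost whose names match; without it
    (or with no match) the first vhost's cert is used, as the thread describes."""
    sni = extract_sni(record)
    if sni is not None:
        for vh in vhosts:
            if any(matches(n, sni) for n in vh["names"]):
                return vh["cert"]
    return vhosts[0]["cert"]
```

Logging the value extract_sni returns (or its absence) next to the served certificate is the quickest way to tell a non-SNI client from a vhost-matching problem when a user reports a certificate warning.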


RE: Re: apache 2.2.13 ssl problem: wrong certificate being served

On 27.10.2009 21:36:23 by Emmanuel Bailleul

>Dan Poirier wrote:
>> Eric Covener writes:
>>
>>> On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
>>> wrote:
>>>> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener wrote:
>>>>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>>>> This doc is out of date due to SNI!
>>>> The OP's version clearly doesn't yet support SNI obviously. I don't
>>>> think it is already an official feature in the 2.2 tree.
>>> I couldn't tell for sure if OP was just the old default vhost FAQ --
>>> but SNI is present in 2.2.12 and later, if you're built against a
>>> sufficient level of openssl.
>>
>> I just updated the FAQ. I'm not sure how long it'll take for the web
>> site to update.
>>
>
>Can someone maybe, just a little bit, say something about what SNI might
>be, and/or point to some Apache doc related to it ?
>I feel (again) like some acronym passed me by.
>And yes, I'll go check that FAQ, but as of right now in Western Europe,
>it does not talk of SNI yet.

Hi,

It's been in the Wiki for a while :
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Emmanuel


Re: Re: apache 2.2.13 ssl problem: wrong certificate being served

On 27.10.2009 22:05:59 by aw

Emmanuel Bailleul wrote:

> Hi,
>
> It's been in the Wiki for a while :
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>
Thanks Eric and Emmanuel.
I do remember now coming across the Wiki, and noticing this line, about
browsers supporting SNI :

Internet Explorer 7.0 or later (on Vista, not XP)

which was the one line to make me read the rest only in diagonals,
because 99% of my corporate customers still use XP and not Vista (and
probably never will use Vista).
So, is the above item in the Wiki still actual, to anyone's knowledge ?

If yes, then I'll just remember that for now Apache is ready to support
it, but I can't use it yet because of my customers' browsers.






Re: apache 2.2.13 ssl problem: wrong certificate being served

On 27.10.2009 22:17:52 by Jens Schleusener

On Tue, 27 Oct 2009, Emmanuel Bailleul wrote:

>> Dan Poirier wrote:
>>> Eric Covener writes:
>>>
>>>> On Tue, Oct 27, 2009 at 3:06 PM, Krist van Besien
>>>> wrote:
>>>>> On Tue, Oct 27, 2009 at 7:55 PM, Eric Covener wrote:
>>>>>>> http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
>>>>>> This doc is out of date due to SNI!
>>>>> The OP's version clearly doesn't yet support SNI obviously. I don't
>>>>> think it is already an official feature in the 2.2 tree.
>>>> I couldn't tell for sure if OP was just the old default vhost FAQ --
>>>> but SNI is present in 2.2.12 and later, if you're built against a
>>>> sufficient level of openssl.
>>>
>>> I just updated the FAQ. I'm not sure how long it'll take for the web
>>> site to update.
>>>
>>
>> Can someone maybe, just a little bit, say something about what SNI might
>> be, and/or point to some Apache doc related to it ?
>> I feel (again) like some acronym passed me by.
>> And yes, I'll go check that FAQ, but as of right now in Western Europe,
>> It does not talk of SNI yet.
>
> Hi,
>
> It's been in the Wiki for a while :
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

And a nice test site that may also help to increase SNI understanding:

https://sni.velox.ch/

Jens


RE: Re: apache 2.2.13 ssl problem: wrong certificate being served

On 27.10.2009 22:18:06 by Emmanuel Bailleul

>Emmanuel Bailleul wrote:
>
>> Hi,
>>
>> It's been in the Wiki for a while :
>> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>>
>Thanks Eric and Emmanuel.
>I do remember now coming across the Wiki, and noticing this line, about
>browsers supporting SNI :
>
>Internet Explorer 7.0 or later (on Vista, not XP)
>
>which was the one line to make me read the rest only in diagonals,
>because 99% of my corporate customers still use XP and not Vista (and
>probably never will use Vista).
>So, is the above item in the Wiki still actual, to anyone's knowledge ?
>
>If yes, then I'll just remember that for now Apache is ready to support
>it, but I can't use it yet because of my customers' browsers.

I recently did some tests on XP (pro) with IE7 & IE8 and came to the same conclusions.
BTW https://sni.velox.ch/ is a good place to learn & perform online checks about SNI support.

Regards.

Emmanuel



