certificate weirdness

I'm doing something wrong in my config file. For some reason, when
pointed to https://calendar.mydomain.ca the browser tells me the
security certificate belongs to mail.mydomain.ca even though the two
domains have been configured with different certificates.

Could anyone shed some light, please? Thanks in advance.

##
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##

Listen 80
Listen 443


............................................................ ....................

NameVirtualHost *:80
NameVirtualHost *:443

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.


ServerAdmin web@mydomain.org
DocumentRoot /var/www/virthosts/mail
ServerName mail.mydomain.org
Redirect / https://mail.mydomain.org/



ServerAdmin web@mydomain.org
DocumentRoot /var/www/virthosts/calendar
ServerName calendar.mydomain.org
Redirect / https://calendar.mydomain.org/



##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

#
# Some MIME-types for downloading Certificates and CRLs
#

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl




# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex sem

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
SSLRandomSeed startup file:/dev/arandom 512

# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog logs/ssl_engine_log
SSLLogLevel info





##
## SSL Virtual Host Context
##


ServerAdmin web@mydomain.org
DocumentRoot /var/www/virthosts/mail
ServerName mail.mydomain.org
SSLEngine on
SSLCertificateFile /etc/ssl/webmail.crt
SSLCertificateKeyFile /etc/ssl/private/webmail.key

SSLRequireSsl




ServerAdmin web@mydomain.org
DocumentRoot /var/www/virthosts/calendar
ServerName calendar.mydomain.org
SSLEngine on
SSLCertificateFile /etc/ssl/calendar.crt
SSLCertificateKeyFile /etc/ssl/private/calendar.key

SSLRequireSsl


Order allow,deny
Allow from all


SetHandler perl-script
PerlHandler Apache::Registry
#PerlHandler Apache::PerlRun
Options ExecCGI
PerlSendHeader On


#

# General setup for the virtual host
#DocumentRoot /var/www/htdocs
#ServerName new.host.name
#ServerAdmin you@your.address
#ErrorLog logs/error_log
#TransferLog logs/access_log

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time.
SSLCertificateFile /etc/ssl/server.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file.
SSLCertificateKeyFile /etc/ssl/private/server.key

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /var/www/conf/ssl.crt
#SSLCACertificateFile /var/www/conf/ssl.crt/ca-bundle.crt

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10

# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#

# SSL Engine Options:
# Set various options for the SSL engine.
# FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# CompatEnvVars:
# This exports obsolete environment variables for backward compatibility
# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
# to provide compatibility to existing CGI scripts.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
#CustomLog logs/ssl_request_log \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"





____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: certificate weirdness

Hello Vlad,

You are trying to use NameVirtualHost for ssl which
will not work. Basically which cert does it use? The
ssl connection needs to be setup before the site name
(hence virtual host and cert) can be established by
apache.

You'll need two IPs, or use different ports (yuck).

Regards
Matt

--- Vlad Ciubotariu wrote:

> I'm doing something wrong in my config file. For
> some reason, when
> pointed to https://calendar.mydomain.ca the browser
> tells me the
> security certificate belongs to mail.mydomain.ca
> even though the two
> domains have been configured with different
> certificates.
>=20
> Could anyone shed some light, please? Thanks in
> advance.
>=20
> ##
> ## SSL Support
> ##
> ## When we also provide SSL we have to listen to
> the=20
> ## standard HTTP port (see above) and to the HTTPS
> port
> ##
>
> Listen 80
> Listen 443
>
>=20
>
............................................................ ..............=
.......
>=20
> NameVirtualHost *:80
> NameVirtualHost *:443
>=20
> #
> # VirtualHost example:
> # Almost any Apache directive may go into a
> VirtualHost container.
>=20
>
> ServerAdmin web@mydomain.org
> DocumentRoot /var/www/virthosts/mail
> ServerName mail.mydomain.org
> Redirect / https://mail.mydomain.org/
>
>=20
>
> ServerAdmin web@mydomain.org
> DocumentRoot /var/www/virthosts/calendar
> ServerName calendar.mydomain.org
> Redirect / https://calendar.mydomain.org/
>
>=20
>=20
> ##
> ## SSL Global Context
> ##
> ## All SSL configuration in this context applies
> both to
> ## the main server and all SSL-enabled virtual
> hosts.
> ##
>=20
> #
> # Some MIME-types for downloading Certificates and
> CRLs
> #
>
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
>
>=20
>
>=20
> # Pass Phrase Dialog:
> # Configure the pass phrase gathering process.
> # The filtering dialog program (`builtin' is a
> internal
> # terminal dialog) has to provide the pass phrase
> on stdout.
> SSLPassPhraseDialog builtin
>=20
> # Inter-Process Session Cache:
> # Configure the SSL Session Cache: First either
> `none'
> # or `dbm:/path/to/file' for the mechanism to use
> and
> # second the expiring timeout (in seconds).
> SSLSessionCache dbm:logs/ssl_scache
> SSLSessionCacheTimeout 300
>=20
> # Semaphore:
> # Configure the path to the mutual exclusion
> semaphore the
> # SSL engine uses internally for inter-process
> synchronization.=20
> SSLMutex sem
>=20
> # Pseudo Random Number Generator (PRNG):
> # Configure one or more sources to seed the PRNG
> of the=20
> # SSL library. The seed data should be of good
> random quality.
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> #SSLRandomSeed startup file:/dev/random 512
> #SSLRandomSeed startup file:/dev/urandom 512
> #SSLRandomSeed connect file:/dev/random 512
> #SSLRandomSeed connect file:/dev/urandom 512
> SSLRandomSeed startup file:/dev/arandom 512
>=20
> # Logging:
> # The home of the dedicated SSL protocol logfile.
> Errors are
> # additionally duplicated in the general error log
> file. Put
> # this somewhere where it cannot be used for
> symlink attacks on
> # a real server (i.e. somewhere where only root
> can write).
> # Log levels are (ascending order: higher ones
> include lower ones):
> # none, error, warn, info, trace, debug.
> SSLLog logs/ssl_engine_log
> SSLLogLevel info
>=20
>
>=20
>
>=20
> ##
> ## SSL Virtual Host Context
> ##
>=20
>
> ServerAdmin web@mydomain.org
> DocumentRoot /var/www/virthosts/mail
> ServerName mail.mydomain.org
> SSLEngine on
> SSLCertificateFile /etc/ssl/webmail.crt
> SSLCertificateKeyFile
> /etc/ssl/private/webmail.key
>
> SSLRequireSsl
>
>
>=20
>
> ServerAdmin web@mydomain.org
> DocumentRoot /var/www/virthosts/calendar
> ServerName calendar.mydomain.org
> SSLEngine on
> SSLCertificateFile /etc/ssl/calendar.crt
> SSLCertificateKeyFile
> /etc/ssl/private/calendar.key
>
> SSLRequireSsl
>
>
> Order allow,deny
> Allow from all
>
>
> SetHandler perl-script
> PerlHandler Apache::Registry
> #PerlHandler Apache::PerlRun
> Options ExecCGI
> PerlSendHeader On
>
>
> #
>
> # General setup for the virtual host
> #DocumentRoot /var/www/htdocs
> #ServerName new.host.name
> #ServerAdmin you@your.address
> #ErrorLog logs/error_log
> #TransferLog logs/access_log
>=20
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
>=20
> # SSL Cipher Suite:
> # List the ciphers that the client is permitted to
> negotiate.
> # See the mod_ssl documentation for a complete
> list.
> #SSLCipherSuite
> ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>=20
> # Server Certificate:
> # Point SSLCertificateFile at a PEM encoded
> certificate. If
> # the certificate is encrypted, then you will be
> prompted for a
> # pass phrase. Note that a kill -HUP will prompt
> again. A test
> # certificate can be generated with `make
> certificate' under
> # built time.
> SSLCertificateFile /etc/ssl/server.crt
>=20
> # Server Private Key:
> # If the key is not combined with the certificate,
> use=20
===3D message truncated ===3D



=09
____________________________________________________
Start your day with Yahoo! - make it your home page=20
http://www.yahoo.com/r/hs=20
=20
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: certificate weirdness

I've finally got it to work. I possibly see why it didn't work from the first
place.

Mod_ssl handles encryption before httpd even sees the url. Thus I can't set
certifaces in or name-based containers.

Thanks!



On Wed, Jul 27, 2005 at 06:49:12AM -0700, Matt Stevenson wrote:
> Hello Vlad,
>
> You are trying to use NameVirtualHost for ssl which
> will not work. Basically which cert does it use? The
> ssl connection needs to be setup before the site name
> (hence virtual host and cert) can be established by
> apache.
>
> You'll need two IPs, or use different ports (yuck).
>
> Regards
> Matt
>
> --- Vlad Ciubotariu wrote:
>
> > I'm doing something wrong in my config file. For
> > some reason, when
> > pointed to https://calendar.mydomain.ca the browser
> > tells me the
> > security certificate belongs to mail.mydomain.ca
> > even though the two
> > domains have been configured with different
> > certificates.
> >
> > Could anyone shed some light, please? Thanks in
> > advance.
> >
> > ##
> > ## SSL Support
> > ##
> > ## When we also provide SSL we have to listen to
> > the
> > ## standard HTTP port (see above) and to the HTTPS
> > port
> > ##
> >
> > Listen 80
> > Listen 443
> >
> >
> >
> ............................................................ ...................
> >
> > NameVirtualHost *:80
> > NameVirtualHost *:443
> >
> > #
> > # VirtualHost example:
> > # Almost any Apache directive may go into a
> > VirtualHost container.
> >
> >
> > ServerAdmin web@mydomain.org
> > DocumentRoot /var/www/virthosts/mail
> > ServerName mail.mydomain.org
> > Redirect / https://mail.mydomain.org/
> >
> >
> >
> > ServerAdmin web@mydomain.org
> > DocumentRoot /var/www/virthosts/calendar
> > ServerName calendar.mydomain.org
> > Redirect / https://calendar.mydomain.org/
> >
> >
> >
> > ##
> > ## SSL Global Context
> > ##
> > ## All SSL configuration in this context applies
> > both to
> > ## the main server and all SSL-enabled virtual
> > hosts.
> > ##
> >
> > #
> > # Some MIME-types for downloading Certificates and
> > CRLs
> > #
> >
> > AddType application/x-x509-ca-cert .crt
> > AddType application/x-pkcs7-crl .crl
> >
> >
> >
> >
> > # Pass Phrase Dialog:
> > # Configure the pass phrase gathering process.
> > # The filtering dialog program (`builtin' is a
> > internal
> > # terminal dialog) has to provide the pass phrase
> > on stdout.
> > SSLPassPhraseDialog builtin
> >
> > # Inter-Process Session Cache:
> > # Configure the SSL Session Cache: First either
> > `none'
> > # or `dbm:/path/to/file' for the mechanism to use
> > and
> > # second the expiring timeout (in seconds).
> > SSLSessionCache dbm:logs/ssl_scache
> > SSLSessionCacheTimeout 300
> >
> > # Semaphore:
> > # Configure the path to the mutual exclusion
> > semaphore the
> > # SSL engine uses internally for inter-process
> > synchronization.
> > SSLMutex sem
> >
> > # Pseudo Random Number Generator (PRNG):
> > # Configure one or more sources to seed the PRNG
> > of the
> > # SSL library. The seed data should be of good
> > random quality.
> > SSLRandomSeed startup builtin
> > SSLRandomSeed connect builtin
> > #SSLRandomSeed startup file:/dev/random 512
> > #SSLRandomSeed startup file:/dev/urandom 512
> > #SSLRandomSeed connect file:/dev/random 512
> > #SSLRandomSeed connect file:/dev/urandom 512
> > SSLRandomSeed startup file:/dev/arandom 512
> >
> > # Logging:
> > # The home of the dedicated SSL protocol logfile.
> > Errors are
> > # additionally duplicated in the general error log
> > file. Put
> > # this somewhere where it cannot be used for
> > symlink attacks on
> > # a real server (i.e. somewhere where only root
> > can write).
> > # Log levels are (ascending order: higher ones
> > include lower ones):
> > # none, error, warn, info, trace, debug.
> > SSLLog logs/ssl_engine_log
> > SSLLogLevel info
> >
> >
> >
> >
> >
> > ##
> > ## SSL Virtual Host Context
> > ##
> >
> >
> > ServerAdmin web@mydomain.org
> > DocumentRoot /var/www/virthosts/mail
> > ServerName mail.mydomain.org
> > SSLEngine on
> > SSLCertificateFile /etc/ssl/webmail.crt
> > SSLCertificateKeyFile
> > /etc/ssl/private/webmail.key
> >
> > SSLRequireSsl
> >
> >
> >
> >
> > ServerAdmin web@mydomain.org
> > DocumentRoot /var/www/virthosts/calendar
> > ServerName calendar.mydomain.org
> > SSLEngine on
> > SSLCertificateFile /etc/ssl/calendar.crt
> > SSLCertificateKeyFile
> > /etc/ssl/private/calendar.key
> >
> > SSLRequireSsl
> >
> >
> > Order allow,deny
> > Allow from all
> >
> >
> > SetHandler perl-script
> > PerlHandler Apache::Registry
> > #PerlHandler Apache::PerlRun
> > Options ExecCGI
> > PerlSendHeader On
> >
> >
> > #
> >
> > # General setup for the virtual host
> > #DocumentRoot /var/www/htdocs
> > #ServerName new.host.name
> > #ServerAdmin you@your.address
> > #ErrorLog logs/error_log
> > #TransferLog logs/access_log
> >
> > # SSL Engine Switch:
> > # Enable/Disable SSL for this virtual host.
> > SSLEngine on
> >
> > # SSL Cipher Suite:
> > # List the ciphers that the client is permitted to
> > negotiate.
> > # See the mod_ssl documentation for a complete
> > list.
> > #SSLCipherSuite
> > ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> >
> > # Server Certificate:
> > # Point SSLCertificateFile at a PEM encoded
> > certificate. If
> > # the certificate is encrypted, then you will be
> > prompted for a
> > # pass phrase. Note that a kill -HUP will prompt
> > again. A test
> > # certificate can be generated with `make
> > certificate' under
> > # built time.
> > SSLCertificateFile /etc/ssl/server.crt
> >
> > # Server Private Key:
> > # If the key is not combined with the certificate,
> > use
> === message truncated ===
>
>
>
>
> ____________________________________________________
> Start your day with Yahoo! - make it your home page
> http://www.yahoo.com/r/hs
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org