Apache sends wrong certificate


On 24.05.2006 20:18:18 by Frank van Beek

Hi all,

This morning we migrated 4 of our websites to a new server. Each of
these websites uses a certificate for https connections. We've got only
one Apache instance running with 4 virtual hosts on 4 different
IP-addresses.

This worked fine on the old server. But since the move this morning
Apache sends the certificate for the first VirtualHost to all 4
IP-addresses. Two of these sites need an additional
SSLCertificateChainFile, and this file is sent *correctly* depending on
the IP-address. So Apache does see 4 different VirtualHosts, but somehow
ignores the individual SSLCertificateFiles.

Here is the relevant part of httpd.conf for these 4 hosts:

-----
Listen xxx.xxx.198.62:443
NameVirtualHost xxx.xxx.198.62:443

<VirtualHost xxx.xxx.198.62:443>
SSLEngine On
SSLCertificateChainFile chain1
SSLCertificateFile crt1
SSLCertificateKeyFile key1
</VirtualHost>

Listen xxx.xxx.198.61:443
NameVirtualHost xxx.xxx.198.61:443

<VirtualHost xxx.xxx.198.61:443>
SSLEngine On
SSLCertificateChainFile chain2
SSLCertificateFile crt2
SSLCertificateKeyFile key2
</VirtualHost>

Listen xxx.xxx.198.63:443
NameVirtualHost xxx.xxx.198.63:443

<VirtualHost xxx.xxx.198.63:443>
SSLEngine On
SSLCertificateFile crt3
SSLCertificateKeyFile key3
</VirtualHost>

Listen xxx.xxx.198.64:443
NameVirtualHost xxx.xxx.198.64:443

<VirtualHost xxx.xxx.198.64:443>
SSLEngine On
SSLCertificateFile crt4
SSLCertificateKeyFile key4
</VirtualHost>
-----

The old server is still up and running. I've upgraded Apache on that
system to the same version (2.0.58) and copied httpd.conf to that
machine. The above configuration somehow works correctly there.

I've been trying to debug this using "openssl s_client -state -connect"
and I do see some relevant differences, but I've been unable to
interpret them.

I know this report lacks a lot of possibly relevant details. But I
didn't want to send the whole httpd.conf and all of the terminal output
to this list.

Is there an obvious mistake in my configuration? Or have I stumbled on a
bug in Apache 2.0.58?

Kind regards,

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone: +31 (0)20 672 2308
Fax: +31 (0)20 672 2488

http://www.waxtrapp.com
frank.van.beek@waxtrapp.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
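The check Frank describes doing by hand with `openssl s_client` (connect to each address, look at what certificate comes back) scripted as an added example; this is not code from the thread. It assumes the constructed `EXPECTED` mapping of listening addresses to the host names they should serve, and `fetch_cert`, `audit`, `names_from_cert` and `cert_covers` are the example's own names. For each address it reports whether the certificate handed out actually names the site expected there, which is the symptom reported above (every address answering with the first VirtualHost's certificate).

```python
"""Audit which certificate each HTTPS address really serves.

Added example for this thread, not code from any of the posts. The
addresses and host names in EXPECTED are constructed placeholders.
"""
import socket
import ssl

# Constructed mapping: listening address -> name the site is known by.
# One entry per IP-based VirtualHost, mirroring the four in the thread.
EXPECTED = {
    "192.0.2.62": "site1.example",
    "192.0.2.61": "site2.example",
    "192.0.2.63": "site3.example",
    "192.0.2.64": "site4.example",
}


def names_from_cert(cert):
    """All DNS names a getpeercert() dict vouches for: SANs first, then the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def name_matches(pattern, host):
    """Exact match, or a single leading '*.' wildcard covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False


def cert_covers(cert, host):
    """True if the certificate is valid for `host` by name."""
    return any(name_matches(name, host) for name in names_from_cert(cert))


def fetch_cert(ip, host, port=443, timeout=5.0):
    """Handshake with ip:port (SNI = host) and return the peer certificate dict.

    Chain verification stays on so getpeercert() returns the decoded dict
    (it is empty under CERT_NONE); hostname checking is off so a certificate
    for the *wrong* site is returned and reported instead of aborting.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(expected, fetch=fetch_cert):
    """Return {ip: (ok, detail)}; `fetch` is injectable for offline testing."""
    results = {}
    for ip, host in expected.items():
        try:
            cert = fetch(ip, host)
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            results[ip] = (False, f"handshake failed: {exc}")
            continue
        if cert_covers(cert, host):
            results[ip] = (True, f"serves a certificate for {host}")
        else:
            got = ", ".join(names_from_cert(cert)) or "<no names>"
            results[ip] = (False, f"expected {host}, got certificate for {got}")
    return results


if __name__ == "__main__":
    for ip, (ok, detail) in audit(EXPECTED).items():
        print(f"{'OK ' if ok else 'BAD'} {ip}: {detail}")
```

Run it against real addresses after any migration or certificate rotation; a "BAD" line for every address but the first is the pattern this thread started with.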

Re: Apache sends wrong certificate

On 29.05.2006 18:15:19 by Frank van Beek

Hi all,

Frank van Beek wrote:

> Hi all,
>
> This morning we migrated 4 of our websites to a new server. Each of
> these websites uses a certificate for https connections. We've got only
> one Apache instance running with 4 virtual hosts on 4 different
> IP-addresses.

Today we discovered the cause of our problems. Our new hosting provider
had invalid reverse DNS records:

---------
% dig -x xxx.xxx.198.61

<-- snip -->
;; ANSWER SECTION:
61.198.xxx.xxx.in-addr.arpa. 900 IN PTR .
<-- snip -->

---------

After they changed their DNS, all we had to do was restart Apache to
make it function correctly.

With many thanks to ssh on Mac OS X which reported: Nasty PTR record ""
is set up for xxx.xxx.198.61, ignoring.

That's what gave us a clue that it might be reverse DNS related.

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone: +31 (0)20 672 2308
Fax: +31 (0)20 672 2488

http://www.waxtrapp.com

Re: Apache sends wrong certificate

On 30.05.2006 02:01:22 by dufresne

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



I'm sure this has been answered, but in case it has not;

You cannot virtualize https to more than one hostsite, you have to have
real IP addresses for https.

Thanks,

Ron DuFresne

On Wed, 24 May 2006, Frank van Beek wrote:

> Hi all,
>
> This morning we migrated 4 of our websites to a new server. Each of these
> websites uses a certificate for https connections. We've got only one Apache
> instance running with 4 virtual hosts on 4 different IP-addresses.
>
> This worked fine on the old server. But since the move this morning Apache
> sends the certificate for the first VirtualHost to all 4 IP-addresses. Two of
> these sites need an additional SSLCertificateChainFile, and this file is sent
> *correctly* depending on the IP-address. So Apache does see 4 different
> VirtualHosts, but somehow ignores the individual SSLCertificateFiles.
>
> Here is the relevant part of httpd.conf for these 4 hosts:
>
> -----
> Listen xxx.xxx.198.62:443
> NameVirtualHost xxx.xxx.198.62:443
>
> <VirtualHost xxx.xxx.198.62:443>
> SSLEngine On
> SSLCertificateChainFile chain1
> SSLCertificateFile crt1
> SSLCertificateKeyFile key1
> </VirtualHost>
>
> Listen xxx.xxx.198.61:443
> NameVirtualHost xxx.xxx.198.61:443
>
> <VirtualHost xxx.xxx.198.61:443>
> SSLEngine On
> SSLCertificateChainFile chain2
> SSLCertificateFile crt2
> SSLCertificateKeyFile key2
> </VirtualHost>
>
> Listen xxx.xxx.198.63:443
> NameVirtualHost xxx.xxx.198.63:443
>
> <VirtualHost xxx.xxx.198.63:443>
> SSLEngine On
> SSLCertificateFile crt3
> SSLCertificateKeyFile key3
> </VirtualHost>
>
> Listen xxx.xxx.198.64:443
> NameVirtualHost xxx.xxx.198.64:443
>
> <VirtualHost xxx.xxx.198.64:443>
> SSLEngine On
> SSLCertificateFile crt4
> SSLCertificateKeyFile key4
> </VirtualHost>
> -----
>
> The old server is still up and running. I've upgraded Apache on that system
> to the same version (2.0.58) and copied httpd.conf to that machine. The above
> configuration somehow works correctly there.
>
> I've been trying to debug this using "openssl s_client -state -connect" and I
> do see some relevant differences, but I've been unable to interpret them.
>
> I know this report lacks a lot of possibly relevant details. But I didn't
> want to send the whole httpd.conf and all of the terminal output to this
> list.
>
> Is there an obvious mistake in my configuration? Or have I stumbled on a bug
> in Apache 2.0.58?
>
> Kind regards,
>
> Frank.
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

....We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEe4tVst+vzJSwZikRAq+sAJ4mHff+nYpHLXBgfoQdFIYVBMRhYgCg w29G
ZcxkcdgHNKCofvRN3Hc5miA=
=BwdU
-----END PGP SIGNATURE-----

Re: Apache sends wrong certificate

On 30.05.2006 10:36:09 by Frank van Beek

Hi Ron,

R. DuFresne wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I'm sure this has been answered, but in case it has not;
>
> You cannot virtualize https to more than one hostsite, you have to have
> real IP addresses for https.

Thanks for your reply.

I understand your confusion. In my post I masked out the first two
numbers of the IP-addresses.

But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned
out (see a previous post), our problem was caused by a misconfigured
reverse DNS.

Frank.

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone: +31 (0)20 672 2308
Fax: +31 (0)20 672 2488

http://www.waxtrapp.com

> Thanks,
>
> Ron DuFresne
>
> On Wed, 24 May 2006, Frank van Beek wrote:
>
>> Hi all,
>>
>> This morning we migrated 4 of our websites to a new server. Each of
>> these websites uses a certificate for https connections. We've got
>> only one Apache instance running with 4 virtual hosts on 4 different
>> IP-addresses.
>>
>> This worked fine on the old server. But since the move this morning
>> Apache sends the certificate for the first VirtualHost to all 4
>> IP-addresses. Two of these sites need an additional
>> SSLCertificateChainFile, and this file is sent *correctly* depending
>> on the IP-address. So Apache does see 4 different VirtualHosts, but
>> somehow ignores the individual SSLCertificateFiles.
>>
>> Here is the relevant part of httpd.conf for these 4 hosts:
>>
>> -----
>> Listen xxx.xxx.198.62:443
>> NameVirtualHost xxx.xxx.198.62:443
>>
>> <VirtualHost xxx.xxx.198.62:443>
>> SSLEngine On
>> SSLCertificateChainFile chain1
>> SSLCertificateFile crt1
>> SSLCertificateKeyFile key1
>> </VirtualHost>
>>
>> Listen xxx.xxx.198.61:443
>> NameVirtualHost xxx.xxx.198.61:443
>>
>> <VirtualHost xxx.xxx.198.61:443>
>> SSLEngine On
>> SSLCertificateChainFile chain2
>> SSLCertificateFile crt2
>> SSLCertificateKeyFile key2
>> </VirtualHost>
>>
>> Listen xxx.xxx.198.63:443
>> NameVirtualHost xxx.xxx.198.63:443
>>
>> <VirtualHost xxx.xxx.198.63:443>
>> SSLEngine On
>> SSLCertificateFile crt3
>> SSLCertificateKeyFile key3
>> </VirtualHost>
>>
>> Listen xxx.xxx.198.64:443
>> NameVirtualHost xxx.xxx.198.64:443
>>
>> <VirtualHost xxx.xxx.198.64:443>
>> SSLEngine On
>> SSLCertificateFile crt4
>> SSLCertificateKeyFile key4
>> </VirtualHost>
>> -----
>>
>> The old server is still up and running. I've upgraded Apache on that
>> system to the same version (2.0.58) and copied httpd.conf to that
>> machine. The above configuration somehow works correctly there.
>>
>> I've been trying to debug this using "openssl s_client -state
>> -connect" and I do see some relevant differences, but I've been unable
>> to interpret them.
>>
>> I know this report lacks a lot of possibly relevant details. But I
>> didn't want to send the whole httpd.conf and all of the terminal
>> output to this list.
>>
>> Is there an obvious mistake in my configuration? Or have I stumbled on
>> a bug in Apache 2.0.58?
>>
>> Kind regards,
>>
>> Frank.
>>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
>
> ...We waste time looking for the perfect lover
> instead of creating the perfect love.
>
> -Tom Robbins
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> iD8DBQFEe4tVst+vzJSwZikRAq+sAJ4mHff+nYpHLXBgfoQdFIYVBMRhYgCg w29G
> ZcxkcdgHNKCofvRN3Hc5miA=
> =BwdU
> -----END PGP SIGNATURE-----

Re: Apache sends wrong certificate

On 30.05.2006 13:44:08 by Cliff Woolley


On 5/30/06, Frank van Beek wrote:
>
> I understand your confusion. In my post I masked out the first two
> numbers of the IP-addresses.
> But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned
> out (see a previous post), our problem was caused by a misconfigured
> reverse DNS.



I'm glad you figured it out, but it's still a little bit unclear to me why
the DNS should have had any effect.

The NameVirtualHost directives in the config snippet you posted are
extraneous and should be removed. I wonder if you'd gotten rid of those if
the problem would have gone away regardless of DNS.

Hmm...

--Cliff


Re: Apache sends wrong certificate

On 30.05.2006 21:14:58 by Frank van Beek

Hey Cliff,

Cliff Woolley wrote:
>
> On 5/30/06, *Frank van Beek* wrote:
>
> I understand your confusion. In my post I masked out the first two
> numbers of the IP-addresses.
> But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned
> out (see a previous post), our problem was caused by a misconfigured
> reverse DNS.
>
>
>
> I'm glad you figured it out, but it's still a little bit unclear to me
> why the DNS should have had any effect.
>
> The NameVirtualHost directives in the config snippet you posted are
> extraneous and should be removed. I wonder if you'd gotten rid of those
> if the problem would have gone away regardless of DNS.

I checked a couple of pages on VirtualHosts in the Apache documentation.
As far as I can see, in the examples in most of them there is a
NameVirtualHost for every VirtualHost, even when it's running on a
different port.

See the examples here:

http://httpd.apache.org/docs/2.0/vhosts/examples.html

I don't know enough about Apache configuration to know when you need
both, so could you please explain to me why in our configuration the
NameVirtualHost directives are extraneous?


Kind regards,

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone: +31 (0)20 672 2308
Fax: +31 (0)20 672 2488

http://www.waxtrapp.com

Re: Apache sends wrong certificate

On 30.05.2006 23:53:14 by Cliff Woolley


On 5/30/06, Frank van Beek wrote:
>
> I checked a couple of pages on VirtualHosts in the Apache documentation.
> As far as I can see, in the examples in most of them there is a
> NameVirtualHost for every VirtualHost, even when it's running on a
> different port.
>
> See the examples here:
>
> http://httpd.apache.org/docs/2.0/vhosts/examples.html
>

All of the examples on that page that use NameVirtualHost are actually
*doing* name-based virtual hosting, which is where you have multiple virtual
hosts with the same IP/port combination (thus the only thing that
distinguishes them is their name, as given in the Host: HTTP header).

You're doing IP-based virtual hosting, not name-based virtual hosting.
(You only have one virtual host per IP/port combination.) Thus you don't
need NameVirtualHost. If you scroll down in the page you gave, you'll see
an example of IP-based virtual hosting, and note that it does *not* include
any NameVirtualHost directives.

Hope this helps,
--Cliff

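Cliff's distinction between name-based and IP-based hosting, together with the two other failure modes this thread touches (several SSL hosts sharing one address:port, and a VirtualHost whose name has to come from reverse DNS because no ServerName is set, which is where Frank's bad PTR record bites), turned into an added lint over an httpd.conf snippet. This is example code, not from the thread or from the Apache project; `parse_conf` and `lint` are its own names, `SAMPLE_CONF` is a constructed copy of two of the four blocks posted above with the `<VirtualHost>` container lines filled in (and, as in the posted snippet, no ServerName), and `SHARED_ADDR_CONF` is a constructed name-based case.

```python
"""Lint Listen / NameVirtualHost / <VirtualHost> combinations in an httpd.conf.

Added example for this thread, not code from the posts or from the Apache
project. SAMPLE_CONF is a constructed copy of two of the thread's blocks;
SHARED_ADDR_CONF is a constructed name-based SSL configuration.
"""
import re

SAMPLE_CONF = """
Listen xxx.xxx.198.62:443
NameVirtualHost xxx.xxx.198.62:443
<VirtualHost xxx.xxx.198.62:443>
SSLEngine On
SSLCertificateChainFile chain1
SSLCertificateFile crt1
SSLCertificateKeyFile key1
</VirtualHost>

Listen xxx.xxx.198.61:443
NameVirtualHost xxx.xxx.198.61:443
<VirtualHost xxx.xxx.198.61:443>
SSLEngine On
SSLCertificateChainFile chain2
SSLCertificateFile crt2
SSLCertificateKeyFile key2
</VirtualHost>
"""

SHARED_ADDR_CONF = """
Listen 192.0.2.10:443
NameVirtualHost 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
ServerName a.example
SSLEngine On
SSLCertificateFile crtA
SSLCertificateKeyFile keyA
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName b.example
SSLEngine On
SSLCertificateFile crtB
SSLCertificateKeyFile keyB
</VirtualHost>
"""

OPEN_RE = re.compile(r"^<VirtualHost\s+([^>\s]+)>$", re.IGNORECASE)
CLOSE_RE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)


def parse_conf(text):
    """Return (listens, name_vhosts, vhosts); each vhost keeps its address and lower-cased directives."""
    listens, name_vhosts, vhosts = set(), set(), []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        opened = OPEN_RE.match(line)
        if opened:
            current = {"addr": opened.group(1), "directives": {}}
        elif CLOSE_RE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
        else:
            parts = line.split(None, 1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if current is not None:
                current["directives"][key] = value
            elif key == "listen":
                listens.add(value)
            elif key == "namevirtualhost":
                name_vhosts.add(value)
    return listens, name_vhosts, vhosts


def lint(text):
    """Return a list of human-readable findings, one per problem found."""
    listens, name_vhosts, vhosts = parse_conf(text)
    by_addr = {}
    for vh in vhosts:
        by_addr.setdefault(vh["addr"], []).append(vh)
    findings = []
    for addr, group in by_addr.items():
        port = addr.rsplit(":", 1)[-1]
        # A bare "Listen 443" covers every address on that port; wildcard vhosts need no exact match.
        if addr not in listens and port not in listens and not addr.startswith(("*", "_default_")):
            findings.append(f"{addr}: no Listen directive for this address")
        if len(group) == 1 and addr in name_vhosts:
            findings.append(f"{addr}: NameVirtualHost is extraneous, only one VirtualHost uses this address (IP-based hosting)")
        if len(group) > 1 and addr not in name_vhosts:
            findings.append(f"{addr}: {len(group)} VirtualHosts share this address without NameVirtualHost, httpd gives the first precedence")
        ssl_hosts = [vh for vh in group if vh["directives"].get("sslengine", "").lower() == "on"]
        if len(ssl_hosts) > 1:
            findings.append(f"{addr}: {len(ssl_hosts)} SSL VirtualHosts on one address:port; without SNI (httpd 2.2.12 and later) only the first certificate can be served")
        for vh in group:
            if "servername" not in vh["directives"]:
                findings.append(f"{addr}: VirtualHost without ServerName, httpd derives the name by a reverse DNS lookup of the address")
    for addr in sorted(name_vhosts - set(by_addr)):
        findings.append(f"{addr}: NameVirtualHost without any VirtualHost")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) + lint(SHARED_ADDR_CONF):
        print(finding)
```

On the thread's own snippet the lint reports the NameVirtualHost lines as extraneous, which is Cliff's point, and flags the missing ServerName, which is what made the server's behaviour depend on the hosting provider's PTR records; the shared-address sample shows the case Ron was warning about, where an Apache of that era could only ever present one certificate per address:port.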

Re: Apache sends wrong certificate

On 31.05.2006 10:56:37 by Frank van Beek

Hi Cliff,

Cliff Woolley wrote:

> You're doing IP-based virtual hosting, not name-based virtual hosting.
> (You only have one virtual host per IP/port combination.) Thus you
> don't need NameVirtualHost. If you scroll down in the page you gave,
> you'll see an example of IP-based virtual hosting, and note that it does
> *not* include any NameVirtualHost directives.
>
> Hope this helps,

Thanks for the explanation. I *think* I understand the difference now. :)

The next time we add a new IP-address I'll check if Apache ignores
invalid DNS PTR records if I remove the NameVirtualHost. This might take
a while though before this happens.

I'll report my findings back to this list for documentation purposes.


Kind regards,

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone: +31 (0)20 672 2308
Fax: +31 (0)20 672 2488

http://www.waxtrapp.com