SSL with multiple domains on same server
on 20.11.2002 15:25:01 by Ludovic Perard
Hello.
I'm trying to set up Apache with SSL on Windows 2000.
It is working but I have some troubles with the certificates.
If my Apache server is server.mydomain.com and I want to have two
websites with HTTPS. The SSL is well enabled and works fine.
It is what I did :
* openssl req -config openssl.cnf -new -out website1.csr
-> then I put "website1.mydomain.com" as common name
* openssl rsa -in privkey.pem -out website1.key
* openssl x509 -in website1.csr -out website1.cert -req -signkey website1.key -days 365
-> To have a temporary signed key
Then, I did all these operations a second time for the website2.
(with "website2.mydomain.com" as common name for the second .csr)
At the end, I have these files :
- website1.cert
- website1.key
- website2.cert
- website2.key
In httpd.conf I set up both sites :
SSLEngine On
SSLCertificateFile ssl/website1.cert
SSLCertificateKeyFile ssl/website1.key
SSLEngine On
SSLCertificateFile ssl/website2.cert
SSLCertificateKeyFile ssl/website2.key
website1 and website2 have different IP addresses
And then, my problem appears.
In my browser, I can go to both sites with SSL, but both take the
same certificate... Why ? Is there a mismatch between name of the
server and names of the websites ?
--
Best regards,
Ludovic
ludovic.perard@victor-buck.com
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: SSL with multiple domains on same server
on 20.11.2002 15:33:00 by Boyle Owen
You are trying to run two name based VHs under SSL. You cannot do this
(see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47).
The problem is that SSL encapsulates HTTP so the SSL session has to be
negotiated before any HTTP traffic can be seen. But the hostname is in
the HTTP request, so apache cannot decide which VH to use - so it uses
the first by default.
You need to use separate IPs and/or ports...
Rgds,
Owen Boyle
This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company.
Re[2]: SSL with multiple domains on same server
on 20.11.2002 15:47:39 by Ludovic Perard
Hello Boyle,
Wednesday, November 20, 2002, 3:33:00 PM, you wrote:
BO> You are trying to run two name based VHs under SSL. You cannot do this
BO> (see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47).
BO> The problem is that SSL encapsulates HTTP so the SSL session has to be
BO> negotiated before any HTTP traffic can be seen. But the hostname is in
BO> the HTTP request, so apache cannot decide which VH to use - so it uses
BO> the first by default.
BO> You need to use separate IPs and/or ports...
I'm already using two different IP addresses
--
Best regards,
Ludovic
ludovic.perard@victor-buck.com
RE: Re[2]: SSL with multiple domains on same server
on 20.11.2002 16:14:45 by Boyle Owen
>-----Original Message-----
>From: Ludovic Perard [mailto:ludovic.perard@victor-buck.com]
>
>I'm already using two different IP addresses
>
Then it should work. Are you sure?
Try defining the IP addresses explicitly to reveal any DNS
misconfigurations:
Listen 192.168.1.1:443
....
Listen 192.168.1.2:443
....
Rgds,
Owen Boyle
Re: SSL with multiple domains on same server
on 20.11.2002 19:33:42 by Kristijan Cafuta RIP
Try using IP based virtual host and not name based
lp, K
--
Kristijan mailto:kristijan@rip-computer.si
Re: Re[2]: SSL with multiple domains on same server
on 20.11.2002 22:55:49 by Robert
Are you saying I can use the same IP and two different ports to be able to have more than one VH under SSL?
RE: Re[2]: SSL with multiple domains on same server
on 21.11.2002 09:48:56 by Boyle Owen
>-----Original Message-----
>From: robert@rdcss.com [mailto:robert@rdcss.com]
>
>are you saying i can use the same ip and two different port to
>be able to have more than one vhs under ssl?
Certainly. e.g.
Listen 192.168.1.1:443
...etc
Listen 192.168.1.1:444
...etc
The rule is: SSL VHs must be distinct at TCP/IP level (i.e. ip addr and
port pair must be distinct).
Rgds,
Owen Boyle
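
[Added example, not part of the message above and not mod_ssl's own code: a small check of the rule stated in this reply, that SSL virtual hosts must differ in their IP:port pair, run over a constructed httpd.conf excerpt. The website3 host, the helper names and the assumption that addresses are written literally as IP:port are illustrative.]

```python
import re
from collections import defaultdict

# Constructed sample config (not from the thread): two SSL vhosts share one
# IP:port pair, a third has its own address.
SAMPLE_CONF = """
<VirtualHost 192.168.1.1:443>
    ServerName website1.mydomain.com
    SSLEngine On
    SSLCertificateFile ssl/website1.cert
</VirtualHost>
<VirtualHost 192.168.1.1:443>
    ServerName website2.mydomain.com
    SSLEngine On
    SSLCertificateFile ssl/website2.cert
</VirtualHost>
<VirtualHost 192.168.1.2:443>
    ServerName website3.mydomain.com
    SSLEngine On
    SSLCertificateFile ssl/website3.cert
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def directive(body, name):
    """Return the first argument of a directive inside a vhost body, or None."""
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None


def ssl_vhosts(conf):
    """Yield (address, ServerName, certificate) for each SSL-enabled vhost."""
    for addrs, body in VHOST_RE.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() != "on":
            continue
        for addr in addrs.split():
            yield addr, directive(body, "ServerName"), directive(body, "SSLCertificateFile")


def shadowed_certs(conf):
    """Map each shared IP:port to (cert served, vhosts whose cert is never sent)."""
    groups = defaultdict(list)
    for addr, name, cert in ssl_vhosts(conf):
        groups[addr].append((name, cert))
    return {a: (v[0][1], v[1:]) for a, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for addr, (served, losers) in shadowed_certs(SAMPLE_CONF).items():
        for name, cert in losers:
            print(f"{addr}: {name} will present {served}, not {cert}")
```

[An empty result means every SSL virtual host in the file has its own IP:port pair; moving website2 to port 444 in the sample clears the finding.]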
Re[4]: SSL with multiple domains on same server
on 21.11.2002 10:58:47 by Ludovic Perard
Hello Boyle,
Wednesday, November 20, 2002, 4:14:45 PM, you wrote:
>>-----Original Message-----
>>From: Ludovic Perard [mailto:ludovic.perard@victor-buck.com]
>>
>>I'm already using two different IP addresses
>>
BO> Then it should work. Are you sure?
BO> Try defining the IP addresses explicitly to reveal any DNS
BO> misconfigurations:
BO> Listen 192.168.1.1:443
BO>
BO> ...
BO> Listen 192.168.1.2:443
BO>
BO> ...
I tried with your manner and it doesn't change anything...
All sites take the same certificate... :/
Can the problem come from the IP? We are using network address
translation and all IPs on the web server are 172.x.x.x, so, I tried
with :
but no success.
--
Best regards,
Ludovic
ludovic.perard@victor-buck.com