2 VirtualHosts with 2 Certificates

on 08.01.2003 19:58:10 by toxshark


I have Apache configured with 2 VirtualHosts on port 443.
Both VirtualServers have separate CertificateFiles and
CertificateKeyFiles.
But now if I connect to VirtualHost2, the host has the certificate
from VirtualServer1!
Both hosts now have the same certificate.

my httpd.config:

....
NameVirtualHost 92.35.28.17:443

<VirtualHost 92.35.28.17:443>
ServerName domain1.com
ServerAlias www.domain1.com
DocumentRoot "/web1/"
SSLEngine on
SSLCertificateFile /usr/local/etc/apache/key/ssl1.cert
SSLCertificateKeyFile /usr/local/etc/apache/key/ssl1.key
</VirtualHost>

<VirtualHost 92.35.28.17:443>
ServerName domain2.com
ServerAlias www.domain2.com
DocumentRoot "/web2/"
SSLEngine on
SSLCertificateFile /usr/local/etc/apache/key/ssl2.cert
SSLCertificateKeyFile /usr/local/etc/apache/key/ssl2.key
</VirtualHost>

....

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: 2 VirtualHosts with 2 Certificates

on 08.01.2003 20:28:58 by Mads Toftum

On Wed, Jan 08, 2003 at 07:58:10PM +0100, toxshark wrote:
> i have the apache configured with 2 VirtualHosts on port 443.
> both VirtualServers have separately CertificateFiles and
> CertificateKeyFiles.
> but now if i connect to the VirtualHost2, the Host have the Certificate
> from the VirtualServer1!
> both Hosts have now the same Certificate.
>
A classical FAQ - http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts
you need different ip's or different ports.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall


Re: 2 VirtualHosts with 2 Certificates

on 08.01.2003 21:00:38 by Dave Paris

Per all the documentation and countless examples in the archives of
this mail list, you must either use two different IPs or use different
ports. You *cannot* use Named Virtual Hosts for SSL. Period.

-dsp


Re: 2 VirtualHosts with 2 Certificates

on 08.01.2003 22:29:47 by James Barwick

Should have read the MOST FREQUENTLY ASKED FREQUENTLY ASKED QUESTIONS!!!

Can't do that. Learn a little more about SSL. It's IP based, not name
based. So, you can only have one certificate and one virtual host on
92.35.28.17:443. Sorry...but that's the way it goes.

Same question answer number four billion six hundred seventeen million
two hundred thirty-four thousand nine hundred twenty-four!

;)

JDB


RE: 2 VirtualHosts with 2 Certificates

on 09.01.2003 15:41:54 by Irving Carrion

Everyone knows this question will not stop coming... is it possible to
return an error message to the user when restarting apache? Only a
suggestion.... =)


RE: 2 VirtualHosts with 2 Certificates

on 09.01.2003 16:14:39 by Boyle Owen

>-----Original Message-----
>From: Irving Carrion [mailto:icarrion@allinterior.com]
>Sent: Thursday, 9 January 2003 15:42
>To: modssl-users@modssl.org
>Subject: RE: 2 VirtualHosts with 2 Certificates
>
>
>Everyone knows this question will not stop coming... is it possible to
>return an error message to the user when restarting apache?

The trouble is that it is not really an error.

- mod_ssl asks apache for the certificate pertaining to the virtual host
defined by the request's TCP/IP attributes (IP and port).
- Apache uses its standard ruleset (namely: if you have several VHs on
the same IP/port, use the first one) to get the cert.
- mod_ssl receives the cert and happily does the SSL negotiation.

There is nothing illegal in a config which attempts NBVH with SSL VHs so
it is difficult to spot the "error".

>Only a
>suggestion.... =)

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company.
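
The three steps listed in the reply above, modelled as an added example that is not part of the original thread and is not mod_ssl's code: the certificate is chosen from IP and port alone, the virtual host from the Host header afterwards, and a check reports certificates that can never be served. Function names are hypothetical and the sample configuration is constructed from the one posted in the thread.

```python
import re

# Constructed sample: the two vhosts from the configuration posted in this thread.
SAMPLE_CONF = """
NameVirtualHost 92.35.28.17:443
<VirtualHost 92.35.28.17:443>
ServerName domain1.com
ServerAlias www.domain1.com
DocumentRoot "/web1/"
SSLEngine on
SSLCertificateFile /usr/local/etc/apache/key/ssl1.cert
SSLCertificateKeyFile /usr/local/etc/apache/key/ssl1.key
</VirtualHost>
<VirtualHost 92.35.28.17:443>
ServerName domain2.com
ServerAlias www.domain2.com
DocumentRoot "/web2/"
SSLEngine on
SSLCertificateFile /usr/local/etc/apache/key/ssl2.cert
SSLCertificateKeyFile /usr/local/etc/apache/key/ssl2.key
</VirtualHost>
"""


def parse_vhosts(conf_text):
    """Return the <VirtualHost> blocks as dicts, in configuration order."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>$", line, re.I)
        if opened:
            current = {"addrs": opened.group(1).split(), "names": [],
                       "ssl": False, "cert": None, "docroot": None}
            continue
        if re.match(r"</VirtualHost>$", line, re.I):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        parts = line.split(None, 1)
        if current is None or len(parts) != 2:
            continue  # directive outside a vhost, or one without an argument
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key in ("servername", "serveralias"):
            current["names"].extend(n.lower() for n in value.split())
        elif key == "sslengine":
            current["ssl"] = value.lower() == "on"
        elif key == "sslcertificatefile":
            current["cert"] = value
        elif key == "documentroot":
            current["docroot"] = value
    return vhosts


def cert_for_connection(vhosts, addr):
    """Handshake stage: only IP:port is known, so the first SSL vhost wins."""
    for vh in vhosts:
        if addr in vh["addrs"] and vh["ssl"]:
            return vh["cert"]
    return None


def vhost_for_request(vhosts, addr, host):
    """Request stage: match the decrypted Host header, else use the first vhost."""
    candidates = [vh for vh in vhosts if addr in vh["addrs"]]
    host = host.lower().split(":")[0]
    for vh in candidates:
        if host in vh["names"]:
            return vh
    return candidates[0] if candidates else None


def shadowed_certs(vhosts):
    """Report SSL vhosts whose certificate differs from the one actually served."""
    first_cert, findings = {}, []
    for vh in vhosts:
        if not vh["ssl"]:
            continue
        for addr in vh["addrs"]:
            if addr not in first_cert:
                first_cert[addr] = vh["cert"]
            elif vh["cert"] != first_cert[addr]:
                name = vh["names"][0] if vh["names"] else "(unnamed)"
                findings.append((addr, name, vh["cert"], first_cert[addr]))
    return findings


if __name__ == "__main__":
    hosts = parse_vhosts(SAMPLE_CONF)
    for addr, name, unused, served in shadowed_certs(hosts):
        print(f"warning: {name} on {addr} configures {unused}, "
              f"but clients are sent {served}")
```

A configuration in which every vhost on the address names the same certificate file produces no findings.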

Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

on 12.01.2003 22:36:38 by James Collier

Irving Carrion wrote:
> Everyone knows this question will not stop coming... is it possible to
> return an error message to the user when restarting apache? Only a
> suggestion.... =)
Please DON'T do this.

Confession time. I actually have a use for NBVHs with SSL, and I'd
prefer not to have it broken gratuitously.

I run a site whose members collaborate using a number of Web-based
tools. All members are issued with client certificates signed by our
private CA, and I have a single instance of Apache+mod-ssl with a single
IP address acting as an SSL-only reverse-proxy for these tools.

Some parts of the site have varying authorisation policy rules, and some
of the proxied tools assume that they own the root of the site and can't
cope with explicit ports in URLs. For these reasons, it is convenient
to split the site into multiple NBVHs.

These NBVHs are all derived off the same 3rd-level domain, and thus we
can use the same wildcard certificate for each NBVH (users whose
browsers don't recognise wildcard certificates need only placate the
browser once in most cases).

This set-up has been working for over two years now, but I do
occasionally have wakeful nights wondering if someone will break this
counter-documented capability.

I realise I am on thin ice as it would be a "reasonable" optimisation to
assign the final virtual host at an earlier stage than is currently the
case with SSL.

Am I on my own here?

RE: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

on 13.01.2003 04:23:27 by Barry Smoke

>These NBVHs are all derived off the same 3rd-level domain, and thus we
>can use the same wildcard certificate for each NBVH (users whose
>browsers don't recognise wildcard certificates need only placate the
>browser once in most cases).

o.k...you have my attention now...
wildcard certificate?
Can wildcard certificates be purchased, or is this only if you are self
signing?

I sure would like to buy one certificate, and have all my subdomains on
my main domain recognize it without a warning window popping up for
internet customers...

https://arhosting.com
https://www.arhosting.com
https://secure.arhosting.com
https://www.secure.arhosting.com

I would like to cover all of my bases with one certificate...
Is this possible?





RE: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

on 13.01.2003 10:35:11 by Boyle Owen

I believe you can get wildcard certs from Thawte. Check out their site.
NB - wildcards are like *.acme.com so www1.acme.com, www2.acme.com etc
all work. You cannot get *.*.com to work in any case.

Rgds,
Owen Boyle


Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

on 13.01.2003 10:36:05 by Mads Toftum

On Sun, Jan 12, 2003 at 09:23:27PM -0600, Barry Smoke wrote:
> o.k...you have my attention now...
> wildcard certificate?
> Can wildcard certificates be purchased, or is this only if you are self
> signing?
>
According to Thawte's website they still issue wildcard certs.

> I sure would like to buy one certificate, and have all my subdomains on
> my main domain recognize it without a warning window popping up for
> internet customers...
>
YMMV - some versions of MSIE do not accept wildcard certs because M$
decided to stop doing that for a couple of releases.

> https://arhosting.com
> https://www.arhosting.com
> https://secure.arhosting.com
> https://www.secure.arhosting.com
>
> I would like to cover all of my bases with one certificate...
> Is this possible?
>
*arhosting.com should probably do it.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
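
The wildcard rule from the replies above (*.acme.com covers www1.acme.com, *.*.com never works), applied to the four hostnames asked about, as an added example that is not part of the original thread. It assumes the strict rule that the wildcard is the whole left-most label and stands for exactly one label; the function names are hypothetical.

```python
# Hostnames from the question in the thread.
HOSTS = [
    "arhosting.com",
    "www.arhosting.com",
    "secure.arhosting.com",
    "www.secure.arhosting.com",
]


def wildcard_covers(cert_name, hostname):
    """True if a certificate name (exact, or a '*.' wildcard) covers hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if "*" not in cert_name:
        return pattern == host
    # Assumed strict rule: a single '*' that is the entire left-most label,
    # followed by at least two fixed labels (so '*.com' and '*.*.com' fail).
    if pattern[0] != "*" or len(pattern) < 3:
        return False
    if any("*" in label for label in pattern[1:]):
        return False
    # '*' stands for exactly one non-empty label, so the label counts must
    # be equal and everything to the right of the wildcard must be identical.
    return len(host) == len(pattern) and host[0] != "" and host[1:] == pattern[1:]


def coverage(cert_names, hostnames):
    """Map each hostname to the first certificate name that covers it, or None."""
    return {
        host: next((n for n in cert_names if wildcard_covers(n, host)), None)
        for host in hostnames
    }


def names_needed(hostnames):
    """Smallest set of names under this rule: apex names stay exact,
    every deeper name is folded into a wildcard for its parent domain."""
    needed = []
    for host in hostnames:
        labels = host.lower().split(".")
        name = host.lower() if len(labels) < 3 else "*." + ".".join(labels[1:])
        if name not in needed:
            needed.append(name)
    return needed


if __name__ == "__main__":
    for host, name in coverage(["*.arhosting.com"], HOSTS).items():
        print(f"{host:28} {'covered by ' + name if name else 'NOT covered'}")
    print("names needed:", ", ".join(names_needed(HOSTS)))
```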


RE: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

on 13.01.2003 10:45:50 by Boyle Owen

>-----Original Message-----
>From: James Collier [mailto:james.collier@xtra.co.nz]
>
>I realise I am on thin ice as it would be a "reasonable"
>optimisation to assign the final virtual host at an earlier
>stage than is currently the case with SSL.

I wouldn't worry too much. Currently, in an SSL transaction, *all*
information is regarded as requiring encryption - including the Host
header in the original request. So the SSL session has to be established
before any traffic takes place. Anything different (e.g. putting the
host header in the SSL layer) would be a major revision of the protocol.
One of two things will happen first:

- IPv6 will take off, creating so many IP addresses that NBVH will be
unnecessary and we will revert to one site, one IP.
- A new SSL-like protocol will appear which promotes the site name to
the SSL layer thus enabling NBVH.

Either way, you'll need substantially to upgrade and reconfigure your
server so you'll be well aware of the changes.

Rgds,

Owen Boyle


Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

on 13.01.2003 13:10:38 by James Collier

Sorry - I didn't express that very well, but thanks for the reply.

At the moment, the handshake takes place using the first matching vhost
on the basis of IP+Port, but evidently Apache then scans the decrypted
host header and assigns the correct NBVH. This is using 1.3.x; I haven't
tested 2.x yet.

My fear is that future apache+modssl code may lock-in the first NBVH
that matches on the basis of IP+Port, which would break my scheme.

Regards,
James.

PS For those of you who were wondering, we use a private CA to issue the
wildcard server cert. As someone has already noted, Thawte advertise
them as well.

Boyle Owen wrote:
>>-----Original Message-----
>>From: James Collier [mailto:james.collier@xtra.co.nz]
>>
>>I realise I am on thin ice as it would be a "reasonable"
>>optimisation to assign the final virtual host at an earlier
>>stage than is currently the case with SSL.
^^^
I meant "apache+modssl"
>
>
> I wouldn't worry too much. Currently, in an SSL transaction, *all*
> information is regarded as requiring encryption - including the Host
> header in the original request. So the SSL session has to be established
> before any traffic takes place. Anything different (e.g. putting the
> host header in the SSL layer) would be a major revision of the protocol.
> One of two things will happen first:
>
> - IPv6 will take off, creating so many IP addresses that NBVH will be
> unnecessary and we will revert to one site, one IP.
> - A new SSL-like protocol will appear which promotes the site name to
> the SSL layer thus enabling NBVH.
>
> Either way, you'll need substantially to upgrade and reconfigure your
> server so you'll be well aware of the changes.
>
> Rgds,
>
> Owen Boyle

RE: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

am 13.01.2003 14:58:45 von Boyle Owen

>-----Original Message-----
>From: James Collier [mailto:james.collier@xtra.co.nz]
>
>At the moment, the handshake takes place using the first matching vhost
>on the basis of IP+Port, but evidently Apache then scans the decrypted
>host header and assigns the correct NBVH.

Exactly. The SSL transaction is handled by mod_ssl. The apache core is
only used initially to deliver a certificate to the SSL Engine. As you
rightly say, given only an IP address and port number, it simply
responds with the first cert it finds in a matching VH. Having obtained
a cert, mod_ssl establishes the SSL channel with the browser -
thereafter, the requests are decrypted and passed "en clair" to the
apache core. So now apache can apply its NBVH algorithm happily.

>This is using 1.3.x; I haven't tested 2.x yet.

It will be the same. This is a feature of the HTTPS layer and is
unaffected by what happens in the apache core, which is under HTTPS.

>My fear is that future apache+modssl code may lock-in the first NBVH
>that matches on the basis of IP+Port, which would break my scheme.

Not likely. Each request is allowed to contain its own "Host" header. So
there is no reason why the server should override it. In any case, there
is no mechanism for the server to "remember" that subsequent requests
from a particular client were originally served from a certain VH. HTTPS
is an additional onion-layer which entirely encapsulates HTTP so there
should be no spillover from one to the other.

Rgds,

Owen Boyle
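
Added example (not part of the original post, and not mod_ssl code): a small Python audit of the behaviour described above, where the certificate comes from the first vhost matching IP+port and the Host header only selects the vhost afterwards. The addresses, hostnames, file paths and the CERT_NAMES table are constructed, and wildcard matching is assumed to cover exactly one leftmost label.

```python
"""Flag name-based SSL vhosts whose names the presented certificate does not cover."""
import re

# Constructed sample configuration (documentation addresses and .example names).
SAMPLE_CONF = """
NameVirtualHost 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName domain1.example
    ServerAlias www.domain1.example
    SSLCertificateFile /etc/ssl/ssl1.cert
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName domain2.example
    SSLCertificateFile /etc/ssl/ssl2.cert
</VirtualHost>
<VirtualHost 192.0.2.20:443>
    ServerName a.intranet.example
    SSLCertificateFile /etc/ssl/wild.cert
</VirtualHost>
<VirtualHost 192.0.2.20:443>
    ServerName b.intranet.example
    SSLCertificateFile /etc/ssl/wild.cert
</VirtualHost>
"""

# Constructed: names each certificate is valid for. In practice these would be
# read from the certificate's subject CN / subjectAltName entries.
CERT_NAMES = {
    "/etc/ssl/ssl1.cert": ["domain1.example", "www.domain1.example"],
    "/etc/ssl/ssl2.cert": ["domain2.example"],
    "/etc/ssl/wild.cert": ["*.intranet.example"],
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf):
    """Return vhosts in file order as dicts with addr, names and cert."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        vh = {"addr": addr, "names": [], "cert": None}
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key, args = parts[0].lower(), parts[1:]
            if key in ("servername", "serveralias"):
                vh["names"].extend(a.lower() for a in args)
            elif key == "sslcertificatefile" and args:
                vh["cert"] = args[0]
        vhosts.append(vh)
    return vhosts


def name_matches(pattern, host):
    """Exact match, or '*.' wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:]


def audit(vhosts, cert_names):
    """List (addr, hostname, presented_cert) where the browser would see a mismatch.

    Models the thread's description: for each IP:port the handshake uses the
    certificate of the FIRST vhost in the file, whatever Host header follows.
    """
    presented = {}  # addr -> certificate of the first vhost on that addr
    findings = []
    for vh in vhosts:
        cert = presented.setdefault(vh["addr"], vh["cert"])
        for host in vh["names"]:
            if not any(name_matches(p, host) for p in cert_names.get(cert, [])):
                findings.append((vh["addr"], host, cert))
    return findings


if __name__ == "__main__":
    for addr, host, cert in audit(parse_vhosts(SAMPLE_CONF), CERT_NAMES):
        print(f"{addr}: {host} is served with {cert}, which does not cover it")
```

The two vhosts on 192.0.2.10 reproduce the original poster's symptom, while the two on 192.0.2.20 show why a shared wildcard certificate avoids it.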


Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

am 13.01.2003 16:32:24 von Eric Rescorla

"Boyle Owen" writes:
> - IPv6 will take off, creating so many IP addresses that NBVH will be
> unnecessary and we will revert to one site, one IP.
There is already a document describing how to do this with SSL/TLS
in the IETF standards pipeline.

-Ekr

--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/

Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

am 13.01.2003 16:39:04 von Mads Toftum

On Mon, Jan 13, 2003 at 07:32:24AM -0800, Eric Rescorla wrote:
> There is already a document describing how to do this with SSL/TLS
> in the IETF standards pipeline.
>
Unfortunately this is not implemented very many places - so far the only
place I've heard of is Apache 2.1 which has some preliminary and untested
code for it. If anyone knows of a compliant client, then that would be
much appreciated.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall


Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

am 13.01.2003 17:08:09 von Eric Rescorla

Mads Toftum writes:

> On Mon, Jan 13, 2003 at 07:32:24AM -0800, Eric Rescorla wrote:
> > There is already a document describing how to do this with SSL/TLS
> > in the IETF standards pipeline.
> >
> Unfortunately this is not implemented very many places - so far the only
> place I've heard of is Apache 2.1 which has some preliminary and untested
> code for it. If anyone knows of a compliant client, then that would be
> much appreciated.
I don't.

Moreover even if there were it will be like 2-3 years before it's
sufficiently widespread that you can count on it.

-Ekr

--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/

Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

am 13.01.2003 19:29:53 von James Collier

Many thanks Owen - I'll sleep more easily now ;)

Boyle Owen wrote:
>>-----Original Message-----
>>From: James Collier [mailto:james.collier@xtra.co.nz]
>>
>>At the moment, the handshake takes place using the first matching vhost
>>on the basis of IP+Port, but evidently Apache then scans the decrypted
>>host header and assigns the correct NBVH.
>
>
> Exactly. The SSL transaction is handled by mod_ssl. The apache core is only used initially to deliver a certificate to the SSL Engine. As you rightly say, given only an IP address and port number, it simply responds with the first cert it finds in a matching VH. Having obtained a cert, mod_ssl establishes the SSL channel with the browser - thereafter, the requests are decrypted and passed "en clair" to the apache core. So now apache can apply its NBVH algorithm happily.
>
>
>>This is using 1.3.x; I haven't tested 2.x yet.
>
>
> It will be the same. This is a feature of the HTTPS layer and is unaffected by what happens in the apache core, which is under HTTPS.
>
>
>>My fear is that future apache+modssl code may lock-in the first NBVH
>>that matches on the basis of IP+Port, which would break my scheme.
>
>
> Not likely. Each request is allowed to contain its own "Host" header. So there is no reason why the server should override it. In any case, there is no mechanism for the server to "remember" that subsequent requests from a particular client were originally served from a certain VH. HTTPS is an additional onion-layer which entirely encapsulates HTTP so there should be no spillover from one to the other.
>
> Rgds,
>
> Owen Boyle

Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

am 14.01.2003 05:14:32 von Robert

Are there any docs for setting this up?

thanks
Robert


Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

am 14.01.2003 11:06:56 von James Collier

robert@rdcss.com wrote:
> Are there any docs for setting this up?
Not as such - I cooked the site up as a one-off, with the feeling that
much of it came under the dirty hack classification (particularly as
almost every mod-ssl document contains wording to the effect of "Don't
ever ever ever under any circumstances try to use NBVHs with mod-ssl")

There's nothing particularly innovative or devious here - and I'm in the
rare position of working with a smallish closed user group whose members
are willing and competent to do some basic browser certificate management.

But I suppose if people feel this set-up is legitimate, useful and
non-trivial I ought to make time to write up a quick How-to and/or an
expurgated config file. Is there a suitable Apache cookbook where such
recipes are collected?

Regards,
James.

>
> thanks
> Robert

Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

am 14.01.2003 11:27:58 von Mads Toftum

On Tue, Jan 14, 2003 at 11:06:56PM +1300, James Collier wrote:
> robert@rdcss.com wrote:
> >Are there any docs for setting this up?

It isn't any different than setting up with separate certs, just use the
same cert in each vhost.

> Not as such - I cooked the site up as a one-off, with the feeling that
> much of it came under the dirty hack classification (particularly as
> almost every mod-ssl document contains wording to the effect of "Don't
> ever ever ever under any circumstances try to use NBVHs with mod-ssl")
>
One problem being that it isn't fully supported by all browsers, and that
some people might argue that this is less secure. AFAICT only Thawte sells
wildcard certs.

> There's nothing particularly innovative or devious here - and I'm in the
> rare position of working with a smallish closed user group whose members
> are willing and competent to do some basic browser certificate management.
>
> But I suppose if people feel this set-up is legitimate, useful and
> non-trivial I ought to make time to write up a quick How-to and/or an
> expurgated config file. Is there a suitable Apache cookbook where such
> recipes are collected?
>
The documentation would be the obvious place IMHO - see
http://httpd.apache.org/docs-project/ - if you get the time to write
something, I can probably be convinced to commit it for the 2.x docs.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
