Multiple SSL VirtualHosts in apache

on 06.02.2003 02:01:36 by Steve Pirk

I checked the mail archives, but could not find a good
answer for this "problem" I am having.

I am building out a dev environment using apache
on Solaris. The dev environment needs to run under
SSL (to simulate the production environment). I am
starting with 4 virtual servers. They all use the
same cert file, but are on different ports.

The problem I am running into is that only the "first"
VirtualHost works. Requests to subsequent ports result
in a mod_ssl:error:HTTP-request error. Here is the error_log
entry:

[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
spoken on HTTPS port; trying to send HTML error page (OpenSSL library
error follows)
[Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS
port!?]

This is being used in conjunction with an auth package,
but the redirect after logging in is https://

Does anyone know of a good way to have multiple
SSL virtual servers on one apache instance?

Here is a sample of httpd.conf. In this case, port 7000
works, but 7001 and 7002 get the mod_ssl error.

  # (The <VirtualHost ...> / </VirtualHost> tags that wrapped each of the
  #  three blocks below did not survive the archive's rendering; only the
  #  directives inside them remain.)
  DocumentRoot /some/doc/root
  SSLEngine on
  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key

  DocumentRoot /some/doc/root
  SSLEngine on
  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key

  DocumentRoot /some/doc/root
  SSLEngine on
  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key

--
Steve (egrep)
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
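As an added example (not Steve's actual httpd.conf, whose VirtualHost tags did not survive the archive), this is what a port-based layout of the kind described above looks like: one plain-HTTP host whose redirect names the https scheme and the port explicitly, plus three SSL hosts on ports 7000-7002 sharing one certificate. The _default_ address, the name dev.example.com and the port-80 host are assumptions.

```apache
# Added example, not the original poster's configuration.
# Assumed: the _default_ address, ServerName dev.example.com, the port-80 host.
Listen 80
Listen 7000
Listen 7001
Listen 7002

# Plain-HTTP front door. The redirect target must carry both the https
# scheme and the port: a target of http://dev.example.com:7000/ would make
# the browser send a cleartext request to an SSL port, which mod_ssl logs
# as "SSL handshake failed: HTTP spoken on HTTPS port".
<VirtualHost _default_:80>
    ServerName dev.example.com
    Redirect permanent / https://dev.example.com:7000/
</VirtualHost>

# Three SSL virtual hosts told apart by port, all using the same cert/key.
<VirtualHost _default_:7000>
    ServerName dev.example.com
    DocumentRoot /some/doc/root
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>

<VirtualHost _default_:7001>
    ServerName dev.example.com
    DocumentRoot /some/doc/root
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>

<VirtualHost _default_:7002>
    ServerName dev.example.com
    DocumentRoot /some/doc/root
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>
```

Because every SSL host presents the same certificate, the browser's check is the same on each port: the certificate's common name must match dev.example.com, whichever port the client used.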

RE: Multiple SSL VirtualHosts in apache

on 19.02.2003 11:42:34 by Boyle Owen

>-----Original Message-----
>From: Steve Pirk [mailto:orion@deathcon.com]
>Sent: Thursday, 6 February 2003 02:02
>To: modssl-users@modssl.org
>Subject: Multiple SSL VirtualHosts in apache
>
>
>I checked the mail archives, but could not find a good
>answer for this "problem" I am having.
>
>I am building out a dev environment using apache
>on Solaris. The dev environment needs to run under
>SSL (to simulate the production environment). I am
>starting with 4 virtual servers. They all use the
>same cert file, but are on different ports.
>
>The problem I am running into is that only the "first"
>VirtualHost works. Requests to subsequent ports result
>in a mod_ssl:error:HTTP-request error. Here is the error_log
>entry:
>
>[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
>spoken on HTTPS port; trying to send HTML error page (OpenSSL library
>error follows)

This looks like you typed http://server:7001/ into the browser. You
still need to define https even if you have the port number, i.e.
https://server:7001/.

Can you confirm that if you do this, you still get an error?

Rgds,
Owen Boyle


>[Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
>routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
>HTTP to HTTPS
>port!?]
>
>This is being used in conjunction with an auth package,
>but the redirect after logging in is https://
>
>Does anyone know of a good way to have multiple
>SSL virtual servers on one apache instance?

The way you are doing it is fine. You just have a problem...

>
>Here is a sample of httpd.conf. In this case, port 7000
>works, but 7001 and 7002 get the mod_ssl error.
>
>
>  DocumentRoot /some/doc/root
>  SSLEngine on
>  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>
>  DocumentRoot /some/doc/root
>  SSLEngine on
>  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>
>  DocumentRoot /some/doc/root
>  SSLEngine on
>  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>
>--
>Steve (egrep)
>

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company.



Re: Multiple SSL VirtualHosts in apache

on 19.02.2003 16:19:36 by dufresne

The error you posted from logs implies the request the server is getting
is http rather than https, perhaps your redirect or rewrite is not
functioning properly?

Thanks,

Ron DuFresne

On Wed, 5 Feb 2003, Steve Pirk wrote:

> I checked the mail archives, but could not find a good
> answer for this "problem" I am having.
>
> I am building out a dev environment using apache
> on Solaris. The dev environment needs to run under
> SSL (to simulate the production environment). I am
> starting with 4 virtual servers. They all use the
> same cert file, but are on different ports.
>
> The problem I am running into is that only the "first"
> VirtualHost works. Requests to subsequent ports result
> in a mod_ssl:error:HTTP-request error. Here is the error_log
> entry:
>
> [Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
> spoken on HTTPS port; trying to send HTML error page (OpenSSL library
> error follows)
> [Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
> routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS
> port!?]
>
> This is being used in conjunction with an auth package,
> but the redirect after logging in is https://
>
> Does anyone know of a good way to have multiple
> SSL virtual servers on one apache instance?
>
> Here is a sample of httpd.conf. In this case, port 7000
> works, but 7001 and 7002 get the mod_ssl error.
>
>
>  DocumentRoot /some/doc/root
>  SSLEngine on
>  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>
>  DocumentRoot /some/doc/root
>  SSLEngine on
>  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>
>  DocumentRoot /some/doc/root
>  SSLEngine on
>  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>
> --
> Steve (egrep)
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!


Re: Multiple SSL VirtualHosts in apache

on 19.02.2003 16:26:45 by Cliff Woolley

On Wed, 5 Feb 2003, Steve Pirk wrote:

> They all use the same cert file, but are on different ports.

I'm not so sure you can do that. But anyway, assuming for a second that
you can:

> The problem I am running into is that only the "first"
> VirtualHost works. Requests to subsequent ports result
> in a mod_ssl:error:HTTP-request error. Here is the error_log
> entry:

Interesting. What version of Apache is this? If 1.3.x, what version of
mod_ssl? The mod_ssl:error:HTTP-request thing is supposed to be purely
internal; if it ever leaks out to the client, something is screwed up. I
found some odd cases a while back where you could set up redirections in
an odd way and it would do that, but I've forgotten the details and would
have to dig them up. What redirects are you doing? Any rewriterules?

--Cliff


RE: Multiple SSL VirtualHosts in apache

on 19.02.2003 18:02:01 by Ian Moon

I believe that I read somewhere that you must have a different
ip address for each ssl virtualhost.

Ian Moon

On Wed, 19 Feb 2003, Boyle Owen wrote:

> >-----Original Message-----
> >From: Steve Pirk [mailto:orion@deathcon.com]
> >Sent: Thursday, 6 February 2003 02:02
> >To: modssl-users@modssl.org
> >Subject: Multiple SSL VirtualHosts in apache
> >
> >
> >I checked the mail archives, but could not find a good
> >answer for this "problem" I am having.
> >
> >I am building out a dev environment using apache
> >on Solaris. The dev environment needs to run under
> >SSL (to simulate the production environment). I am
> >starting with 4 virtual servers. They all use the
> >same cert file, but are on different ports.
> >
> >The problem I am running into is that only the "first"
> >VirtualHost works. Requests to subsequent ports result
> >in a mod_ssl:error:HTTP-request error. Here is the error_log
> >entry:
> >
> >[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
> >spoken on HTTPS port; trying to send HTML error page (OpenSSL library
> >error follows)
>
> This looks like you typed http://server:7001/ into the browser. You
> still need to define https even if you have the port number, i.e.
> https://server:7001/.
>
> Can you confirm that if you do this, you still get an error?
>
> Rgds,
> Owen Boyle
>
>
> >[Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
> >routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
> >HTTP to HTTPS
> >port!?]
> >
> >This is being used in conjunction with an auth package,
> >but the redirect after logging in is https://
> >
> >Does anyone know of a good way to have multiple
> >SSL virtual servers on one apache instance?
>
> The way you are doing it is fine. You just have a problem...
>
> >
> >Here is a sample of httpd.conf. In this case, port 7000
> >works, but 7001 and 7002 get the mod_ssl error.
> >
> >
> >  DocumentRoot /some/doc/root
> >  SSLEngine on
> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
> >
> >  DocumentRoot /some/doc/root
> >  SSLEngine on
> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
> >
> >  DocumentRoot /some/doc/root
> >  SSLEngine on
> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
> >
> >--
> >Steve (egrep)
> >
>
>
>
>


RE: Multiple SSL VirtualHosts in apache

on 19.02.2003 19:29:54 by jacks

Please excuse the top post:

Ian or anyone, are you sure that a wildcard setup won't work....??? Just
getting ready to do a fresh install involving vhosts and this will become
an important issue.

Thanks!

At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
>I believe that I read somewhere that you must have a different
>ip address for each ssl virtualhost.
>
>Ian Moon
>
>On Wed, 19 Feb 2003, Boyle Owen wrote:
>
>> >-----Original Message-----
>> >From: Steve Pirk [mailto:orion@deathcon.com]
>> >Sent: Thursday, 6 February 2003 02:02
>> >To: modssl-users@modssl.org
>> >Subject: Multiple SSL VirtualHosts in apache
>> >
>> >
>> >I checked the mail archives, but could not find a good
>> >answer for this "problem" I am having.
>> >
>> >I am building out a dev environment using apache
>> >on Solaris. The dev environment needs to run under
>> >SSL (to simulate the production environment). I am
>> >starting with 4 virtual servers. They all use the
>> >same cert file, but are on different ports.
>> >
>> >The problem I am running into is that only the "first"
>> >VirtualHost works. Requests to subsequent ports result
>> >in a mod_ssl:error:HTTP-request error. Here is the error_log
>> >entry:
>> >
>> >[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
>> >spoken on HTTPS port; trying to send HTML error page (OpenSSL library
>> >error follows)
>>
>> This looks like you typed http://server:7001/ into the browser. You
>> still need to define https even if you have the port number, i.e.
>> https://server:7001/.
>>
>> Can you confirm that if you do this, you still get an error?
>>
>> Rgds,
>> Owen Boyle
>>
>>
>> >[Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
>> >routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
>> >HTTP to HTTPS
>> >port!?]
>> >
>> >This is being used in conjunction with an auth package,
>> >but the redirect after logging in is https://
>> >
>> >Does anyone know of a good way to have multiple
>> >SSL virtual servers on one apache instance?
>>
>> The way you are doing it is fine. You just have a problem...
>>
>> >
>> >Here is a sample of httpd.conf. In this case, port 7000
>> >works, but 7001 and 7002 get the mod_ssl error.
>> >
>> >
>> >  DocumentRoot /some/doc/root
>> >  SSLEngine on
>> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>> >
>> >  DocumentRoot /some/doc/root
>> >  SSLEngine on
>> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>> >
>> >  DocumentRoot /some/doc/root
>> >  SSLEngine on
>> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>> >
>> >--
>> >Steve (egrep)
>> >
>>
>>
>>
>>
>
>
>

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com

RE: Multiple SSL VirtualHosts in apache

on 19.02.2003 20:15:03 by dufresne

It's IP and/or port based. But, do remember, if port based then one is
serving only one cert, and the trouble is making sure the cert is
constructed in a fashion such that hostnames are not contained within the
CN and such. In this case, and others can correct me if I'm wrong here,
you would need to generate the cert on the IP rather than the FQDN. And I'm
not sure openssl allows such a cert, but others might well be better clued
than I on this.

Thanks,

Ron DuFresne

On Wed, 19 Feb 2003, Jack L. Stone wrote:

> Please excuse the top post:
>
> Ian or anyone, are you sure that a wildcard setup won't work....??? Just
> getting ready to do a fresh install involving vhosts and this will become
> an important issue.
>
> Thanks!
>
> At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
> >I believe that I read somewhere that you must have a different
> >ip address for each ssl virtualhost.
> >
> >Ian Moon
> >
> >On Wed, 19 Feb 2003, Boyle Owen wrote:
> >
> >> >-----Original Message-----
> >> >From: Steve Pirk [mailto:orion@deathcon.com]
> >> >Sent: Thursday, 6 February 2003 02:02
> >> >To: modssl-users@modssl.org
> >> >Subject: Multiple SSL VirtualHosts in apache
> >> >
> >> >
> >> >I checked the mail archives, but could not find a good
> >> >answer for this "problem" I am having.
> >> >
> >> >I am building out a dev environment using apache
> >> >on Solaris. The dev environment needs to run under
> >> >SSL (to simulate the production environment). I am
> >> >starting with 4 virtual servers. They all use the
> >> >same cert file, but are on different ports.
> >> >
> >> >The problem I am running into is that only the "first"
> >> >VirtualHost works. Requests to subsequent ports result
> >> >in a mod_ssl:error:HTTP-request error. Here is the error_log
> >> >entry:
> >> >
> >> >[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
> >> >spoken on HTTPS port; trying to send HTML error page (OpenSSL library
> >> >error follows)
> >>
> >> This looks like you typed http://server:7001/ into the browser. You
> >> still need to define https even if you have the port number, i.e.
> >> https://server:7001/.
> >>
> >> Can you confirm that if you do this, you still get an error?
> >>
> >> Rgds,
> >> Owen Boyle
> >>
> >>
> >> >[Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
> >> >routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
> >> >HTTP to HTTPS
> >> >port!?]
> >> >
> >> >This is being used in conjunction with an auth package,
> >> >but the redirect after logging in is https://
> >> >
> >> >Does anyone know of a good way to have multiple
> >> >SSL virtual servers on one apache instance?
> >>
> >> The way you are doing it is fine. You just have a problem...
> >>
> >> >
> >> >Here is a sample of httpd.conf. In this case, port 7000
> >> >works, but 7001 and 7002 get the mod_ssl error.
> >> >
> >> >
> >> >  DocumentRoot /some/doc/root
> >> >  SSLEngine on
> >> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> >> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
> >> >
> >> >  DocumentRoot /some/doc/root
> >> >  SSLEngine on
> >> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> >> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
> >> >
> >> >  DocumentRoot /some/doc/root
> >> >  SSLEngine on
> >> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> >> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
> >> >
> >> >--
> >> >Steve (egrep)
> >> >
> >>
> >>
> >>
> >>
> >
> >
> >
>
> Best regards,
> Jack L. Stone,
> Administrator
>
> Sage American
> http://www.sage-american.com
> jacks@sage-american.com
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!


Re: Multiple SSL VirtualHosts in apache

on 19.02.2003 23:31:01 by Steve Pirk

Yeah, we had it slightly misconfigured. Now that I think
about it, I cannot remember the exact fix. I will look
over the httpd.conf file.

Thanks!
--
Steve (egrep)

On Wed, 19 Feb 2003, R. DuFresne wrote:

>
> The error you posted from logs implies the request the server is getting
> is http rather than https, perhaps your redirect or rewrite is not
> functioning properly?
>
> Thanks,
>
> Ron DuFresne
>
> On Wed, 5 Feb 2003, Steve Pirk wrote:
>
> > I checked the mail archives, but could not find a good
> > answer for this "problem" I am having.
> >
> > I am building out a dev environment using apache
> > on Solaris. The dev environment needs to run under
> > SSL (to simulate the production environment). I am
> > starting with 4 virtual servers. They all use the
> > same cert file, but are on different ports.
> >
> > The problem I am running into is that only the "first"
> > VirtualHost works. Requests to subsequent ports result
> > in a mod_ssl:error:HTTP-request error. Here is the error_log
> > entry:
> >
> > [Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
> > spoken on HTTPS port; trying to send HTML error page (OpenSSL library
> > error follows)
> > [Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
> > routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS
> > port!?]
> >
> > This is being used in conjunction with an auth package,
> > but the redirect after logging in is https://
> >
> > Does anyone know of a good way to have multiple
> > SSL virtual servers on one apache instance?
> >
> > Here is a sample of httpd.conf. In this case, port 7000
> > works, but 7001 and 7002 get the mod_ssl error.
> >
> >
> >  DocumentRoot /some/doc/root
> >  SSLEngine on
> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
> >
> >  DocumentRoot /some/doc/root
> >  SSLEngine on
> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
> >
> >  DocumentRoot /some/doc/root
> >  SSLEngine on
> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
> >
> > --
> > Steve (egrep)
> >
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: sysinfo.com
> http://sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation."
> -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>

RE: Multiple SSL VirtualHosts in apache

on 20.02.2003 09:16:52 by Boyle Owen

>-----Original Message-----
>From: R. DuFresne [mailto:dufresne@sysinfo.com]
>
>It's IP and/or port based. But, do remember, if port based then one is
>serving only one cert, and the trouble is making sure the cert is
>constructed in a fashion such that hostnames are not contained
>within the CN and such. In this case, and others can correct me if I'm
>wrong here, you would need to generate the cert on the IP rather than
>the FQDN. And I'm not sure openssl allows such a cert, but others might
>well be better clued than I on this.

A server cert bound to an IP address wouldn't make much sense (not sure
if you can even do it).

The thing to remember is that SSL is about two things - encryption and
authentication. For encryption to work you just need to send the
server's public key to the client - the hostname is not important.
However, for the authentication aspect, it is essential that the
common name in the server cert matches the FQDN in the client request.
Put it another way, you surf to amazon.com and are about to type in your
credit card number but then you look inside the server cert and see that
it is registered to "shady-character.com". Do you still send your card
number? This is why browsers always complain when you use a test or
self-signed certificate if the CN doesn't match the FQDN.

So, while you can have an encrypted session with an untrusted server, in
the real world it doesn't make much sense to do so. Encryption is
sending your money to the bank in an armoured car, authentication is
making sure the armoured car actually goes to the bank.

Rgds,
Owen Boyle

>
>Thanks,
>
>Ron DuFresne
>
>On Wed, 19 Feb 2003, Jack L. Stone wrote:
>
>> Please excuse the top post:
>>
>> Ian or anyone, are you sure that a wildcard setup won't work....??? Just
>> getting ready to do a fresh install involving vhosts and this will become
>> an important issue.
>>
>> Thanks!
>>
>> At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
>> >I believe that I read somewhere that you must have a different
>> >ip address for each ssl virtualhost.
>> >
>> >Ian Moon
>> >
>> >On Wed, 19 Feb 2003, Boyle Owen wrote:
>> >
>> >> >-----Original Message-----
>> >> >From: Steve Pirk [mailto:orion@deathcon.com]
>> >> >Sent: Thursday, 6 February 2003 02:02
>> >> >To: modssl-users@modssl.org
>> >> >Subject: Multiple SSL VirtualHosts in apache
>> >> >
>> >> >
>> >> >I checked the mail archives, but could not find a good
>> >> >answer for this "problem" I am having.
>> >> >
>> >> >I am building out a dev environment using apache
>> >> >on Solaris. The dev environment needs to run under
>> >> >SSL (to simulate the production environment). I am
>> >> >starting with 4 virtual servers. They all use the
>> >> >same cert file, but are on different ports.
>> >> >
>> >> >The problem I am running into is that only the "first"
>> >> >VirtualHost works. Requests to subsequent ports result
>> >> >in a mod_ssl:error:HTTP-request error. Here is the error_log
>> >> >entry:
>> >> >
>> >> >[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
>> >> >spoken on HTTPS port; trying to send HTML error page (OpenSSL library
>> >> >error follows)
>> >>
>> >> This looks like you typed http://server:7001/ into the browser. You
>> >> still need to define https even if you have the port number, i.e.
>> >> https://server:7001/.
>> >>
>> >> Can you confirm that if you do this, you still get an error?
>> >>
>> >> Rgds,
>> >> Owen Boyle
>> >>
>> >>
>> >> >[Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
>> >> >routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
>> >> >HTTP to HTTPS
>> >> >port!?]
>> >> >
>> >> >This is being used in conjunction with an auth package,
>> >> >but the redirect after logging in is https://
>> >> >
>> >> >Does anyone know of a good way to have multiple
>> >> >SSL virtual servers on one apache instance?
>> >>
>> >> The way you are doing it is fine. You just have a problem...
>> >>
>> >> >
>> >> >Here is a sample of httpd.conf. In this case, port 7000
>> >> >works, but 7001 and 7002 get the mod_ssl error.
>> >> >
>> >> >
>> >> >  DocumentRoot /some/doc/root
>> >> >  SSLEngine on
>> >> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>> >> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>> >> >
>> >> >  DocumentRoot /some/doc/root
>> >> >  SSLEngine on
>> >> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>> >> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>> >> >
>> >> >  DocumentRoot /some/doc/root
>> >> >  SSLEngine on
>> >> >  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>> >> >  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>> >> >
>> >> >--
>> >> >Steve (egrep)
>
> Best regards,
> Jack L. Stone,
> Administrator
>
> Sage American
> http://www.sage-american.com
> jacks@sage-american.com

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!


RE: Multiple SSL VirtualHosts in apache

am 20.02.2003 14:47:47 von jackstone

Owen's reply is more in line with what I thought. In applying for my Cert,
I provided docs to prove ownership of the www.domain, addresses and some
other stuff. When clicking on the website, the Cert requested must match
the domain requested -- nothing about IPs has ever been involved.

This is why the post about IPs caught my attention and I wondered if I was
behind the times. I'm applying for a renewal now and again it's all about
the www.domain and nothing is entered into the cert about the IP verification.

Then, there is the question of a wildcard cert which I understand can be
used for several vhosts without setting off alarms on the browser.

If there is anyone who would be willing to share with me their httpd.conf
setup when using vhosting, I would be forever grateful. Offlist would be
fine if needed for privacy.

Thanks.....

>>
>>It's IP and/or port based. But, do remember, if port based then one is
>>serving only one cert, and the trouble is making sure the cert is
>>constructed in a fashion such that hostnames are not contained
>>within the CN and such. In this case, and others can correct me if I'm
>>wrong here, you would need to generate the cert on the IP rather than
>>FQDN. And I'm not sure openssl allows such a cert, but others might well
>>be better clued than I on this.
>
>A server cert bound to an IP address wouldn't make much sense (not sure if
>you can even do it).
>
>The thing to remember is that SSL is about two things - encryption and
>authentication. For encryption to work you just need to send the server's
>public key to the client - the hostname is not important. However, for the
>authentication aspect, it is essential that the common name in the
>server cert matches the FQDN in the client request. Put it another way, you
>surf to amazon.com and are about to type in your credit card number but
>then you look inside the server cert and see that it is registered to
>"shady-character.com". Do you still send your card number? This is why
>browsers always complain when you use a test or self signed certificate if
>the CN doesn't match the FQDN.
>
>So, while you can have an encrypted session with an untrusted server, in
>the real world it doesn't make much sense to do so. Encryption is sending
>your money to the bank in an armoured car, authentication is making sure
>the armoured car actually goes to the bank.
>
>Rgds,
>Owen Boyle
>
>>
>>Thanks,
>>
>>Ron DuFresne
>>
>>On Wed, 19 Feb 2003, Jack L. Stone wrote:
>>
>>> Please excuse the top post:
>>>
>>> Ian or anyone, are you sure that a wildcard setup won't work....??? Just
>>> getting ready to do a fresh install involving vhosts and this will become
>>> an important issue.
>>>
>>> Thanks!
>>>
>>> At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
>>> >I believe that I read somewhere that you must have a different
>>> >ip address for each ssl virtualhost.
>>> >
>>> >Ian Moon
>>> >
>>> >On Wed, 19 Feb 2003, Boyle Owen wrote:

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
jackstone@sage-one.net

RE: Multiple SSL VirtualHosts in apache

am 20.02.2003 15:21:49 von Boyle Owen

>-----Original Message-----
>From: Jack L. Stone [mailto:jackstone@sage-one.net]
>
>Then, there is the question of a wildcard cert which I
>understand can be
>used for several vhosts without setting off alarms on the browser.

Search the archives for posts about wildcards - this comes up from time
to time and a few weeks ago John Airey gave a good summary of the
situation (basically, they're getting harder and harder to get).

>If there is anyone who would be willing to share with me their
>httpd.conf setup when using vhosting, I would be forever grateful.

It's no mystery - you just need to ensure that the different VHs are
distinguished at the TCP/IP layer (i.e. only one VH per IP/port number
pair). You cannot use application layer attributes (such as the Host
header) to define VHs because the SSL channel must be established before
any application layer traffic occurs.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

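Two small checks that make the thread's two technical points concrete, as an added example (not code from the thread, from Apache or from mod_ssl). The first classifies the opening bytes of an accepted connection the way an SSL listener does, which is the decision behind the "HTTP spoken on HTTPS port" log entry Steve quoted when a browser is pointed at http://server:7001/ instead of https://server:7001/. The second parses a constructed httpd.conf fragment and flags IP/port pairs that carry more than one SSL-enabled VirtualHost, the layout Owen says cannot work because the SSL channel is established before any Host header is seen. The function names, the VHost record and the sample configs (10.0.0.5, example.test hostnames) are assumptions made for this example.

```python
import re
from collections import defaultdict
from typing import List, NamedTuple, Tuple

# --- 1. What an SSL listener sees first ---------------------------------------
# mod_ssl's "HTTP spoken on HTTPS port" error comes from OpenSSL inspecting the
# first bytes of a connection and finding an ASCII request line where a
# ClientHello should be. classify_first_bytes mirrors that decision.

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'sslv2-hello', 'http' or 'unknown' for the first bytes
    read from an accepted socket (constructed classifier, not OpenSSL's)."""
    if len(data) < 3:
        return "unknown"
    # SSLv3/TLS: record type 0x16 (handshake), major version byte 0x03.
    if data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    # SSLv2-compatible ClientHello (what 2003-era browsers sent): the record
    # header has its high bit set and the message type byte is 0x01.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-hello"
    # Plaintext HTTP: a method token followed by a space.
    if any(data.startswith(m + b" ") for m in HTTP_METHODS):
        return "http"
    return "unknown"


# --- 2. One SSL VirtualHost per IP/port pair ----------------------------------

class VHost(NamedTuple):
    addr: str
    port: str
    servername: str
    ssl: bool


VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf: str) -> List[VHost]:
    """Minimal <VirtualHost> parser (assumption: one address spec per block)."""
    hosts = []
    for m in VHOST_RE.finditer(conf):
        spec, body = m.group(1).strip(), m.group(2)
        addr, sep, port = spec.rpartition(":")
        if not sep:                      # no port given: applies to every Listen port
            addr, port = spec, "*"
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        ssl = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I) is not None
        hosts.append(VHost(addr, port, name.group(1) if name else "", ssl))
    return hosts


def find_ssl_vhost_conflicts(conf: str) -> List[Tuple[str, str]]:
    """IP/port pairs carrying more than one SSL-enabled VirtualHost. The server
    must pick a certificate before it has seen any Host header, so only the
    first such block on a pair is ever served with the intended cert."""
    by_pair = defaultdict(list)
    for vh in parse_vhosts(conf):
        if vh.ssl:
            by_pair[(vh.addr, vh.port)].append(vh.servername)
    return sorted(pair for pair, names in by_pair.items() if len(names) > 1)


# Constructed sample configs (not from the thread); cert paths follow Steve's.
SAMPLE_OK = """
<VirtualHost 10.0.0.5:7000>
    ServerName dev1.example.test
    SSLEngine on
    SSLCertificateFile /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>
<VirtualHost 10.0.0.5:7001>
    ServerName dev2.example.test
    SSLEngine on
    SSLCertificateFile /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>
"""

SAMPLE_BAD = """
<VirtualHost 10.0.0.5:443>
    ServerName shop.example.test
    SSLEngine on
</VirtualHost>
<VirtualHost 10.0.0.5:443>
    ServerName mail.example.test
    SSLEngine on
</VirtualHost>
<VirtualHost 10.0.0.5:80>
    ServerName shop.example.test
</VirtualHost>
"""

if __name__ == "__main__":
    print(classify_first_bytes(b"GET / HTTP/1.0\r\n"))   # http
    print(find_ssl_vhost_conflicts(SAMPLE_OK))            # []
    print(find_ssl_vhost_conflicts(SAMPLE_BAD))           # [('10.0.0.5', '443')]
```

Owen's rule was exact for the mod_ssl of 2003. TLS Server Name Indication (SNI), which Apache supports from 2.2.12 with OpenSSL 0.9.8j or later, puts the hostname inside the ClientHello, so for servers and clients that both support SNI the conflict check above is stricter than necessary; the plaintext-on-SSL-port classification is unchanged.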

RE: Multiple SSL VirtualHosts in apache

am 20.02.2003 15:47:28 von dufresne

Yes, and thanks to Owen for rounding out our, mine and yours, knowledge
levels on this. I seem to have forgotten the FQDN is what the browsing
public is used to for web traversals. Few fall back to IPs even in times
when DNS is borked. I get firewall-1 licensing issues and cert issues
confused at times. Hopefully I did not mislead anyone.

Thanks,

Ron DuFresne

On Thu, 20 Feb 2003, Jack L. Stone wrote:

> Owen's reply is more in line with what I thought. In applying for my Cert,
> I provided docs to prove ownership of the www.domain, addresses and some
> other stuff. When clicking on the website, the Cert requested must match
> the domain requested -- nothing about IPs has ever been involved.
>
> This is why the post about IPs caught my attention and I wondered if I was
> behind the times. I'm applying for a renewal now and again it's all about
> the www.domain and nothing is entered into the cert about the IP verification.
>
> Then, there is the question of a wildcard cert which I understand can be
> used for several vhosts without setting off alarms on the browser.
>
> If there is anyone who would be willing to share with me their httpd.conf
> setup when using vhosting, I would be forever grateful. Offlist would be
> fine if needed for privacy.
>
> Thanks.....

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!
