virtual hosting
on 21.08.2003 04:09:02 by Ian Newlands
I am currently running about 15 virtual hosts using name based on port 80,
and 1 virtual host using SSL.
My SSL host is currently working with the following:
However I want to change this to the IP based hosting for this host,
allowing me to then add more SSL based virtual hosts on this setup, so I
tried changing this to the following:
By doing this my SSL virtual host stops working altogether.
I try the following to debug it on a remote machine:
# openssl s_client -connect 203.xxx.xxx.xxx:443
CONNECTED(00000003)
27604:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:
I do the exact same thing on the local machine and it responds with a valid
SSL response.
Can anyone suggest what might be wrong here?
Regards,
Ian Newlands
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: virtual hosting
on 21.08.2003 05:58:48 by Dave Paris
geeze. is it that time of the month already for this question? seems
like it was just yesterday when it was asked last .. maybe I'm just
thinking of the other 100,000 times it was asked.
in all seriousness, this dead horse has been beaten so many times on
this list there isn't even a carcass left to hit at this point. please
go dig through the mail list archives to see why name-based virtual
hosts don't work with SSL.
yes, that's a flippant answer. no, you're not likely to get a reply
any more serious.
-dsp
Re: virtual hosting
on 22.08.2003 12:32:21 by Kiyoshi Watanabe
Hello,
> I am currently running about 15 virtual hosts using name based on port 80,
> and 1 virtual host using SSL.
I assume that you have only one virtual host for SSL in your conf.
> My SSL host is currently working with the following:
>
>
>
> However I want to change this to the IP based hosting for this host,
> I tried changing this to the following:
>
>
>
> By doing this my SSL virtual host stops working altogether.
>
> I try the following to debug it on a remote machine:
>
> # openssl s_client -connect 203.xxx.xxx.xxx:443
> CONNECTED(00000003)
> 27604:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:
I have seen similar problems several times. From my little experience, this
happens when you access the virtual host where the sslengine is not
on.
This is probably caused by:
1) You do not specify the SSL engine on in the directive.
(Probably not because you just changed from _default_:443)
2) Your virtual host is not working (happens when you try to have multiple
ssl hosts). But it even happens when you set a different IP from the
one in your inet addr (even if you have one virtual host).
3) You have several ethernet HWs working and, for example, use eth0 for the
openssl command and eth1 for ssl.conf.
> Can anyone suggest what might be wrong here?
I can only tell that xxx.xxx.xxx parts of your two IP addresses are
probably not set correctly. If you could tell exact info on the conf
and ifconfig, I may be able to suggest more.
-Kiyoshi
Kiyoshi Watanabe
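The three causes listed in the reply above can be checked against a configuration before touching the network. The following is an added example, not part of any message in this thread and not mod_ssl code: it uses a simplified model of Apache's IP-based virtual host selection (exact address, then `_default_`/`*`, then the main server), and the configuration, addresses and host names are constructed placeholders.

```python
import re

# Constructed sample config; addresses are documentation-range placeholders.
SAMPLE_CONF = """
Listen 443
<VirtualHost 203.0.113.10:443>
    ServerName secure.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost 203.0.113.11:443>
    ServerName basket.example.com
</VirtualHost>
"""

VHOST_RE = re.compile(
    r"<VirtualHost\s+([^\s>:]+):(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return [(addr, port, ssl_on)] for each <VirtualHost addr:port> block."""
    vhosts = []
    for addr, port, body in VHOST_RE.findall(conf):
        ssl_on = re.search(r"^\s*SSLEngine\s+on\s*$", body, re.M | re.I) is not None
        vhosts.append((addr, int(port), ssl_on))
    return vhosts

def speaks_tls(vhosts, local_ip, port, main_ssl=False):
    """Simplified selection: exact address, then _default_/*, then main server."""
    for addr, p, ssl_on in vhosts:
        if p == port and addr == local_ip:
            return ssl_on
    for addr, p, ssl_on in vhosts:
        if p == port and addr in ("_default_", "*"):
            return ssl_on
    return main_ssl  # main server: SSLEngine is off unless configured otherwise

def audit(conf, local_ips, port=443):
    """Map each local address to what a client connecting to it on `port` gets."""
    vhosts = parse_vhosts(conf)
    return {ip: ("tls" if speaks_tls(vhosts, ip, port) else "plain-http")
            for ip in local_ips}

if __name__ == "__main__":
    # Feed in the addresses actually bound to the interfaces (from ifconfig).
    for ip, proto in audit(SAMPLE_CONF,
                           ["203.0.113.10", "203.0.113.11", "203.0.113.12"]).items():
        print(ip, proto)
```

Any address reported as `plain-http` answers a ClientHello on port 443 with unencrypted HTTP, which is what `openssl s_client` reports as `unknown protocol`.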
RE: virtual hosting
on 22.08.2003 15:03:36 by John.Boocock
Although I'm sure that most people get quite bored and frustrated about
questions on virtual hosting that have appeared countless times in the
archives I don't think I've ever noticed what I was wondering being
answered.
If you had a wildcard certificate which worked for *.domain.com, would name
virtual hosting be possible then assuming that all your virtual hosts were
things like "secure.domain.com" and "basket.domain.com" as they are actually
all using the same wildcard certificate for the SSL handshake.
If anyone could answer that, it would be great and potentially save some
messing when it comes to IP addresses.
Cheers
JB
Re: virtual hosting
on 25.08.2003 16:35:09 by Kiyoshi Watanabe
Hi John,
> If you had a wildcard certificate which worked for *.domain.com, would name
> virtual hosting be possible then assuming that all your virtual hosts were
> things like "secure.domain.com" and "basket.domain.com" as they are actually
> all using the same wildcard certificate for the SSL handshake.
I think that it is possible as long as each domain name of your
virtual hosts has the IP address associated with the inet address.
I believe that the wildcard certificate and domain names are a client
side issue. The browser will check the dn in the URL and certificate. I do
not know whether IE still accepts this certificate or not.
If there are any issues on the server side, I want to know them.
-Kiyoshi
Kiyoshi Watanabe
RE: virtual hosting
on 01.09.2003 16:56:06 by John.Airey
> -----Original Message-----
> From: Boocock, John (Academy) [mailto:John.Boocock@capita.co.uk]
> Sent: 22 August 2003 14:04
> To: 'modssl-users@modssl.org'
> Subject: RE: virtual hosting
>
>
> Although I'm sure that most people get quite bored and frustrated about
> questions on virtual hosting that have appeared countless times in the
> archives I don't think I've ever noticed what I was wondering being
> answered.
>
> If you had a wildcard certificate which worked for *.domain.com, would name
> virtual hosting be possible then assuming that all your virtual hosts were
> things like "secure.domain.com" and "basket.domain.com" as they are actually
> all using the same wildcard certificate for the SSL handshake.
>
> If anyone could answer that, it would be great and potentially save some
> messing when it comes to IP addresses.
>
> Cheers
>
> JB
>
I'd have thought you'd have found an answer from me in the archives (or
perhaps in the openssl archives).
Yes, you can use wildcard certificates. It is possible to use them on the
same IP address and port and it works (this is from memory of what those who
use this method have written).
However:
1. CAs have got wise to wildcard certificates and charge a couple of limbs
for the privilege of using them.
2. There's no guarantee that IE will support it and Microsoft may well break
support for it again.
If you are doing this on a "private" network, probably neither of the above
will affect you.
-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk
The trouble with postmodernism isn't just that no-one actually believes in
it, but no-one can believe in it.