SSL and Virtual hosts

on 20.02.2004 11:18:10 by Svein.Seldal

Hello,

I have this server on which I'm going to run several virtual hosts. The
servers are for this example named test1, test2 and test3.

The server listens on two IPs: .10 and .11. Servers test1 and test2
should listen on IP .10, and test3 on IP .11.

The server certificate for test1 and test3 is presented correctly, as it
should be. However, the server test2 certificate is not. It presents the
test1 certificate (probably because of the shared IP address) instead of
the correct test2 one - which in turn makes the clients pop up a warning
about the request because the certificate is not issued to the correct
name ("- The server's name "test2.mydomain.org" does not match the
certificate's name "test1.mydomain.org". Somebody may be trying to
eavesdrop on you.")

Is there a way to make it present the correct certificate for the
correctly named server (on the same IP)?

I'm running Debian testing latest versions on a i686:
Server Version: Apache/1.3.29 Ben-SSL/1.52 (Debian GNU/Linux)
debian versions: apache-ssl 1.3.29.0.1-5

Regards,
Svein Seldal




Part of my httpd.conf:
----------------------

SSLDisable
SSLVerifyClient 2
.....my other SSL settings....

Listen 192.168.0.10:443
Listen 192.168.0.11:443
NameVirtualHost 192.168.0.10:443
NameVirtualHost 192.168.0.11:443

<VirtualHost 192.168.0.10:443>
    ServerName test1.mydomain.org
    SSLEnable
    SSLRequireSSL
    SSLCertificateFile /path/test1.crt
    SSLCertificateKeyFile /path/test1.key
    SSLCACertificateFile /path/test1_okaccess.crt
    .....other HTML definitions....
</VirtualHost>

<VirtualHost 192.168.0.10:443>
    ServerName test2.mydomain.org
    SSLEnable
    SSLRequireSSL
    SSLCertificateFile /path/test2.crt
    SSLCertificateKeyFile /path/test2.key
    SSLCACertificateFile /path/test2_okaccess.crt
    .....other HTML definitions....
</VirtualHost>

<VirtualHost 192.168.0.11:443>
    ServerName test3.mydomain.org
    SSLEnable
    SSLRequireSSL
    SSLCertificateFile /path/test3.crt
    SSLCertificateKeyFile /path/test3.key
    SSLCACertificateFile /path/test3_okaccess.crt
    .....other HTML definitions....
</VirtualHost>


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
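The apache-ssl 1.3 build in the post has no way to pick a certificate by host name, but Apache httpd with mod_ssl 2.2.12 or later (and an OpenSSL built with TLS extensions) can do name-based HTTPS hosting through Server Name Indication. The following is an added example of the same three vhosts written for such a build; it is not Svein's configuration, has not been tested against apache-ssl, and leaves out his client-certificate directives (SSLVerifyClient, SSLCACertificateFile). Host names, addresses and certificate paths are those from the post; SSLStrictSNIVHostCheck is a mod_ssl directive assumed available in the target version.

```apache
Listen 192.168.0.10:443
Listen 192.168.0.11:443

# First vhost on .10 is the default: it is what a client that sends no
# SNI (or an unknown name) gets on this socket, so test1 deliberately
# goes first.
<VirtualHost 192.168.0.10:443>
    ServerName test1.mydomain.org
    SSLEngine on
    SSLCertificateFile    /path/test1.crt
    SSLCertificateKeyFile /path/test1.key
</VirtualHost>

<VirtualHost 192.168.0.10:443>
    ServerName test2.mydomain.org
    SSLEngine on
    SSLCertificateFile    /path/test2.crt
    SSLCertificateKeyFile /path/test2.key
    # A client without SNI would have completed the handshake against
    # test1's certificate and only then sent "Host: test2.mydomain.org";
    # refuse it instead of serving this vhost under the wrong certificate.
    SSLStrictSNIVHostCheck on
</VirtualHost>

# .11 has a single vhost, so SNI is not needed there.
<VirtualHost 192.168.0.11:443>
    ServerName test3.mydomain.org
    SSLEngine on
    SSLCertificateFile    /path/test3.crt
    SSLCertificateKeyFile /path/test3.key
</VirtualHost>
```

NameVirtualHost is not needed for this in Apache 2.4 (it is accepted but ignored there); on 2.2 keep the NameVirtualHost lines from the post for both sockets.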

Re: SSL and Virtual hosts

on 20.02.2004 11:22:35 by Mads Toftum

On Fri, Feb 20, 2004 at 11:18:10AM +0100, Svein E. Seldal wrote:
> I'm running Debian testing latest versions on a i686:
> Server Version: Apache/1.3.29 Ben-SSL/1.52 (Debian GNU/Linux)
> debian versions: apache-ssl 1.3.29.0.1-5
>
You're asking on the wrong list then - this is the mod_ssl list, while
you're running apache-ssl which lives at http://www.apache-ssl.org/

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall


RE: SSL and Virtual hosts

on 20.02.2004 11:34:28 by Boyle Owen

> -----Original Message-----
> From: Mads Toftum [mailto:mads@toftum.dk]
> > Server Version: Apache/1.3.29 Ben-SSL/1.52 (Debian GNU/Linux)
> > debian versions: apache-ssl 1.3.29.0.1-5
> >
> You're asking on the wrong list then - this is the mod_ssl list, while
> you're running apache-ssl which lives at http://www.apache-ssl.org/

Of course you're right, but since it's a Friday and since this is the
number one Frequently Made Mistake on SSL and since it applies equally
to apache-ssl, mod_ssl or any other implementation of SSL:

You are trying to do name-based virtual-hosting with SSL. You can't.
It's not an apache problem, it's a fundamental limitation of the HTTPS
protocol. See http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 for the
mod_ssl explanation. Probably apache-ssl will have a similar FAQ.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

This e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company.


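The limitation Owen describes is that the server must choose a certificate before it has seen the HTTP Host header, so on a shared IP it can only send the first vhost's certificate. Server Name Indication (RFC 6066, first specified in RFC 3546 and not available in the apache-ssl build above) fixes that by carrying the host name inside the TLS ClientHello. As an added example, not code from the thread or from apache-ssl/mod_ssl, the Python below builds a ClientHello with and without SNI, parses the name back out, and applies the vhost selection rule a name-based HTTPS server uses: SNI match if present, otherwise the first vhost on that socket, which reproduces exactly the test1-instead-of-test2 behaviour Svein reports. Host names, addresses and certificate paths are taken from the post; the vhost table and the handshake bytes are constructed for this example.

```python
"""Why name-based HTTPS vhosts need SNI: build and parse a TLS ClientHello
and pick the certificate the way a name-based server has to.
Vhost table and handshake bytes are constructed for this example."""
import struct

# Constructed table mirroring the post's httpd.conf.  Order matters: the
# first vhost on a listen socket is the default (what Apache picks when
# it cannot match a name), which is why test2 clients got test1's cert.
VHOSTS = [
    ("192.168.0.10:443", "test1.mydomain.org", "/path/test1.crt"),
    ("192.168.0.10:443", "test2.mydomain.org", "/path/test2.crt"),
    ("192.168.0.11:443", "test3.mydomain.org", "/path/test3.crt"),
]


def build_client_hello(server_name=None):
    """Return a TLS 1.2 ClientHello record, with an SNI extension
    (extension type 0, name type host_name = 0) if server_name is given."""
    body = b"\x03\x03" + bytes(32)       # client_version, 32-byte random (zeros: constructed)
    body += b"\x00"                      # session_id: length 0
    body += b"\x00\x02\xc0\x2f"          # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                  # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # ServerName{host_name, len, name}
        sni = struct.pack("!H", len(sni_list)) + sni_list          # ServerNameList length prefix
        exts += struct.pack("!HH", 0, len(sni)) + sni              # extension_type 0 + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_sni(record):
    """Extract the SNI host_name from a ClientHello record, or None if the
    client sent no SNI (the case every pre-SNI browser in 2004 falls into)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32                 # record header, handshake header, version, random
    pos += 1 + record[pos]               # session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                    # cipher_suites
    pos += 1 + record[pos]               # compression_methods
    if pos >= len(record):
        return None                      # no extensions block at all
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                   # server_name extension
            p = pos + 2                  # skip ServerNameList length
            name_type = record[p]
            name_len = struct.unpack("!H", record[p + 1:p + 3])[0]
            if name_type == 0:           # host_name
                return record[p + 3:p + 3 + name_len].decode("ascii")
        pos += elen
    return None


def select_certificate(listen, record):
    """Certificate a name-based vhost server can send for this handshake:
    the SNI match if there is one, else the default (first) vhost on the
    socket.  The Host header is not available yet, so nothing else is."""
    name = parse_sni(record)
    candidates = [v for v in VHOSTS if v[0] == listen]
    if not candidates:
        raise LookupError("no vhost listens on " + listen)
    for _, host, cert in candidates:
        if name == host:
            return cert
    return candidates[0][2]


if __name__ == "__main__":
    # Pre-SNI client asking for test2: only the default cert is possible.
    print(select_certificate("192.168.0.10:443", build_client_hello()))
    # SNI-aware client: the right certificate on the shared address.
    print(select_certificate("192.168.0.10:443", build_client_hello("test2.mydomain.org")))
```

To run the same check against a live server, compare `openssl s_client -connect 192.168.0.10:443 -servername test2.mydomain.org` with the same command without `-servername` and read the `subject=` line of the certificate each one returns; a server that ignores SNI hands back test1's certificate both times, while an SNI-capable one returns test2's only for the first command.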