Apache2, modssl and wildcard certificate

on 14.11.2007 08:33:11 by Wim Sturkenboom

Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.8e DAV/2 PHP/5.2.3


Not sure if this belongs here or in another mailing list (apache). I
would like to know how I can set up subdomains with a wildcard certificate.

1)
Originally I had a couple of websites with ssl (https), each site with
its own ip-address and its own certificate. In an attempt to save on
IP-addresses, I thought that subdomains and a wildcard certificate would
allow me to use one ip-address (and therefore name-based virtual
hosting).
Is this the correct assumption? If it's correct, please read on. If this
is not correct, what to do to get it working?

2)
I've created a self-signed wildcard certificate. When I (re)start
apache, the following warnings occur:

[Wed Nov 14 07:34:33 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:33 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:33 2007] [warn] Init: SSL server IP/port conflict: cc.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:52) vs. tac.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:79)
[Wed Nov 14 07:34:33 2007] [warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!
[Wed Nov 14 07:34:33 2007] [notice] Digest: generating secret for digest authentication ...
[Wed Nov 14 07:34:33 2007] [notice] Digest: done
[Wed Nov 14 07:34:34 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:34 2007] [warn] RSA server certificate CommonName (CN) `*.lbtd-techweb01' does NOT match server name!?
[Wed Nov 14 07:34:34 2007] [warn] Init: SSL server IP/port conflict: cc.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:52) vs. tac.lbtd-techweb01:443 (/etc/httpd/extra/httpd-ssl.conf:79)


How do I get rid of the first 2 warnings (and the repeats later on for
different subdomains)? Something I did wrong while creating the
certificate?
I do understand the cause of the third warning (and its repeats). This
would imply that wildcard certificates and subdomains using name-based
virtual hosting are not possible. Any way that I can work around this?


This is (part of) my /etc/httpd/extra-httpd-ssl.conf

NameVirtualHost *:443

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/run/httpd/ssl_scache(512000)
SSLSessionCacheTimeout 300

# no space between the colon and the first /
SSLMutex file:/var/run/httpd/ssl_mutex

# command centre
#
# (the <VirtualHost> container tags below were stripped by the list archive
#  and are restored here; NameVirtualHost *:443 above implies this form)
<VirtualHost *:443>

DocumentRoot "/home/cc/www/ils/web"
ServerName cc.lbtd-techweb01
#ServerAlias cc.lbtd-techweb01
ServerAdmin wsturkenboom@multichoice.co.za
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/certificates/lbtd-techweb01.crt
SSLCertificateKeyFile /etc/httpd/certificates/lbtd-techweb01.key

BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

# (the container directive, e.g. <Directory> or <Files>, enclosing the next
#  two lines was lost in the archive and is not reconstructed here)
    Order allow,deny
    Allow from all

</VirtualHost>




Wim Sturkenboom
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Apache2, modssl and wildcard certificate

on 15.11.2007 00:31:27 by Olaf Gellert

Hi all,

Wim Sturkenboom wrote:

> 1)
> Originally I had a couple of websites with ssl (https), each site with
> its own ip-address and its own certificate. In an attempt to save on
> IP-addresses, I thought that subdomains and a wildcard certificate would
> allow me to use one ip-address (and therefore name-based virtual
> hosting).
> Is this the correct assumption? If it's correct, please read on. If this
> is not correct, what to do to get it working?

It will not work. An SSL connection has to be completely
established before content is transmitted (which seems
logical: first do authentication and a key exchange
to enable encryption, then send data over this encrypted
and authenticated channel). The way name-based virtual
hosts work is: the name of the requested server is
written in the HTTP header, which is transmitted after
the connection establishment. The only thing that is
available at SSL handshake is the IP-address (which
may even be used by the client to do a reverse lookup and
compare the DNS name with what is written in the certificate).
So: multiple name-based virtual hosts with SSL will not
work.

For the second question: I am not sure how Apache handles
this, but I am pretty sure that some browsers do not accept
wildcard certificates; they require a complete match of
the full DNS name (I think Internet Explorer still accepts
wildcards). It may be that OpenSSL (and therefore all
OpenSSL-based applications) does not accept wildcard
certificates... The wildcard thing is a bit of a "don't do
that": what kind of authentication do you achieve if
wildcards are allowed? In the times when wildcard certificates
were quite common, there were some rules about where in the
DNS names the wildcards were allowed (e.g. nothing like
"www.mydomain.*" or even "*.*" etc.), but my feeling
is: no exceptions from the simplest rule: always use a
correct certificate for the correct host.

Yes, I know, of course it would come in handy to use only
one IP address and have always the same (wildcard) certificate
for all name-based virtual hosts. But it's not "good style".

Cheers, Olaf

--

Dipl.Inform. Olaf Gellert INTRUSION-LAB.NET
Senior Researcher, www.intrusion-lab.net
PKI - and IDS - Services olaf.gellert@intrusion-lab.net
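The two questions in this thread (Wim's "CN does NOT match server name" warnings and Olaf's remark that wildcards were only ever allowed in certain positions of a DNS name) both come down to one check: does a certificate name cover a requested hostname? The script below is an added example, not code from either post and not mod_ssl's own check. It assumes the conservative rules later written down in RFC 6125 section 6.4.3 (a wildcard may only be the whole leftmost label and matches exactly one label), plus the CA/Browser-Forum style requirement that at least two labels follow the wildcard, so `*.com` is refused; the sample names are the ones from the thread, the `example.com` names are constructed.

```python
"""Certificate-name vs hostname matching with conservative wildcard rules.

Added example for the mod_ssl-users thread; not code from the posts and not
mod_ssl's check. Policy assumptions: wildcard only as the entire leftmost
label, covering exactly one label, and at least two labels after it.
"""

import re

# One DNS label: letters, digits, hyphen (input is lower-cased before use).
LABEL_RE = re.compile(r"^[a-z0-9-]+$")


class MalformedPattern(ValueError):
    """The certificate name is not a usable (wildcard) DNS identifier."""


def parse_pattern(pattern: str) -> list:
    """Split a certificate CN/SAN into labels and reject unsafe wildcard forms."""
    labels = pattern.lower().rstrip(".").split(".")
    for i, label in enumerate(labels):
        if not label:
            raise MalformedPattern(f"empty label in {pattern!r}")
        if "*" in label:
            if label != "*":
                # 'www*.example.com' or 'w*w.example.com': partial-label wildcard
                raise MalformedPattern(f"partial-label wildcard {label!r} in {pattern!r}")
            if i != 0:
                # 'www.mydomain.*' and '*.*' are the forms Olaf warns against
                raise MalformedPattern(f"wildcard outside leftmost label in {pattern!r}")
        elif not LABEL_RE.match(label):
            raise MalformedPattern(f"invalid label {label!r} in {pattern!r}")
    if labels[0] == "*" and len(labels) < 3:
        # '*.com', or the single-label '*.lbtd-techweb01' from the thread:
        # too little is left to authenticate under this policy
        raise MalformedPattern(f"wildcard must be followed by at least two labels: {pattern!r}")
    return labels


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if the requested hostname is covered by the certificate name."""
    want = parse_pattern(pattern)
    got = hostname.lower().rstrip(".").split(".")
    if len(got) != len(want):
        # a wildcard covers exactly one label: '*.example.com' is not 'a.b.example.com'
        return False
    for p, h in zip(want, got):
        if p == "*":
            if not LABEL_RE.match(h):
                return False
        elif p != h:
            return False
    return True


def check_servernames(cert_name: str, servernames) -> dict:
    """Report, per ServerName, whether the certificate name would cover it.

    Values are 'match', 'no match', or 'malformed pattern: <reason>', so a
    config review shows why a name would be refused rather than just that it is.
    """
    report = {}
    for name in servernames:
        try:
            ok = hostname_matches(cert_name, name)
        except MalformedPattern as exc:
            report[name] = f"malformed pattern: {exc}"
        else:
            report[name] = "match" if ok else "no match"
    return report


if __name__ == "__main__":
    # Names from the thread: the self-signed certificate's CN and the two
    # ServerNames that mod_ssl reported as conflicting on *:443.
    thread = check_servernames("*.lbtd-techweb01",
                               ["cc.lbtd-techweb01", "tac.lbtd-techweb01"])
    for name, verdict in thread.items():
        print(f"{name}: {verdict}")
    # A well-formed public wildcard for comparison (constructed names).
    for host in ["www.example.com", "example.com", "a.b.example.com"]:
        print(f"*.example.com vs {host}: {hostname_matches('*.example.com', host)}")
```

Run against the thread's names, `check_servernames` refuses `*.lbtd-techweb01` outright because only one label follows the wildcard, the same shape as `*.com`; with a three-label name such as `*.example.com` it reports `www.example.com` as a match and `example.com` and `a.b.example.com` as no match, which is the single-label semantics a reviewer should expect from a wildcard.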
