Anyone good with multiple SSL on Apache?

on 08.03.2010 23:13:28 by Skip Evans

Hey all,

I have an Apache virtual config running a bunch of sites, one
with SSL. I finally have a need to add SSL to one more, but
when I do the first one (which is further down the file) comes
up "untrusted".

Since this is pretty far off topic I'd be obliged if someone
who has configured this before can email me off list for some
assistance.

Much thanks!
Skip

--
====================================
Skip Evans
PenguinSites.com, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://penguinsites.com
------------------------------------
Those of you who believe in
telekinesis, raise my hand.
-- Kurt Vonnegut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Anyone good with multiple SSL on Apache?

on 08.03.2010 23:16:23 by fmk

You can only have one SSL per IP address. The SSL connection between the
client and server is done before the host header name is made available
to Apache.

- Frank

On 3/8/10 2:13 PM, Skip Evans wrote:
> Hey all,
>
> I have an Apache virtual config running a bunch of sites, one with
> SSL. I finally have a need to add SSL to one more, but when I do the
> first one (which is further down the file) comes up "untrusted".
>
> Since this is pretty far off topic I'd be obliged if someone who has
> configured this before can email me off list for some assistance.
>
> Much thanks!
> Skip
>

--

Frank M. Kromann, M.Sc.E.E.

Web by Pixel, Inc.


Phone: +1 949 742 7533

Cell: +1 949 702 1794

Denmark: +45 88 33 64 80



Re: Anyone good with multiple SSL on Apache?

on 08.03.2010 23:21:31 by Skip Evans

D'oh!

...and I suppose there is just no way around that, eh?

Skip

Frank M. Kromann wrote:
> You can only have one SSL per IP address. The SSL connection between the
> client and server is done before the host header name is made available
> to Apache.
>
> - Frank
>
> On 3/8/10 2:13 PM, Skip Evans wrote:
>> Hey all,
>>
>> I have an Apache virtual config running a bunch of sites, one with
>> SSL. I finally have a need to add SSL to one more, but when I do the
>> first one (which is further down the file) comes up "untrusted".
>>
>> Since this is pretty far off topic I'd be obliged if someone who has
>> configured this before can email me off list for some assistance.
>>
>> Much thanks!
>> Skip
>>
>
> --
>
> Frank M. Kromann, M.Sc.E.E.
>
> Web by Pixel, Inc.
>
>
> Phone: +1 949 742 7533
>
> Cell: +1 949 702 1794
>
> Denmark: +45 88 33 64 80
>

--
====================================
Skip Evans
PenguinSites.com, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://penguinsites.com
------------------------------------
Those of you who believe in
telekinesis, raise my hand.
-- Kurt Vonnegut


Re: Anyone good with multiple SSL on Apache?

on 08.03.2010 23:54:29 by fmk

Not that I know of.

- Frank

On 3/8/10 2:21 PM, Skip Evans wrote:
> D'oh!
>
> ...and I suppose there is just no way around that, eh?
>
> Skip
>
> Frank M. Kromann wrote:
>> You can only have one SSL per IP address. The SSL connection between
>> the client and server is done before the host header name is made
>> available to Apache.
>>
>> - Frank
>>
>> On 3/8/10 2:13 PM, Skip Evans wrote:
>>> Hey all,
>>>
>>> I have an Apache virtual config running a bunch of sites, one with
>>> SSL. I finally have a need to add SSL to one more, but when I do the
>>> first one (which is further down the file) comes up "untrusted".
>>>
>>> Since this is pretty far off topic I'd be obliged if someone who has
>>> configured this before can email me off list for some assistance.
>>>
>>> Much thanks!
>>> Skip
>>>
>>
>> --
>>
>> Frank M. Kromann, M.Sc.E.E.
>>
>> Web by Pixel, Inc.
>>
>>
>> Phone: +1 949 742 7533
>>
>> Cell: +1 949 702 1794
>>
>> Denmark: +45 88 33 64 80
>>
>

--

Frank M. Kromann, M.Sc.E.E.

Web by Pixel, Inc.


Phone: +1 949 742 7533

Cell: +1 949 702 1794

Denmark: +45 88 33 64 80



Re: Anyone good with multiple SSL on Apache?

on 09.03.2010 00:16:46 by Kim Madsen

Skip Evans wrote on 08/03/2010 23:21:
> D'oh!
>
> ...and I suppose there is just no way around that, eh?

two public IPs pointing to the same server? ;o)

--
Kind regards
Kim Emax - masterminds.dk


Re: Anyone good with multiple SSL on Apache?

on 09.03.2010 00:34:13 by Daniel Egeberg

On Mon, Mar 8, 2010 at 23:21, Skip Evans wrote:
> D'oh!
>
> ...and I suppose there is just no way around that, eh?
>
> Skip

You can use SNI, but it's not supported by all web servers and browsers.

http://en.wikipedia.org/wiki/Server_Name_Indication

--
Daniel Egeberg


Re: Anyone good with multiple SSL on Apache?

on 10.03.2010 01:07:36 by Manuel Lemos

Hello,

on 03/08/2010 07:13 PM Skip Evans said the following:
> Hey all,
>
> I have an Apache virtual config running a bunch of sites, one with SSL.
> I finally have a need to add SSL to one more, but when I do the first
> one (which is further down the file) comes up "untrusted".
>
> Since this is pretty far off topic I'd be obliged if someone who has
> configured this before can email me off list for some assistance.

AFAIK, you need to have a different certificate per domain, although
there are certificates that can be used for all domains.

--

Regards,
Manuel Lemos

Find and post PHP jobs
http://www.phpclasses.org/jobs/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/


Re: Re: Anyone good with multiple SSL on Apache?

on 10.03.2010 08:38:12 by jochen schultz

AFAIK Apache 2 doesn't support virtual hosts for SSL.

But you may use one cert per socket, e.g. it is possible to set one cert
up on port 447 and one on 8080.

https://example1.com
https://example2.com:8080

regards

Jochen Schultz

Manuel Lemos wrote:
> Hello,
>
> on 03/08/2010 07:13 PM Skip Evans said the following:
>> Hey all,
>>
>> I have an Apache virtual config running a bunch of sites, one with SSL.
>> I finally have a need to add SSL to one more, but when I do the first
>> one (which is further down the file) comes up "untrusted".
>>
>> Since this is pretty far off topic I'd be obliged if someone who has
>> configured this before can email me off list for some assistance.
>
> AFAIK, you need to have a different certificate per domain, although
> there are certificates that can be used for all domains.
>

--
Sport Import GmbH - Amtsgericht Oldenburg - Tel: +49-4405-9280-63
Industriestrasse 39 - HRB 1202900 -
26188 Edewecht - GF: Michael Müllmann


Re: Re: Anyone good with multiple SSL on Apache?

on 10.03.2010 09:37:35 by Per Jessen

Jochen Schultz wrote:

> AFAIK Apache 2 doesn't support virtual hosts for SSL.
>

I think it does now - there was even a c't article on the topic not long
ago. I'll see if I can find it.

/Per

--
Per Jessen, Zürich (-4.0°C)



Re: Anyone good with multiple SSL on Apache?

on 10.03.2010 09:41:16 by Per Jessen

Daniel Egeberg wrote:

> On Mon, Mar 8, 2010 at 23:21, Skip Evans
> wrote:
>> D'oh!
>>
>> ...and I suppose there is just no way around that, eh?
>>
>> Skip
>
> You can use SNI, but it's not supported by all web servers and
> browsers.
>
> http://en.wikipedia.org/wiki/Server_Name_Indication
>

I don't know about the browser support, but the Apache and SNI
implementation is well described in this article:

http://www.heise.de/kiosk/archiv/ct/2009/23/174_kiosk (download for a
fee)

/Per

--
Per Jessen, Zürich (-4.0°C)



Re: Re: Anyone good with multiple SSL on Apache?

on 10.03.2010 09:42:53 by Per Jessen

Per Jessen wrote:

> Jochen Schultz wrote:
>
>> AFAIK Apache 2 doesn't support virtual hosts for SSL.
>>
>
> I think it does now - there was even a c't article on the topic not
> long ago. I'll see if I can find it.

http://www.heise.de/kiosk/archiv/ct/2009/23/174_kiosk (download for a
fee)

--
Per Jessen, Zürich (-3.9°C)



Re: Anyone good with multiple SSL on Apache?

on 10.03.2010 09:45:07 by Per Jessen

Per Jessen wrote:

> Daniel Egeberg wrote:
>
>> On Mon, Mar 8, 2010 at 23:21, Skip Evans
>> wrote:
>>> D'oh!
>>>
>>> ...and I suppose there is just no way around that, eh?
>>>
>>> Skip
>>
>> You can use SNI, but it's not supported by all web servers and
>> browsers.
>>
>> http://en.wikipedia.org/wiki/Server_Name_Indication
>>
>
> I don't know about the browser support, but the Apache and SNI
> implementation is well described in this article:
>
> http://www.heise.de/kiosk/archiv/ct/2009/23/174_kiosk (download for a
> fee)
>

This looks like a pretty decent article too:

http://en.gentoo-wiki.com/wiki/Apache2/SSL_and_Name_Based_Virtual_Hosts

According to that, the following browsers support SNI:

* Opera 8.0+
* Firefox 2+
* Internet Explorer 7+ (but not on Windows XP)
* Safari 3.2.1+

--
Per Jessen, Zürich (-3.9°C)



Re: Re: Anyone good with multiple SSL on Apache?

on 10.03.2010 09:57:12 by jochen schultz

Thanks Per,

well here is a short translation of this article:
http://www.tech-nerds.de/blog/2009/02/apache2-mit-mehreren-ssl-virtualhosts/

If you haven't installed apache2-threaded-dev:
You need the current version of gnutls (download from gnu.org)
Download, unpack, compile and install as usual. Then call ldconfig.
And then install apache2-threaded-dev:
./configure --with-apxs2=/usr/bin/apxs2
make install
(Which copies apache module (hopefully) to this path:
/usr/lib/apache2/modules)

Then create /etc/apache2/mods-enabled/gnutls.load with following entry:

LoadModule gnutls_module /usr/lib/apache2/modules/mod_gnutls.so

And you have to create /etc/apache2/mods-enabled/gnutls.conf containing
the following:

GnuTLSCache dbm /var/cache/mod_gnutls_cache
GnuTLSCacheTimeout 300

Well and then every vhost that has to use SSL needs an entry like this:

ServerName www.example.de
GnuTLSEnable on
GnuTLSPriorities NORMAL
GnuTLSCertificateFile /etc/certs/example_server.pem
GnuTLSKeyFile /etc/certs/example_key.pem
DocumentRoot "/var/www/example.de"
...


regards

Jochen Schultz

P.S. I think i will have to give it a try right now.

Per Jessen wrote:
> Jochen Schultz wrote:
>
>> AFAIK Apache 2 doesn't support virtual hosts for SSL.
>>
>
> I think it does now - there was even a c't article on the topic not long
> ago. I'll see if I can find it.
>
>
> /Per
>

--
Sport Import GmbH - Amtsgericht Oldenburg - Tel: +49-4405-9280-63
Industriestrasse 39 - HRB 1202900 -
26188 Edewecht - GF: Michael Müllmann


SSL and multiple host names

on 11.03.2010 22:15:14 by Skip Evans

Hey all,

Just wanted to let you know what I found out about this and how
I solved the problem.

First, name based SSL is, as one person told me, only good for
one IP address in an Apache installation. I'll let Apache
explain it themselves because they are better at it than I am.

"The reason is that the SSL protocol is a separate layer which
encapsulates the HTTP protocol. So the SSL session is a
separate transaction, that takes place before the HTTP session
has begun. The server receives an SSL request on IP address X
and port Y (usually 443). Since the SSL request does not
contain any Host: field, the server has no way to decide which
SSL virtual host to use. Usually, it will just use the first
one it finds, which matches the port and IP address specified."

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2

So the solution is that each host name has to have its own IP
address if you're going to do both port 80 for HTTP and port
443 for HTTPS.

You can assign different ports for your different SSL host
names, but that can get messy, and because these are paying
customers for an account on our system it was a no brainer to
go with separate IPs per host name.

So my process now is to leave them on the shared virtual host
name configuration until they require SSL, which our clients
only do when they start processing credit card transactions,
and once they do that they get their own IP and we configure
them accordingly.

So I hope this little nugget helps anyone who comes across
this same issue. And incidentally, if you need to configure
IP-based SSL on FreeBSD I'm your guy; I'm now a whiz at it :)

Skip

====================================
Skip Evans
PenguinSites.com, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://penguinsites.com
------------------------------------
Those of you who believe in
telekinesis, raise my hand.
-- Kurt Vonnegut
