Problem with Multiple VirtualHosts with SSL using Named Virtual Hosts (SNI)
I've set up Apache to handle named Virtual Hosts with SSL; however, there is something I am missing because it doesn't work. This is my first time trying multiple SSL hosting; however, I have had one SSL domain working for years on this server.
The certificates check out because if I comment out the section for domain1.com then domain2.com works perfectly in the browser, i.e.: no warning message and straight into https://www.domain2.com seamlessly. Of course domain1.com gives the "untrusted certificate" warning since it's the wrong certificate the browser is getting.
When I uncomment the lines for domain1.com, then domain1.com will work seamlessly as domain2.com did, but now domain2.com will give the "untrusted certificate" warning in the browser, so Apache is defaulting to the first certificate it finds to serve up to the browser.
I can't find anything more to do to make this work, so I'm hoping someone who has made this work could look at my Apache configuration and tell me what I am doing wrong.
I also checked the Apache log and I get this message:
[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
which, from what I read, means that Apache is properly set up for name-based virtual domains with SSL.
The software is:
openSUSE 11.4
Apache 2.2.17
OpenSSL 1.0.0c
Firefox 12.0 Linux & Windows, IE7 Vista
I've checked all of the above software versions and as far as I can see it is all new enough to work with SNI.
Any help really appreciated!
Reg
Relevant Apache configuration:
Listen 443
NameVirtualHost *:443
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 600
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<Directory "/srv/www/vhosts/live/m/multi-001/www">
Options none
AllowOverride all
Order allow,deny
Allow from all
</Directory>
# Old stuff we'll probably never use
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/srv/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
#
# www.domain1.com
#
# Live: live/www.domain1.com
<VirtualHost *:443>
DocumentRoot "/srv/www/vhosts/live/m/multi-7/www/"
ServerName domain1.com:443
ServerAlias www.domain1.com:443
ServerAdmin webmaster@xxxxxxxxxxx
<Directory "/srv/www/vhosts/live/m/multi-7/www">
Options none
AllowOverride all
Order allow,deny
Allow from all
</Directory>
SSLEngine on
SSLCertificateFile /etc/ssl/private/crt/domain1.com.crt
SSLCertificateKeyFile /etc/ssl/private/key/domain1.com.key
SSLCertificateChainFile /etc/ssl/private/bundle/domain1.com.crt.bundle
CustomLog '/var/log/apache2/d/domain1.com_reqst' ssl_combined
ErrorLog '/var/log/apache2/d/domain1.com_error'
RewriteLog '/var/log/apache2/d/domain1.com_rewri'
</VirtualHost>
#
# www.domain2.com
#
# Live: live/www.domain2.com
<VirtualHost *:443>
DocumentRoot "/srv/www/vhosts/live/m/multi-7/www/"
ServerName domain2.com:443
ServerAlias www.domain2.com:443
ServerAdmin webmaster@xxxxxxxxxxx
<Directory "/srv/www/vhosts/live/m/multi-7/www">
Options none
AllowOverride All
Order allow,deny
Allow from all
</Directory>
SSLEngine on
SSLCertificateFile /etc/ssl/private/crt/domain2.com.crt
SSLCertificateKeyFile /etc/ssl/private/key/domain2.com.key
SSLCertificateChainFile /etc/ssl/private/bundle/domain2.com.crt.bundle
CustomLog '/var/log/apache2/d/domain2.com_acces' ssl_combined
ErrorLog '/var/log/apache2/d/domain2.com_error'
RewriteLog '/var/log/apache2/d/domain2.com_rewri'
</VirtualHost>
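An added example (not part of the original post, and not Apache's own code): a simplified model of name-based virtual host selection, run offline over the name and certificate lines of the posted configuration, to show which certificate each requested name would receive. It assumes ServerAlias entries are compared exactly as written, port suffix included, and that an unmatched name falls back to the first vhost; `parse_vhosts`, `select_cert` and `aliases_with_port` are hypothetical helper names.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: name and certificate lines of the two vhosts in the post.
SAMPLE_CONF = """
<VirtualHost *:443>
ServerName domain1.com:443
ServerAlias www.domain1.com:443
SSLCertificateFile /etc/ssl/private/crt/domain1.com.crt
</VirtualHost>
<VirtualHost *:443>
ServerName domain2.com:443
ServerAlias www.domain2.com:443
SSLCertificateFile /etc/ssl/private/crt/domain2.com.crt
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: name, aliases, cert."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        vh = {"name": None, "aliases": [], "cert": None}
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            if key == "servername" and len(parts) > 1:
                # ServerName accepts host[:port]; only the host part is compared.
                vh["name"] = parts[1].rsplit(":", 1)[0].lower()
            elif key == "serveralias":
                # Assumption: alias tokens are compared as written, port included.
                vh["aliases"] += [a.lower() for a in parts[1:]]
            elif key == "sslcertificatefile" and len(parts) > 1:
                vh["cert"] = parts[1]
        vhosts.append(vh)
    return vhosts

def select_cert(vhosts, sni_name):
    """Return (cert, matched); an unmatched name gets the first vhost's cert."""
    sni = sni_name.lower()
    for vh in vhosts:
        if sni == vh["name"] or any(fnmatchcase(sni, a) for a in vh["aliases"]):
            return vh["cert"], True
    return vhosts[0]["cert"], False

def aliases_with_port(vhosts):
    """List ServerAlias entries that carry a :port suffix."""
    return [a for vh in vhosts for a in vh["aliases"] if re.search(r":\d+$", a)]
```

Under this model, `select_cert(parse_vhosts(SAMPLE_CONF), "www.domain2.com")` falls back to the domain1.com certificate, while `domain2.com` matches its own vhost.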