Re: Virtual Hosts and SSL Puzzler (Apache Users)

Re: Virtual Hosts and SSL Puzzler

Date Prev

Date Next

Thread Prev

Thread Next

Date Index

Thread Index

To: <users@xxxxxxxxxxxxxxxx>

Subject: Re: Virtual Hosts and SSL Puzzler

From: "Chris Gordon" <CGordon@xxxxxxxxx>

Date: Tue, 22 Oct 2013 12:20:13 -0400

In-reply-to: <52668D93.5090302@bellsouth.net>

Reply-to: users@xxxxxxxxxxxxxxxx

Thank you for the enlightenment Yehuda!

I must not be meeting one of the SNI prerequisites (maybe LD_LIBRARY_PATH, maybe TLS Extensions) because I get a warning message on startup about using *<port> and Name Based Hosting with SSL. I have a secure workaround so as long as it works and security is not compromised I'm OK with the warning since it's only temporary for me.

The // for finding appropriate protocol is also a great pointer. I'm curious if that will work with a mod_rewrite rule and if placement in the conf file makes a difference, but a quick test will tell me.

--Chris

>>> Dennis Putnam <dap1@xxxxxxxxxxxxx> 10/22/2013 10:37 AM >>>

On 10/22/2013 10:03 AM, Yehuda Katz wrote:

If the sites you are referencing allow you to access them over https, that will solve the problem.
My prefered solution is to omit the http: altogether. If a url just starts with "//example.com/rest/of/url", the browser will use the appropriate protocol automatically.

- Y

On Tue, Oct 22, 2013 at 9:59 AM, Dennis Putnam <dap1@xxxxxxxxxxxxx> wrote:

On 10/22/2013 9:44 AM, Yehuda Katz wrote:

On Tue, Oct 22, 2013 at 9:39 AM, Dennis Putnam <dap1@xxxxxxxxxxxxx> wrote:

Thanks. That might make more sense (at least to me). After more reading,
I am not sure that I don't have SNI capable version of httpd already
installed (how do I tell?). The pages that work are very simple but the
one that doesn't is complex and has lots of graphics. If that is the
case, why are they not encrypted like everything else (assuming they are
not referenced on a different server)?

As I mentioned, if you don't have SNI, then you should see major warnings from the browser that something is wrong when you go to any site but the first one.

As far as finding the offending image: Go to the page in your browser, right click on the page and choose view source (or a similar option). Then search in the source for http://

That should let you find which images are not secure.

If the URLs are publicly accessible, post them here if you want someone to have a specific look (or email me privately if you don't want them to be public and I will try to have a look).

- Y

Ah ha! You hit it. There are references to social media on the page that use http (Facebook, LinkedIn and Twitter). Since they reference a different site will just changing it to https be sufficient or is there some other workaround? Thanks.

Thanks. I'll give that a try.

The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited.