Re: TLS 1.1 and 1.2 and SNI support

On Mon, May 23, 2016 at 5:31 PM, Eric Covener <covener@xxxxxxxxx> wrote:
On Mon, May 23, 2016 at 10:27 AM, linux.il <linux.il@xxxxxxxxx> wrote:
> I'm using the same "curl" and "wget" for testing. As soon as I disable TLS
> v1.0, I get "curl: (35) SSL connect error" and
> "ERROR: certificate common name “mydefault-ssl-vhost-name” doesn’t match
> requested host name “my-vhost-name”"
> in wget.
> BTW, a similar issue is reported here:
> http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure

Some context re: your vhost configuration and certificate names would
probably help here.

Sure, and thank you again.

1) httpd -S:
*:443                  is a NameVirtualHost
         default server example.co.uk (/etc/httpd/conf.d/25-example.co.uk-https.conf:6)
         port 443 namevhost example.co.uk (/etc/httpd/conf.d/25-example.co.uk-https.conf:6)
                 alias www.example.co.uk
         port 443 namevhost example.com (/etc/httpd/conf.d/25-example.com-https.conf:6)
                 alias www.example.com


2) example.co.uk vhost:
  SSLEngine               on
  SSLCertificateFile      "/etc/httpd/certs/uknew/example.co.uk.crt"
  SSLCertificateKeyFile   "/etc/httpd/certs/uknew/example.co.uk.key"
  SSLCertificateChainFile "/etc/httpd/certs/uknew/uk_chained"
  SSLCACertificatePath    "/etc/pki/tls/certs"
  SSLProtocol             All -SSLv2 -SSLv3 -TLSv1

3) example.com vhost:
  SSLEngine               on
  SSLCertificateFile      "/etc/httpd/certs/new/EXAMPLE.com.crt"
  SSLCertificateKeyFile   "/etc/httpd/certs/new/server.key"
  SSLCertificateChainFile "/etc/httpd/certs/new/combundle.crt"
  SSLCACertificatePath    "/etc/pki/tls/certs"
  SSLProtocol             All -SSLv2 -SSLv3 -TLSv1
  SSLCipherSuite          HIGH:MEDIUM:!aNULL:!MD5:!RC4

Issue:
When the default SSL vhost config includes "-TLSv1", we get:

wget   https://example.com
--2016-05-23 17:40:29--  https://example.com/
Resolving example.com... x.x.x.x
Connecting to example.com|x.x.x.x|:443... connected.
ERROR: certificate common name “www.example.co.uk” doesn’t match requested host name “example.com”.
To connect to example.com insecurely, use ‘--no-check-certificate’.

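An added diagnostic, not part of this thread and not httpd's or wget's own code: a shell script that asks the server for its certificate under each TLS version and SNI name, extracts the certificate CN, and reports whether it covers the name requested, so the certificate actually served (default vhost versus named vhost) can be compared per protocol. It assumes `openssl s_client` is available; the host names and `x.x.x.x` placeholder are taken from the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Probes one IP:443 with several
# TLS versions and SNI names and mimics wget's "common name doesn't match"
# check on the certificate returned. Assumes an openssl with s_client; on
# OpenSSL builds that no longer speak TLS 1.0 the -tls1 probe just reports
# no certificate.

# Extract the CN from an "openssl x509 -subject" line. Handles both the
# OpenSSL 1.0 form "subject= /C=GB/CN=host" and the 1.1+ form
# "subject=C = GB, CN = host".
cn_from_subject() {
  printf '%s\n' "$1" | sed -n -E 's/.*CN ?= ?([^,/]+).*/\1/p' \
    | sed -E 's/[[:space:]]+$//'
}

# "ok" if the CN covers the requested name (exact match or a single-label
# wildcard such as *.example.com), otherwise "MISMATCH". A complete check
# would also walk the subjectAltName extension.
served_name_matches() {
  cn=$1; sni=$2
  if [ "$cn" = "$sni" ]; then
    echo ok
  elif [ "${cn#\*.}" != "$cn" ] && [ "${sni#*.}" != "$sni" ] \
       && [ "${sni#*.}" = "${cn#\*.}" ]; then
    echo ok
  else
    echo MISMATCH
  fi
}

# Subject line of the certificate the server presents for SNI name $3
# when the client is restricted to protocol flag $4 (-tls1, -tls1_1, -tls1_2).
probe_subject() {
  openssl s_client -connect "$1:$2" -servername "$3" "$4" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null
}

# Run the matrix only when a target is given, e.g.
#   PROBE_HOST=x.x.x.x ./sni-probe.sh example.com example.co.uk
if [ -n "${PROBE_HOST:-}" ]; then
  for proto in -tls1 -tls1_1 -tls1_2; do
    for sni in "$@"; do
      subj=$(probe_subject "$PROBE_HOST" 443 "$sni" "$proto")
      cn=$(cn_from_subject "$subj")
      printf '%-8s %-20s CN=%-25s %s\n' "$proto" "$sni" "${cn:-<none>}" \
        "$(served_name_matches "$cn" "$sni")"
    done
  done
fi
```

A row that reads `MISMATCH` with the default vhost's CN for a protocol where the other rows are `ok` shows exactly which client protocol ends up on the default vhost.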