Hi,

I'm sorry I always insist on wildcard certificates being not officially supported by Apache, but I think that's something to know about. You can save a bunch of dollars a year with this trick ;-)

Here's what I recently wrote for a doc, feel free to correct me if I'm wrong:

------------------------------------------------------------------------------------------------------------

Name based virtual hosting is not officially compatible with HTTPS. The reason is:

1) the request received by Apache is encrypted: only the source and destination IP addresses can be read by Apache (it is in the TCP header, not the encrypted HTTP request)
2) for this reason, when using name based virtual hosts, no virtual host can be associated with the HTTPS request
3) by default, the first SSLCertificateFile directive found is used: the first SSL certificate found is used

However, if a single "wildcard" certificate is used by all virtual hosts on the same IP, then:

4) the first certificate found is correct
5) the request can be decrypted
6) the server name can now be read and the right virtual host is found
7) the rest of the process is similar to normal HTTP

A few consequences:

- it only works because all the virtual hosts on the same IP use the same SSL certificate
- because they are virtual hosts with different names (hence the "name based"), the certificate can only be a "wildcard" certificate...
- when using this "unsupported feature" it is very important to make it clear that the virtual hosts use the same certificate => for example, move the "SSLCertificateFile" directive into a file and include it in all your virtual hosts. Then a change in this file will clearly affect all your virtual hosts.

Very logically, wildcard certificates aren't officially supported by Apache either. Apache, when starting up, compares the server name of the SSL certificate with the configuration (virtual host) server name. Thus, when using a wildcard certificate, you will get such a warning at startup:

[Fri Jul 21 13:40:10 2006] [warn] RSA server certificate CommonName (CN) `*.myserver.com' does NOT match server name!?

See:
- http://mail-archives.apache.org/mod_mbox/httpd-bugs/200512.mbox/%3C20051214183548.6B3CC184@xxxxxxxxxxxxxxx%3E
- http://www.lists.aldigital.co.uk/apache-ssl/msg03957.html

Reference: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

------------------------------------------------------------------------------------------------------------

I'd be proud if I can help for ApacheCon ;-)

Olivier

Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology

> -----Original Message-----
> From: Vincent Bray [mailto:noodlet@xxxxxxxxx]
> Sent: 19 March 2007 10:09
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: Request for Input: ApacheCon SSL Training
>
> On 19/03/07, Sander Temme <sctemme@xxxxxxxxxx> wrote:
> > Dear list,
> >
> > As I prepare my training session titled "Practical SSL Implementation
> > with Apache" for the upcoming ApacheCon EU conference, I would like
> > to take a moment and request your feedback.
>
> #apache on freenode commonly sees questions from people confused by the
> various certificate formats and by the openssl command (hardly
> surprising considering its man page). Perhaps some coverage of the
> difference between pem/der/crt/whatever, and maybe ways to
> validate/convert those formats?
>
> I can't attend the conference but I hope it turns out well,
> good luck :)
>
> --
> noodl
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> ---------------------------------------------------------------------
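The post above relies on two things: every SSL virtual host on one IP must point at the same certificate (hence the advice to keep SSLCertificateFile in one included file), and the certificate's CN must actually cover each ServerName, which is what Apache's "does NOT match server name" warning is checking. The following script is an added example, not code from the thread or from the Apache project: it parses a constructed httpd-style config, expands Include lines from a constructed in-memory table, and reports vhosts whose ServerName is not covered by the wildcard CN and IP:port pairs whose vhosts disagree on the certificate file. The config text, include path, certificate paths and the `audit` function name are all assumptions made for the example; the wildcard rule applied is the usual one (a `*` only in the leftmost label, matching exactly one label, so `*.myserver.com` covers `www.myserver.com` but not `myserver.com`).

```python
"""Audit SSL virtual hosts: one shared certificate per IP:port, CN covering every ServerName.

Added example for the wildcard-certificate thread; not Apache project code.
"""
import re

# Constructed sample config (assumption, not taken from the thread). Three vhosts share
# 192.0.2.10:443; two include the shared certificate file, the third names its own.
SAMPLE_CONFIG = """
<VirtualHost 192.0.2.10:443>
    ServerName www.myserver.com
    Include conf/ssl-shared.conf
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName mail.myserver.com
    Include conf/ssl-shared.conf
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName myserver.com
    SSLCertificateFile /etc/ssl/certs/other.crt
</VirtualHost>
"""

# Constructed content of the shared include file (assumption).
INCLUDES = {
    "conf/ssl-shared.conf": "SSLCertificateFile /etc/ssl/certs/wildcard.crt\n",
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)


def parse_vhosts(config, includes):
    """Return a list of {addr, name, cert} dicts, one per <VirtualHost> block."""
    vhosts = []
    for m in VHOST_RE.finditer(config):
        addr, body = m.group(1).strip(), m.group(2)
        # Expand Include lines inline so an SSLCertificateFile inside them is found.
        for inc in re.findall(r"^\s*Include\s+(\S+)", body, re.M):
            body += "\n" + includes.get(inc, "")
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M)
        vhosts.append({
            "addr": addr,
            "name": name.group(1) if name else "(none)",
            "cert": cert.group(1) if cert else "(none)",
        })
    return vhosts


def wildcard_matches(cn, hostname):
    """True if certificate CN covers hostname: '*' only as the whole leftmost label,
    matching exactly one label; otherwise an exact (case-insensitive) match."""
    cn, hostname = cn.lower().rstrip("."), hostname.lower().rstrip(".")
    if not cn.startswith("*."):
        return cn == hostname
    suffix = cn[1:]  # e.g. ".myserver.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    return bool(left) and "." not in left


def audit(config=SAMPLE_CONFIG, includes=INCLUDES, cn="*.myserver.com"):
    """Return a list of human-readable findings; empty means the config is consistent."""
    findings = []
    vhosts = parse_vhosts(config, includes)
    certs_by_addr = {}
    for v in vhosts:
        certs_by_addr.setdefault(v["addr"], set()).add(v["cert"])
        if not wildcard_matches(cn, v["name"]):
            findings.append(f"{v['name']}: not covered by CN {cn}")
    for addr, certs in certs_by_addr.items():
        if len(certs) > 1:
            findings.append(f"{addr}: vhosts disagree on certificate: {sorted(certs)}")
    return findings


if __name__ == "__main__":
    for line in audit() or ["OK: all vhosts share one certificate and are covered by the CN"]:
        print(line)
```

Run against the constructed config it reports two problems: the bare `myserver.com` vhost is not covered by `*.myserver.com` (the same mismatch behind the startup warning quoted above), and the `192.0.2.10:443` vhosts do not agree on a certificate file, which is exactly the situation the "one included file" advice is meant to prevent. Point `parse_vhosts` at a real `httpd.conf` and a dict of its include files to reuse it.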