Wildcard support shouldn't have to be official, because there *is*
name-based virtualhost support for SSL. It's well documented in RFC 2817
and 2818 and according to the cipher list, is supported by most recent
versions of mod_ssl in Apache 2.x

If you want to push "how to better allow for name-based SSL", it
shouldn't be to find more workarounds - it should be about how to get the
existing standards into more servers and browsers and make their use a
standard practice.

Just my $0.02,
Issac

Chirouze Olivier wrote:
> Hi,
>
> I'm sorry I always insist on wildcard certificates being not officially
> supported by Apache, but I think that's something to know about. You can
> save a bunch of dollars a year with this trick ;-)
>
> Here's what I recently wrote for a doc, feel free to correct me if I'm
> wrong:
>
> ------------------------------------------------------------------------
> Name based virtual hosting is not officially compatible with HTTPS.
>
> The reason is:
> 1) the request received by Apache is encrypted: only the source and
>    destination IP addresses can be read by Apache (it is in the TCP
>    header, not the encrypted HTTP request)
> 2) for this reason, when using name based virtual host, no virtual
>    host can be associated with the HTTPS request
> 3) by default, the first SSLCertificateFile directive found is
>    used: the first SSL certificate found is used
>
> However, if a single "wildcard" certificate is used by all virtual hosts
> on the same IP, then:
> 4) the first certificate found is correct
> 5) the request can be decrypted
> 6) the server name can now be read and the right virtual host is
>    found
> 7) the rest of the process is similar to normal HTTP
>
> A few consequences:
> - it only works because all the virtual hosts on the same IP use
>   the same SSL certificate
> - because they are virtual hosts with different names (hence the
>   "name based"), the certificate can only be a "wildcard" certificate...
> - when using this "unsupported feature" it is very important to
>   make it clear that the virtual hosts use the same certificate => for
>   example, move the "SSLCertificateFile" directive in a file and include
>   it in all your virtual hosts. Then a change in this file will clearly
>   affect all your virtual hosts.
>
> Very logically, wildcard certificates aren't officially supported by
> Apache either.
>
> Apache, when starting up, compares the server name of the SSL
> certificate with the configuration (virtual host) server name.
> Thus, when using a wildcard certificate, you will get such a warning at
> startup:
>
> [Fri Jul 21 13:40:10 2006] [warn] RSA server certificate CommonName (CN)
> `*.myserver.com' does NOT match server name!?
>
> See:
> - http://mail-archives.apache.org/mod_mbox/httpd-bugs/200512.mbox/%3C20051214183548.6B3CC184@xxxxxxxxxxxxxxx%3E
> - http://www.lists.aldigital.co.uk/apache-ssl/msg03957.html
>
> Reference: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
>
> ------------------------------------------------------------------------
>
> I'd be proud if I can help for ApacheCon ;-)
>
> Olivier
>
> Olivier CHIROUZE
> I&0 Infrastructure
> Volvo Information Technology
>
>> -----Original Message-----
>> From: Vincent Bray [mailto:noodlet@xxxxxxxxx]
>> Sent: 19 March 2007 10:09
>> To: users@xxxxxxxxxxxxxxxx
>> Subject: Re: Request for Input: ApacheCon SSL Training
>>
>> On 19/03/07, Sander Temme <sctemme@xxxxxxxxxx> wrote:
>>
>>> Dear list,
>>>
>>> As I prepare my training session titled "Practical SSL Implementation
>>> with Apache" for the upcoming ApacheCon EU conference, I would like
>>> to take a moment and request your feedback.
>>>
>> #apache on freenode commonly sees questions from people confused by the
>> various certificate formats and by the openssl command (hardly
>> surprising considering its man page). Perhaps some coverage of the
>> difference between pem/der/crt/whatever, and maybe ways to
>> validate/convert those formats?
>>
>> I can't attend the conference but I hope it turns out well,
>> good luck :)
>>
>> --
>> noodl
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP
>> Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>    "   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
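Added example, not code from this thread and not Apache's own source: the script below illustrates the two technical points raised above. First, the startup warning Olivier quotes (`CN *.myserver.com does NOT match server name`): it compares the certificate CN against a set of ServerNames the way a literal string comparison would (my reading of why the warning fires, not a transcription of mod_ssl) and the way the RFC 2818 section 3.1 wildcard rule that browsers apply would, so you can see which virtual hosts a wildcard certificate actually covers and which (the bare domain, a second-level subdomain) it does not. Second, Vincent's PEM/DER question: detection and conversion in both directions using only the standard library, since PEM is just base64-armoured DER. The host names, CN and the short DER byte string are constructed for the example; the DER bytes are a placeholder ASN.1 SEQUENCE, not a real certificate.

```python
"""Added example (not from the thread, not Apache code).

1. Certificate name vs. ServerName: literal comparison versus the
   RFC 2818 s3.1 wildcard rule, run over a constructed set of vhosts.
2. PEM vs. DER: detect and convert with the standard library only.
"""
import base64
import re


# ---- 1. certificate name vs. ServerName --------------------------------

def hostname_matches(cert_name: str, hostname: str) -> bool:
    """RFC 2818 s3.1 style match of a certificate name against a host name.

    - case-insensitive, trailing dots ignored
    - '*' is accepted only as the entire left-most label and matches
      exactly one label: '*.myserver.com' matches 'www.myserver.com',
      but not 'myserver.com' and not 'a.b.myserver.com'
    - at least two fixed labels must follow the wildcard ('*.com' is
      refused, as real validators do)
    - any other use of '*' (e.g. 'w*.myserver.com') is treated as a
      literal name here, the conservative choice
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    if len(c_labels) < 3 or len(c_labels) != len(h_labels):
        return False
    # the wildcard must match one non-empty label; the rest must be equal
    return bool(h_labels[0]) and c_labels[1:] == h_labels[1:]


def startup_warnings(cert_cn: str, server_names, wildcard_aware: bool):
    """Simulate the startup check of certificate CN against each ServerName.

    wildcard_aware=False models the behaviour the thread reports (a
    literal, case-insensitive comparison, which warns for every vhost
    when the CN is a wildcard); wildcard_aware=True applies
    hostname_matches() instead. Returns the ServerNames that would
    trigger the 'does NOT match server name' warning.
    """
    flagged = []
    for name in server_names:
        ok = (hostname_matches(cert_cn, name) if wildcard_aware
              else cert_cn.lower() == name.lower())
        if not ok:
            flagged.append(name)
    return flagged


# ---- 2. PEM vs. DER ----------------------------------------------------

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def detect_format(data: bytes) -> str:
    """'PEM' if it carries a BEGIN armour line, 'DER' if it starts with an
    ASN.1 SEQUENCE tag (0x30), else 'unknown'. A .crt or .cer file can be
    either; the extension tells you nothing."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def pem_to_der(pem: str) -> bytes:
    """Strip the armour and base64-decode; the result is the DER bytes."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_to_pem(der: bytes) -> str:
    """Base64 the DER and wrap it at 64 columns between the armour lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed placeholder: ASN.1 SEQUENCE { INTEGER 5 }, not a certificate.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    vhosts = ["www.myserver.com", "mail.myserver.com",
              "myserver.com", "a.b.myserver.com"]
    print("literal check warns for :", startup_warnings("*.myserver.com", vhosts, False))
    print("wildcard-aware warns for:", startup_warnings("*.myserver.com", vhosts, True))
    pem = der_to_pem(SAMPLE_DER)
    print(pem, detect_format(pem.encode()), detect_format(SAMPLE_DER))
    print(pem_to_der(pem) == SAMPLE_DER)
```

The wildcard-aware run still flags `myserver.com` and `a.b.myserver.com`: a `*.myserver.com` certificate covers exactly one label, so those two vhosts need their own certificate (or a SubjectAltName entry) whatever Apache's startup check says.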