RE: Request for Input: ApacheCon SSL Training

Hi Issac, thanks for the info.
I'll read the RFC carefully.
Regarding mod_ssl, a quick look at the FAQ doesn't seem to prove it's
supported: http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

Could you give more information about mod_ssl potentially supporting
name-based vhosts? I suppose the FAQ could be out of date...

Thanks,

Olivier

Olivier CHIROUZE
I&0 Infrastructure
Volvo Information Technology
 

> -----Original Message-----
> From: Issac Goldstand [mailto:margol@xxxxxxxxxxxxx] 
> Sent: 19 March 2007 11:15
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re:  Request for Input: ApacheCon SSL Training
> 
> Wildcard support shouldn't have to be official, because there *is*
> name-based virtualhost support for SSL.  It's well documented in RFC
> 2817 and 2818 and according to the cipher list, is supported by most
> recent versions of mod_ssl in Apache 2.x
> 
> If you want to push "how to better allow for name-based SSL", it
> shouldn't be to find more workarounds - it should be about how to get
> the existing standards into more servers and browsers and make their use
> a standard practice.
> 
> Just my $0.02,
>    Issac
> 
> 
> Chirouze Olivier wrote:
> > Hi,
> >
> > I'm sorry I always insist on wildcard certificates being not officially
> > supported by Apache, but I think that's something to know about. You can
> > save a bunch of dollars a year with this trick ;-)
> >
> > Here's what I recently wrote for a doc, feel free to correct me if I'm
> > wrong:
> >
> > ------------------------------------------------------------------------
> > Name based virtual hosting is not officially compatible with HTTPS.
> >
> > The reason is:
> > 1)	the request received by Apache is encrypted: only the source and
> > destination IP addresses can be read by Apache (it is in the TCP header,
> > not the encrypted HTTP request)
> > 2)	for this reason, when using name based virtual host, no virtual
> > host can be associated with the HTTPS request
> > 3)	by default, the first SSLCertificateFile directive found is
> > used: the first SSL certificate found is used
> >
> > However, if a single "wildcard" certificate is used by all virtual hosts
> > on the same IP, then:
> > 4)	the first certificate found is correct
> > 5)	the request can be decrypted
> > 6)	the server name can now be read and the right virtual host is
> > found
> > 7)	the rest of the process is similar to normal HTTP
> >
> > A few consequences:
> > -	it only works because all the virtual hosts on the same IP use
> > the same SSL certificate
> > -	because they are virtual hosts with different names (hence the
> > "name based"), the certificate can only be a "wildcard" certificate...
> > -	when using this "unsupported feature" it is very important to
> > make it clear that the virtual hosts use the same certificate => for
> > example, move the "SSLCertificateFile" directive into a file and include
> > it in all your virtual hosts. Then a change in this file will clearly
> > affect all your virtual hosts.
> >
> > Very logically, wildcard certificates aren't officially supported by
> > Apache either.
> >
> > Apache, when starting up, compares the server name of the SSL
> > certificate with the configuration (virtual host) server name.
> > Thus, when using a wildcard certificate, you will get such a warning at
> > startup:
> >
> > [Fri Jul 21 13:40:10 2006] [warn] RSA server certificate CommonName (CN)
> > `*.myserver.com' does NOT match server name!?
> >
> > See:
> > -	http://mail-archives.apache.org/mod_mbox/httpd-bugs/200512.mbox/%3C20051214183548.6B3CC184@xxxxxxxxxxxxxxx%3E
> > -	http://www.lists.aldigital.co.uk/apache-ssl/msg03957.html
> >
> > Reference: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
> >
> > ------------------------------------------------------------------------
> >
> > I'd be proud if I can help for ApacheCon ;-)
> >
> > Olivier
> >
> > Olivier CHIROUZE
> > I&0 Infrastructure
> > Volvo Information Technology
> >  
> >
> >   
> >> -----Original Message-----
> >> From: Vincent Bray [mailto:noodlet@xxxxxxxxx] 
> >> Sent: 19 March 2007 10:09
> >> To: users@xxxxxxxxxxxxxxxx
> >> Subject: Re:  Request for Input: ApacheCon SSL Training
> >>
> >> On 19/03/07, Sander Temme <sctemme@xxxxxxxxxx> wrote:
> >>     
> >>> Dear list,
> >>>
> >>> As I prepare my training session titled "Practical SSL Implementation
> >>> with Apache" for the upcoming ApacheCon EU conference, I would like
> >>> to take a moment and request your feedback.
> >>>       
> >> #apache on freenode commonly sees questions from people confused by the
> >> various certificate formats and by the openssl command (hardly
> >> surprising considering its man page). Perhaps some coverage of the
> >> difference between pem/der/crt/whatever, and maybe ways to
> >> validate/convert those formats?
> >>
> >> I can't attend the conference but I hope it turns out well, 
> >> good luck :)
> >>
> >> -- 
> >> noodl
> >>
> >> 
> ---------------------------------------------------------------------
> >> The official User-To-User support forum of the Apache HTTP 
> >> Server Project.
> >> See <URL:http://httpd.apache.org/userslist.html> for more info.
> >> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> >> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> >>
> >>     
> >
> 
> 
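As an added worked example (not from this thread, and not mod_ssl's or Apache's own tooling), the POSIX shell script below goes through the points raised above end to end: it generates a throwaway wildcard certificate with the openssl command, converts it between the PEM and DER encodings Vincent mentioned and proves the round trip is lossless by comparing fingerprints, extracts the subject CN and compares it against a set of ServerNames both literally (the comparison Olivier's startup warning reflects) and with the single-label wildcard rule a browser applies, and finally writes the shared SSLCertificateFile include plus two name-based HTTPS vhosts that Include it, as Olivier's doc recommends. It assumes the openssl CLI is installed; the domain example.test, the address 192.0.2.10, the hostnames and the file paths are all hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original thread or of mod_ssl itself.
# Assumes the openssl CLI is installed. example.test, 192.0.2.10 and the
# paths used below are hypothetical.
set -eu

# Throwaway self-signed wildcard certificate (CN=*.example.test) and key for
# a lab; a real deployment uses a CA-issued certificate instead.
gen_wildcard_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=*.example.test" \
        -keyout "$dir/wildcard.key" -out "$dir/wildcard.crt" 2>/dev/null
}

# PEM <-> DER: the same certificate in two encodings (.crt/.pem/.cer are just
# file-name conventions). Equal fingerprints after a round trip prove nothing
# was lost in conversion.
pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }
fingerprint() {   # fingerprint FILE PEM|DER -> hex digest only
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Subject CN of a certificate, the value the startup warning quotes.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject= *//' -e 's/^.*CN=//'
}

# Browser-style match of a server name against a CN: exact match, or a leading
# "*." that covers exactly one DNS label (so *.example.test covers
# www.example.test but neither example.test nor a.b.example.test).
cn_matches() {
    cn=$1; name=$2
    if [ "$cn" = "$name" ]; then return 0; fi
    case "$cn" in
        \*.*)
            suffix=${cn#\*.}
            label=${name%%.*}
            rest=${name#*.}
            if [ -n "$label" ] && [ "$rest" = "$suffix" ] && [ "$rest" != "$name" ]; then
                return 0
            fi
            return 1
            ;;
        *)
            return 1
            ;;
    esac
}

# One line per ServerName: "literal" is the plain string comparison the thread
# describes (warn = the "does NOT match server name!?" case), "wildcard" is
# what a client will actually accept.
report_servername() {
    cn=$1; name=$2
    if [ "$cn" = "$name" ]; then literal=match; else literal=warn; fi
    if cn_matches "$cn" "$name"; then wild=ok; else wild=MISMATCH; fi
    printf '%s literal=%s wildcard=%s\n' "$name" "$literal" "$wild"
}

# Keep the certificate directives in ONE file and Include it from every
# name-based HTTPS vhost on the IP, so a change there visibly affects all of
# them. NameVirtualHost is what httpd 2.0/2.2 need; 2.4 ignores it.
write_vhost_config() {
    dir=$1
    cat > "$dir/ssl-wildcard.conf" <<EOF
SSLCertificateFile    $dir/wildcard.crt
SSLCertificateKeyFile $dir/wildcard.key
EOF
    : > "$dir/httpd-ssl-vhosts.conf"
    echo "NameVirtualHost 192.0.2.10:443" >> "$dir/httpd-ssl-vhosts.conf"
    for host in www.example.test mail.example.test; do
        cat >> "$dir/httpd-ssl-vhosts.conf" <<EOF
<VirtualHost 192.0.2.10:443>
    ServerName $host
    SSLEngine on
    Include $dir/ssl-wildcard.conf
    DocumentRoot /var/www/$host
</VirtualHost>

EOF
    done
    printf '%s\n' "$dir/httpd-ssl-vhosts.conf"
}

main() {
    work=$(mktemp -d)
    gen_wildcard_cert "$work"
    pem_to_der "$work/wildcard.crt" "$work/wildcard.der"
    der_to_pem "$work/wildcard.der" "$work/roundtrip.crt"
    if [ "$(fingerprint "$work/wildcard.crt" PEM)" != "$(fingerprint "$work/wildcard.der" DER)" ]; then
        echo "round trip changed the certificate" >&2; exit 1
    fi
    cn=$(cert_cn "$work/wildcard.crt")
    echo "certificate CN: $cn"
    for name in www.example.test mail.example.test example.test a.b.example.test; do
        report_servername "$cn" "$name"
    done
    cat "$(write_vhost_config "$work")"
    rm -rf "$work"
}
main "$@"
```

Run it as `sh wildcard-vhosts.sh`; it prints the CN, one match line per ServerName and the generated vhost configuration. Two things worth knowing before copying the pattern into production: the example cert only carries the name in the subject CN, whereas current browsers ignore CN and require the names (including the wildcard) in the subjectAltName extension, and the single-label rule in cn_matches is the reason a wildcard issued for *.example.test never covers the bare example.test or a deeper sub-subdomain.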
