Hi Issac, thanks for the info. I'll read the RFC carefully. Regarding mod_ssl, a quick look at the FAQ doesn't seem to prove it's supported: http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts Could you give more information about potential mod_ssl supporting name based vhosts? I suppose the FAQ could be out of date... Thanks, Olivier Olivier CHIROUZE I&0 Infrastructure Volvo Information Technology > -----Original Message----- > From: Issac Goldstand [mailto:margol@xxxxxxxxxxxxx] > Sent: 19 March 2007 11:15 > To: users@xxxxxxxxxxxxxxxx > Subject: Re: Request for Input: ApacheCon SSL Training > > Wildcard support shouldn't have to be official, because there *is* > name-based virtualhost support for SSL. It's well documented in RFC > 2817 and 2818 and according to the cipher list, is supported by most > recent versions of mod_ssl in Apache 2.x > > If you want to push "how to better allow for name-based SSL", it > shouldn't be to find more workarounds - it should be about how to get > the existing standards into more servers and browsers and > make their use > a standard practice. > > Just my $0.02, > Issac > > > Chirouze Olivier wrote: > > Hi, > > > > I'm sorry I always insist on wildcard certificates being > not officialy > > supported by Apache, but I think that's something to know > about. You can > > save a bunch of dollars a year with this trick ;-) > > > > Here's what I recently wrote for a doc, feel free to > correct me if I'm > > wrong: > > > > > -------------------------------------------------------------- > ---------- > > ------------------------------------ > > Name based virtual hosting is not officially compatible with HTTPS. > > > > The reason is: > > 1) the request received by Apache is encrypted: only the source and > > destination IP addresses can be read by Apache (it is in > the TCP header, > > not the encrypted HTTP request) > > 2) for this reason, when using name based virtual host, no virtual > > host can be associated with the HTTPS request > > 3) by default, the first SSLCertificateFile directive found is > > used: the first SSL certificate found is used > > > > However, if a single "wildcard" certificate is used by all > virtual hosts > > on the same IP, then: > > 4) the first certificate found is correct > > 5) the request can be decrypted > > 6) the server name can now be read and the right virtual host is > > found > > 7) the rest of the process is similar to normal HTTP > > > > A few consequences: > > - it only works because all the virtual hosts on the same IP use > > the same SSL certificate > > - because they are virtual hosts with different names (hence the > > "name based"), the certificate can only be a "wildcard" > certificate... > > - when using this "unsupported feature" it is very important to > > make it clear that the virtual hosts use the same certificate => for > > example, move the "SSLCertificateFile" directive in a file > and include > > it in all your virtual hosts. Then a change in this file > will clearly > > affect all your virtual hosts. > > > > Very logically, wildcard certificates aren't officially supported by > > Apache either. > > > > Apache, when starting up, compares the server name of the SSL > > certificate with the configuration (virtual host) server name. > > Thus, when using a wildcard certificate, you will get such > a warning at > > startup: > > > > [Fri Jul 21 13:40:10 2006] [warn] RSA server certificate > CommonName (CN) > > `*.myserver.com' does NOT match server name!? > > > > See: > > - > > > http://mail-archives.apache.org/mod_mbox/httpd-bugs/200512.mbo > x/%3C20051 > > 214183548.6B3CC184@xxxxxxxxxxxxxxx%3E > > - http://www.lists.aldigital.co.uk/apache-ssl/msg03957.html > > > > Reference: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts > > > > > -------------------------------------------------------------- > ---------- > > ------------------------------------ > > > > I'd be proud if I can help for ApacheCon ;-) > > > > Olivier > > > > Olivier CHIROUZE > > I&0 Infrastructure > > Volvo Information Technology > > > > > > > >> -----Original Message----- > >> From: Vincent Bray [mailto:noodlet@xxxxxxxxx] > >> Sent: 19 March 2007 10:09 > >> To: users@xxxxxxxxxxxxxxxx > >> Subject: Re: Request for Input: ApacheCon > SSL Training > >> > >> On 19/03/07, Sander Temme <sctemme@xxxxxxxxxx> wrote: > >> > >>> Dear list, > >>> > >>> As I prepare my training session title "Practical SSL > Implementation > >>> with Apache" for the upcoming ApacheCon EU conference, I > would like > >>> to take a moment and request your feedback. > >>> > >> #apache on freenode commonly sees quesions from people > confused by the > >> various certificate formats and by the openssl command (hardly > >> surprising considering its man page). Perhaps some coverage of the > >> difference between pem/der/crt/whatever, and maybe ways to > >> validate/convert those formats? > >> > >> I can't attend the conference but I hope it turns out well, > >> good luck :) > >> > >> -- > >> noodl > >> > >> > --------------------------------------------------------------------- > >> The official User-To-User support forum of the Apache HTTP > >> Server Project. > >> See <URL:http://httpd.apache.org/userslist.html> for more info. > >> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > >> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx > >> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > >> > >> > > > > > --------------------------------------------------------------------- > > The official User-To-User support forum of the Apache HTTP > Server Project. > > See <URL:http://httpd.apache.org/userslist.html> for more info. > > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx > > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > > > > > > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP > Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|