Re: VHOST and SSL


 



Hi Allen

What currently happens is the certificate error, and it points to the first vhost using SSL, and what I want to happen is no answer at all from port 443 on that vhost. So I think I will configure another IP just for SSL!

Thanks!


Allen Pulsifer wrote:
Hello Sebastien,

Short answer: the host running HTTPS must have a dedicated IP address.

Long answer: when a client connects to the server at port 443, the first
thing they will do is an SSL handshake.  This happens even before the client
sends its HTTPS request with the url and Host header.  Therefore, during
this handshake, the server has no idea what vhost the client wants to
connect to, and the server will send the only certificate it has for that IP
address.  The client will then report a certificate hostname mismatch error.
This again happens even before the client sends the HTTPS request.  If the
client attempts to continue with the connection and sends the HTTPS request
with the URL and Host header, what happens at that point is up to the
server.  What currently happens and what do you want to happen?

Allen

-----Original Message-----
From: Sebastien Roy [mailto:Apache@xxxxxxxxxxxx]
Sent: Thursday, June 07, 2007 3:41 PM
To: users@xxxxxxxxxxxxxxxx
Subject:  VHOST and SSL


Hi folks,

We are running Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8b DAV/2 PHP/5.1.4 and everything is working perfectly except one thing, and I'm sure it's a configuration problem. We have some domains that have an SSL certificate and some that do not. My problem is very simple: what am I doing wrong if every vhost works using https and uses the same certificate? What I need is that, for example, https://www.mydomain.com works with the mydomain.com certificate but https://www.myotherdom.com does not answer, because SSL is only applied to mydomain.com!

Right now every vhost is answering SSL requests. The config looks like this:

NameVirtualHost x.x.x.x:80
NameVirtualHost x.x.x.x:443

<VirtualHost x.x.x.x:443>
    ServerAdmin webmaster@xxxxxxxxxxxx
    ServerName www.mydomain.com
    DocumentRoot /services/mydomain.com
    CustomLog /services/www-logs/mydomain.com.log combined

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /opt/Apache/2.2.3/conf/www.mydomain.com.crt
SSLCertificateKeyFile /opt/Apache/2.2.3/conf/www.mydomain.com.key
SSLCACertificateFile /opt/Apache/2.2.3/conf/SSLCA.crt

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/opt/Apache/2.2.3/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost x.x.x.x:80>
        ServerAdmin webmaster@xxxxxxxxxxxxxxx
        ServerName www.otherdomain.com
        ServerAlias otherdomain.com
        DocumentRoot /services/otherdomain.com
        CustomLog /services/www-logs/otherdomain.com.log combined
</VirtualHost>


And my other question is how to replace

<VirtualHost x.x.x.x:80>
        ServerAdmin webmaster@xxxxxxxxxxxxxxx
        ServerName www.otherdomain.com
        ServerAlias otherdomain.com
        DocumentRoot /services/otherdomain.com
        CustomLog /services/www-logs/otherdomain.com.log combined
</VirtualHost>


with something like that:

<VirtualHost x.x.x.x:80>
        ServerAdmin webmaster@$0
        ServerName www.$0
        ServerAlias $0
        DocumentRoot /services/$0
        CustomLog /services/www-logs/$0.log combined
</VirtualHost>


Thanks


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
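
Added example, not part of the original thread: a configuration check built on Allen's explanation that the certificate is chosen by IP address and port before the Host header is seen. It lists the hostnames configured on an address that would be answered on HTTPS with another site's certificate; the function names and the sample configuration (modelled on the one posted, with a hypothetical y.y.y.y used in the test) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the configuration posted in this thread.
SAMPLE_CONF = """
NameVirtualHost x.x.x.x:80
NameVirtualHost x.x.x.x:443
<VirtualHost x.x.x.x:443>
    ServerName www.mydomain.com
    SSLEngine on
    SSLCertificateFile /opt/Apache/2.2.3/conf/www.mydomain.com.crt
</VirtualHost>
<VirtualHost x.x.x.x:80>
    ServerName www.otherdomain.com
    ServerAlias otherdomain.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^\s>:]+):(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.M | re.I)
SSL_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.M | re.I)


def parse_vhosts(conf):
    """Yield (ip, port, hostnames, ssl_enabled) for each <VirtualHost ip:port> block."""
    for ip, port, body in VHOST_RE.findall(conf):
        names = [n for line in NAME_RE.findall(body) for n in line.split()]
        yield ip, int(port), names, SSL_RE.search(body) is not None


def cert_mismatches(conf):
    """Map each SSL 'ip:port' to the hostnames on that IP its certificate does not name."""
    # Assumption: the certificate covers exactly the ServerName/ServerAlias values
    # of the first SSL vhost on that ip:port, the one whose certificate is sent.
    first_ssl = {}                   # (ip, port) -> names of the first SSL vhost there
    names_on_ip = defaultdict(list)  # ip -> every hostname configured on it, any port
    for ip, port, names, ssl in parse_vhosts(conf):
        if ssl:
            first_ssl.setdefault((ip, port), set(names))
        names_on_ip[ip] += [n for n in names if n not in names_on_ip[ip]]
    return {f"{ip}:{port}": [n for n in names_on_ip[ip] if n not in covered]
            for (ip, port), covered in first_ssl.items()}


if __name__ == "__main__":
    for listener, names in cert_mismatches(SAMPLE_CONF).items():
        for name in names:
            print(f"https://{name}/ reaches {listener} and is shown another site's certificate")
```

Moving the SSL vhost to its own address, as concluded in the thread, empties the list for that listener. The check does not model TLS Server Name Indication (SNI), which lets a server pick the certificate by hostname.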




