As a quick hack, I setup the normal vhost to have a certificate 1 (it has to have one defined to even start after all) then patch set_ssl_vhost() to load a different "ctx" certificate 2. I would leak context like crazy, but as a quick proof-of-concept it would tell me if it is feasible.
strcasecmp(servername, "www.example.com")) {
SSL_CTX *ctx;
int status;
found = TRUE;
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "example patch:
loading");
ctx = SSL_CTX_new(SSLv23_method());
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "new ctx %p", ctx);
status = SSL_CTX_use_certificate_file(ctx,
"/etc/certs/www.example.com.pem",
X509_FILETYPE_PEM);
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "loaded pem file %d",
status);
if ((ssl = ((SSLConnRec *)myConnConfig(c))->ssl) == NULL)
return 0;
if (!(sc = mySrvConfig(s)))
return 0;
sc->server->ssl_ctx = ctx;
SSL_set_SSL_CTX(ssl,sc->server->ssl_ctx);
SSL_CTX_set_app_data(ctx, s);
return 1;
}
The last few lines, I have tried a few combinations in my attempt to
make it work. I get the following output however:
[Tue Jan 29 12:23:38 2008] [error] Called set_ssl_vhost with 'www.example.jp'
[Tue Jan 29 12:23:38 2008] [error] example patch: loading [Tue Jan 29 12:23:38 2008] [error] new ctx [Tue Jan 29 12:23:38 2008] [error] loaded pem file 1[Tue Jan 29 12:23:38 2008] [error] Re-negotiation handshake failed: Not accepted by client!?
And Seamonkey says: "the site uses a security protocol that isn't enabled".Am I trying to patch it in too late in the game?, has it already sent part of the vhost certificate1 before the example.com certificate2?
If I create a vhost with example.com, and example.com.pem certificate2, as well as the default vhost, both certificates work and loads correctly. It is my hack that breaks things, I am not sure how much of apache's framework I need to conform to.
Jorgen Lundman wrote:
What is the state with TLS/SNI at the moment? We are exploring offering SSL certificates to users, and in a perfect world we would like to keep our httpd.conf free of provisioning.Apache 2.2.0 OpenSSL-0.9.8e At the moment, all users' vhosts are defined as: <VirtualHost *:80> VirtualDocumentRoot "/export/nfs/www/%-1/%-2.-1/%-2.-2/%-2+/"So a request for http://www.example.com/$path would translate as /export/nfs/www/com/e/l/www.example/$pathIf that directory exists it is served. What would be ideal is if a user had a certificate as: /export/nfs/www/com/e/l/www.example/.certificate Then SSL TLS/SNI would use it and "everything would just work". (Minus Safari, and Konquerer from our current tests) Possible right now ? Possible if I add a little code? Lundy
-- Jorgen Lundman | <lundman@xxxxxxxxxxx> Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work) Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell) Japan | +81 (0)3 -3375-1767 (home) --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|