On Sat, Nov 21, 2009 at 11:54 AM, Florent Georges <darkman_spam@xxxxxxxx> wrote:
> Hi,
>
> I have one server on which I run two virtual hosts, say site1
> and site2. They run very well for HTTP stuff for months. Site1
> has also HTTPS access configured. I am trying to add HTTPS
> support for site2 as well. So I created a new SSL certificate,
> and added a new file in sites-available/:
>
> cat /etc/apache2/sites-available/site1-https
> NameVirtualHost *:443
> <VirtualHost *:443>
>     Servername www.site1.com
>     SSLEngine on
>     SSLCertificateFile site.crt
>     SSLCertificateKeyFile site1.key
>     DocumentRoot /var/site1/htsdocs/
> </VirtualHost>
>
> cat /etc/apache2/sites-available/site2-https
> NameVirtualHost *:443
> <VirtualHost *:443>
>     Servername www.site2.com
>     SSLEngine on
>     SSLCertificateFile site2.crt
>     SSLCertificateKeyFile site2.key
>     DocumentRoot /var/site2/htsdocs/
> </VirtualHost>
>
> and enabled the second HTTPS web site with a2ensite.
>
> The problem is when I try to access site1 over HTTPS, it
> provides me the certificate for site2...
>
> I double-checked the documentation with my very low Apache
> skills, but did not find anything about that problem. Did I
> miss something?
>
> Regards,
>
> --
> Florent Georges
> [snip]

Only the latest Apache (2.2.14) and OpenSSL built with the tlsextensions options support this. It's called SNI (Server Name Identification), where the client can send the fully qualified domain name as part of the handshake process. Without this, the server has no way of knowing which vhost the client is looking for until the certificate has already been presented (because the Host: HTTP request header is part of the encrypted payload, which can't be sent until the client has the cert), so it can't choose SSL options (including the cert file) based on host name.

Also, not every client supports SNI, unfortunately. I think most modern browsers do, but notably MSIE before 7 or any version running on an OS earlier than Vista do not (if I'm remembering correctly). Those clients will always see the same cert no matter what name-based vhost they go to. It's a bummer, but a well-known limitation of SSL.

-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
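The reply above says the server must pick a certificate before it can see the (encrypted) Host: header, and that the only thing it can use is the server name the client puts in the TLS handshake. The following is an added illustration, not code from the thread or from Apache: it constructs a minimal ClientHello with and without the server_name extension, parses the name back out of the cleartext handshake bytes, and models the selection rule Apache documents for name-based vhosts (match the SNI name, otherwise fall back to the first vhost defined for that address:port). The vhost list, certificate file names and the all-zero client random are constructed for the example.

```python
import struct

# Constructed vhost table, in the order the server would load the two files
# from the thread (first entry is the default when no SNI name is present).
VHOSTS = [("www.site1.com", "site1.crt"), ("www.site2.com", "site2.crt")]


def build_client_hello(server_name=None):
    """Return a TLS record carrying a minimal ClientHello (constructed sample).

    With server_name=None the hello carries no extensions block at all, which is
    what a legacy (pre-SNI) client sends.
    """
    body = b"\x03\x01"                  # client_version: TLS 1.0
    body += b"\x00" * 32                # random (constructed: all zero)
    body += b"\x00"                     # session_id length 0
    suites = b"\x00\x2f\x00\x35"        # two RSA/AES cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                 # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type 0
        sn_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list  # server_name ext
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Pull the host_name out of a ClientHello record; None if the client sent no SNI.

    Everything parsed here is plaintext: it is read before any certificate is sent.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    i = 2 + 32                                   # skip version and random
    i += 1 + p[i]                                # session_id
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]  # cipher_suites
    i += 1 + p[i]                                # compression_methods
    if i >= len(p):
        return None                              # legacy hello: no extensions
    end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        i += 4
        edata = p[i:i + elen]
        i += elen
        if etype != 0x0000:
            continue
        j = 2                                    # skip server_name_list length
        while j + 3 <= len(edata):
            ntype = edata[j]
            nlen = struct.unpack("!H", edata[j + 1:j + 3])[0]
            j += 3
            if ntype == 0:
                return edata[j:j + nlen].decode("ascii")
            j += nlen
    return None


def select_certificate(client_hello, vhosts=VHOSTS):
    """Model of name-based vhost selection on one address:port.

    Matching SNI name -> that vhost's cert; no or unknown name -> first vhost.
    """
    name = extract_sni(client_hello)
    for server_name, cert in vhosts:
        if name == server_name:
            return cert
    return vhosts[0][1]


if __name__ == "__main__":
    for sni in ("www.site1.com", "www.site2.com", None):
        hello = build_client_hello(sni)
        print(f"SNI={sni!r:18} -> {select_certificate(hello)}")
```

Against a live server the same difference shows up with `openssl s_client -connect host:443 -servername www.site2.com` versus the same command without `-servername`: the second form is what a non-SNI client looks like, and it always receives the default vhost's certificate.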