On 14/05/10 23:08, Eric Covener wrote:
> On Fri, May 14, 2010 at 4:51 PM, Reinhard Vicinus <r.vicinus@xxxxxxxxxxx> wrote:
>> Hi, is the following behaviour of apache 2.2.15 (debian unstable) a feature or a bug?
>>
>> Listen 10.0.0.1:81
>> <VirtualHost 10.0.0.1:81>
>>     SSLEngine on
>>     SSLCertificateFile /etc/apache2/conf/aaa.crt
>>     SSLCertificateKeyFile /etc/apache2/conf/aaa.key
>>     ServerName aaa
>> </VirtualHost>
>>
>> Listen 10.0.0.2:81
>> <VirtualHost 10.0.0.2:81>
>>     SSLEngine on
>>     SSLCertificateFile /etc/apache2/conf/bbb.crt
>>     SSLCertificateKeyFile /etc/apache2/conf/bbb.key
>>     ServerName aaa
>> </VirtualHost>
>>
>> curl https://bbb:81
>> SSL: certificate subject name 'aaa' does not match target host name 'bbb'
>>
>> curl https://10.0.0.2:81
>> SSL: certificate subject name 'aaa' does not match target host name '10.0.0.2'
>>
>> If I remove or change the ServerName directive so that they differ, then it works as expected and certificate bbb is returned. If I switch the order of the virtual host configuration, certificate bbb is also used if I query 10.0.0.1:81.
>
> SNI finds the right name-based vhost based on the normal name-based mechanisms (ServerName/ServerAlias), then uses the cert it finds there -- it doesn't find the right vhost by looking at your certificates.

My problem is that SNI breaks my configuration, which worked in older Apache versions and looked like this:
Listen 10.137.1.104:9901
<VirtualHost 10.137.1.104:9901>
    SSLEngine on
    SSLCertificateFile /etc/apache2/conf/www.aaa.at.crt
    SSLCertificateKeyFile /etc/apache2/conf/www.aaa.at.key
    Include conf/www.aaa.misc
</VirtualHost>

Listen 10.137.1.104:9902
<VirtualHost 10.137.1.104:9902>
    SSLEngine on
    SSLCertificateFile /etc/apache2/conf/www.aaa.de.crt
    SSLCertificateKeyFile /etc/apache2/conf/www.aaa.de.key
    Include conf/www.aaa.misc
</VirtualHost>

Listen 10.137.1.104:9903
NameVirtualHost 10.137.1.104:9903
<VirtualHost 10.137.1.104:9903>
    Include conf/www.aaa.misc
</VirtualHost>

www.aaa.misc:
ServerName www.aaa.de
ServerAlias www.aaa.at

In my opinion SNI misuses the ServerName/ServerAlias directives, because the documentation clearly states: "Unless a NameVirtualHost directive is used for the exact IP address and port pair in the VirtualHost directive, Apache selects the best match only on the basis of the IP address (or wildcard) and port number." (http://httpd.apache.org/docs/2.2/vhosts/details.html) Therefore it's a bug.
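As an added illustration (not Apache code, and not written by either poster), the selection rule the quoted documentation describes, next to a model of the SNI lookup described in the reply, both run over the two configurations in this thread. The addresses, names and certificate labels are the thread's; the second selector only models the behaviour as described here, is not taken from mod_ssl, and does not try to explain the first configuration's result for a query without SNI.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VHost:
    addr: str             # address of the <VirtualHost ip:port> block
    server_name: str
    cert: str             # label of SSLCertificateFile (None: no SSLEngine)
    aliases: tuple = ()

    def matches(self, name):
        return name is not None and (name == self.server_name or name in self.aliases)

def cert_documented(vhosts, name_vhost_addrs, conn_addr, sni_name=None):
    """Rule from vhosts/details.html: candidates are the vhosts bound to the
    connection's ip:port; ServerName/ServerAlias are consulted only when that
    ip:port is declared in NameVirtualHost; otherwise the first candidate wins."""
    candidates = [v for v in vhosts if v.addr == conn_addr]
    if not candidates:
        return None
    if conn_addr in name_vhost_addrs:
        for v in candidates:
            if v.matches(sni_name):
                return v.cert
    return candidates[0].cert

def cert_sni_name_first(vhosts, name_vhost_addrs, conn_addr, sni_name=None):
    """Model of the SNI lookup as described in the reply: the SNI name is
    matched against ServerName/ServerAlias of every vhost in configuration
    order and that vhost's certificate is used; with no match, fall back to
    the documented rule. (A model of the described behaviour, not mod_ssl.)"""
    for v in vhosts:
        if v.matches(sni_name):
            return v.cert
    return cert_documented(vhosts, name_vhost_addrs, conn_addr, sni_name)

# Config 1 from the original report: two address-based vhosts, same ServerName.
CONFIG1 = [VHost("10.0.0.1:81", "aaa", "aaa.crt"),
           VHost("10.0.0.2:81", "aaa", "bbb.crt")]

# Config 2 from the reply: conf/www.aaa.misc gives all three the same names.
MISC = dict(server_name="www.aaa.de", aliases=("www.aaa.at",))
CONFIG2 = [VHost("10.137.1.104:9901", cert="www.aaa.at.crt", **MISC),
           VHost("10.137.1.104:9902", cert="www.aaa.de.crt", **MISC),
           VHost("10.137.1.104:9903", cert=None, **MISC)]
NAME_VHOSTS2 = {"10.137.1.104:9903"}

if __name__ == "__main__":
    # curl https://www.aaa.de:9902 sends SNI "www.aaa.de" to 10.137.1.104:9902
    print(cert_documented(CONFIG2, NAME_VHOSTS2, "10.137.1.104:9902", "www.aaa.de"),
          cert_sni_name_first(CONFIG2, NAME_VHOSTS2, "10.137.1.104:9902", "www.aaa.de"))
```

Under the documented rule the 9902 query gets www.aaa.de.crt; under the name-first lookup it gets www.aaa.at.crt, because the 9901 vhost is the first whose ServerName matches.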
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx