Re: SSL/SNI configuration oddity

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 08/06/2010 1:46 PM, Adkins, Marc wrote:
I'm trying to configure multiple named virtual hosts with SSL using SNI.
I believe that I'm running the latest versions of the software, and that
SNI is built into it (as the first line apparently demonstrates):

     [Tue Jun 08 05:19:42 2010] [warn]
         Init: Name-based SSL virtual hosts only work for clients
               with TLS server name indication support (RFC 4366)
     [Tue Jun 08 05:19:42 2010] [info]
         mod_ssl/2.2.14 compiled against
             Server: Apache/2.2.14,
             Library: OpenSSL/0.9.8k
     [Tue Jun 08 05:19:42 2010] [notice]
             Apache/2.2.14 (Ubuntu)
             mod_ssl/2.2.14
             OpenSSL/0.9.8k
             mod_perl/2.0.4
             Perl/v5.10.1
         configured -- resuming normal operations

The following doesn't work right:

     <VirtualHost *:80 *:443>
         ServerName          host.alpha.tld
         DocumentRoot        /var/www/htdocs/alpha

         SSLEngine               on
         SSLCertificateFile      ${WEB_CERT}/star.alpha.crt
         SSLCertificateKeyFile   ${WEB_CERT}/star.alpha.key
         SSLProtocol             all -SSLv2
         ...
     </VirtualHost>

     <VirtualHost *:80 *:443>
         ServerName          host.bravo.tld
         DocumentRoot        /var/www/htdocs/bravo

         SSLEngine               on
         SSLCertificateFile      ${WEB_CERT}/star.bravo.crt
         SSLCertificateKeyFile   ${WEB_CERT}/star.bravo.key
         SSLProtocol             all -SSLv2
         ...
     </VirtualHost>

It's kind of odd.  The HTTPS site will connect just fine.  The HTTP site
just returns my custom error page.  None of my trace statements in the
mod_perl handler fire for the original page, just for the error page.
So mod_perl isn't seeing it, whatever is happening is in the Apache core.

In addition, I get this:

     [Tue Jun 08 17:30:24 2010] [info]
         [client ###.###.###.###] Connection to child 5 established
             (server test.alpha.org:443)
     [Tue Jun 08 17:30:24 2010] [info]
         Seeding PRNG with 648 bytes of entropy
     [Tue Jun 08 17:30:24 2010] [info]
         [client 97.126.76.90] SSL handshake failed:
             HTTP spoken on HTTPS port; trying to send HTML error page
     [Tue Jun 08 17:30:24 2010] [info]
         SSL Library Error: 336027804
             error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:
             http request speaking HTTP to HTTPS port!?

which suggests that I'm connecting on port 443 using HTTP which failed.
But I'm not, I'm going to the HTTP site which should be on port 80.

I've tried this using Firefox 3.6, wget, and telnet to port 80.  It all
happens the same way.  So it isn't the client side, it's definitely in
the server (or its configuration).

When I turn SSLEngine from 'on' to 'optional' the HTTP site works and the
HTTPS site fails with message:

     SSL received a record that exceeded the maximum permissible length.

(not my custom error page).  In the Apache 2.2 documentation for mod_ssl
is stated:

     enables support for RFC 2817, Upgrading to TLS Within HTTP/1.1.
     At this time no web browsers support RFC 2817.

A little online searching suggests that Firefox does not.  I didn't
keep searching after that.

OK, after some trial and error, here's something that WORKS:

     <VirtualHost *:80>
         ServerName          host.alpha.tld:80
         DocumentRoot        /var/www/htdocs/alpha
         ...
     </VirtualHost>

     <VirtualHost *:443>
         ServerName          host.alpha.tld:443
         DocumentRoot        /var/www/htdocs/alpha

         SSLEngine               on
         SSLCertificateFile      ${WEB_CERT}/star.alpha.crt
         SSLCertificateKeyFile   ${WEB_CERT}/star.alpha.key
         SSLProtocol             all -SSLv2
         ...
     </VirtualHost>

Note that these are both the FIRST virtual host, with separate ports,
so there would be two more virtual host blocks.  In each case this means
duplication of the contents of the original virtual host so that there
are two nearly identical ones, which is unpleasant for maintenance.

I can't help thinking that what I want to do is not so weird and that
it should work.  Therefore I think I'm looking for some magic cookie
for the configuration file.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See<URL:http://httpd.apache.org/userslist.html>  for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


Marc,

You can't serve HTTP and HTTPS content from the same vhost.

You can use the Include directive to reduce clutter.

Frank.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux