On 08/06/2010 1:46 PM, Adkins, Marc wrote:
I'm trying to configure multiple named virtual hosts with SSL using SNI. I believe that I'm running the latest versions of the software, and that SNI is built into it (as the first line apparently demonstrates):

  [Tue Jun 08 05:19:42 2010] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
  [Tue Jun 08 05:19:42 2010] [info] mod_ssl/2.2.14 compiled against Server: Apache/2.2.14, Library: OpenSSL/0.9.8k
  [Tue Jun 08 05:19:42 2010] [notice] Apache/2.2.14 (Ubuntu) mod_ssl/2.2.14 OpenSSL/0.9.8k mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations

The following doesn't work right:

  <VirtualHost *:80 *:443>
    ServerName host.alpha.tld
    DocumentRoot /var/www/htdocs/alpha
    SSLEngine on
    SSLCertificateFile ${WEB_CERT}/star.alpha.crt
    SSLCertificateKeyFile ${WEB_CERT}/star.alpha.key
    SSLProtocol all -SSLv2
    ...
  </VirtualHost>

  <VirtualHost *:80 *:443>
    ServerName host.bravo.tld
    DocumentRoot /var/www/htdocs/bravo
    SSLEngine on
    SSLCertificateFile ${WEB_CERT}/star.bravo.crt
    SSLCertificateKeyFile ${WEB_CERT}/star.bravo.key
    SSLProtocol all -SSLv2
    ...
  </VirtualHost>

It's kind of odd. The HTTPS site will connect just fine. The HTTP site just returns my custom error page. None of my trace statements in the mod_perl handler fire for the original page, just for the error page. So mod_perl isn't seeing it; whatever is happening is in the Apache core. In addition, I get this:

  [Tue Jun 08 17:30:24 2010] [info] [client ###.###.###.###] Connection to child 5 established (server test.alpha.org:443)
  [Tue Jun 08 17:30:24 2010] [info] Seeding PRNG with 648 bytes of entropy
  [Tue Jun 08 17:30:24 2010] [info] [client 97.126.76.90] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
  [Tue Jun 08 17:30:24 2010] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO: http request speaking HTTP to HTTPS port!?
which suggests that I'm connecting on port 443 using HTTP, which failed. But I'm not; I'm going to the HTTP site, which should be on port 80. I've tried this using Firefox 3.6, wget, and telnet to port 80. It all happens the same way. So it isn't the client side; it's definitely in the server (or its configuration).

When I turn SSLEngine from 'on' to 'optional', the HTTP site works and the HTTPS site fails with the message "SSL received a record that exceeded the maximum permissible length." (not my custom error page). In the Apache 2.2 documentation for mod_ssl it is stated: "enables support for RFC 2817, Upgrading to TLS Within HTTP/1.1. At this time no web browsers support RFC 2817." A little online searching suggests that Firefox does not. I didn't keep searching after that.

OK, after some trial and error, here's something that WORKS:

  <VirtualHost *:80>
    ServerName host.alpha.tld:80
    DocumentRoot /var/www/htdocs/alpha
    ...
  </VirtualHost>

  <VirtualHost *:443>
    ServerName host.alpha.tld:443
    DocumentRoot /var/www/htdocs/alpha
    SSLEngine on
    SSLCertificateFile ${WEB_CERT}/star.alpha.crt
    SSLCertificateKeyFile ${WEB_CERT}/star.alpha.key
    SSLProtocol all -SSLv2
    ...
  </VirtualHost>

Note that these are both the FIRST virtual host, with separate ports, so there would be two more virtual host blocks. In each case this means duplication of the contents of the original virtual host, so that there are two nearly identical ones, which is unpleasant for maintenance. I can't help thinking that what I want to do is not so weird and that it should work. Therefore I think I'm looking for some magic cookie for the configuration file.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
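The mechanism behind those log lines, as an added example that is not part of the original post and is not Apache's own code: a small Python model of how a TLS-enabled listener decides what to do with a new connection. It builds a minimal TLS 1.0 ClientHello (one cipher suite, optional server_name extension per RFC 4366), extracts the SNI host from it, and picks a vhost the way mod_ssl does: the first vhost bound to the port is the default, a matching SNI name overrides it, and plaintext bytes on a listener whose first vhost has SSLEngine on produce the "HTTP spoken on HTTPS port" failure. The two vhost tables are constructed from the two configs quoted in the message (the one-vhost-per-two-ports form that fails, and the split form that works); the SSLEngine optional / RFC 2817 case is not modeled.

```python
"""Model of name-based TLS vhost dispatch (added example, not Apache code)."""
import struct

# Constructed vhost tables. "ssl" models SSLEngine on for that vhost.
# Listing both *:80 and *:443 on one vhost with SSLEngine on makes the
# port-80 listener expect TLS too, which is the failure in the thread.
BAD_CONFIG = [
    {"ports": (80, 443), "name": "host.alpha.tld", "ssl": True,  "cert": "star.alpha.crt"},
    {"ports": (80, 443), "name": "host.bravo.tld", "ssl": True,  "cert": "star.bravo.crt"},
]
GOOD_CONFIG = [
    {"ports": (80,),  "name": "host.alpha.tld", "ssl": False, "cert": None},
    {"ports": (443,), "name": "host.alpha.tld", "ssl": True,  "cert": "star.alpha.crt"},
    {"ports": (80,),  "name": "host.bravo.tld", "ssl": False, "cert": None},
    {"ports": (443,), "name": "host.bravo.tld", "ssl": True,  "cert": "star.bravo.crt"},
]


def build_client_hello(server_name=None):
    """Minimal TLS 1.0 ClientHello record; SNI extension (type 0) is optional."""
    ext = b""
    if server_name is not None:
        host = server_name.encode()
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # type host_name
        sni_list = struct.pack("!H", len(name_entry)) + name_entry
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"        # version, random, empty session id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"           # one cipher suite, null compression
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the server_name from a ClientHello, None if absent.
    Raises ValueError when the bytes are not a TLS handshake record at all
    (this is the condition mod_ssl reports as "HTTP spoken on HTTPS port")."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # handshake header, version, random
    sid_len = hs[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len
    comp_len = hs[p]; p += 1 + comp_len
    if p >= len(hs):
        return None                                  # no extensions block
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
        if etype == 0:                               # server_name: list len(2), type(1), len(2), name
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + name_len].decode()
        p += elen
    return None


def dispatch(config, port, first_bytes):
    """Choose the vhost for a connection on `port` from its first bytes.
    Returns ("ssl", name, cert), ("http", name, None) or ("error", message)."""
    cands = [v for v in config if port in v["ports"]]
    if not cands:
        return ("error", "no vhost on port %d" % port)
    default = cands[0]                               # first vhost on the port is the default
    if default["ssl"]:
        try:
            sni = parse_sni(first_bytes)
        except ValueError:
            return ("error", "HTTP spoken on HTTPS port")
        for v in cands:
            if sni is not None and v["name"] == sni:
                return ("ssl", v["name"], v["cert"])
        return ("ssl", default["name"], default["cert"])   # no/unknown SNI -> default vhost
    if first_bytes[:1] == b"\x16":
        return ("error", "TLS record on plain HTTP port")
    host = None                                      # plain HTTP: Host header picks the vhost
    for line in first_bytes.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().split(b":")[0].decode()
    for v in cands:
        if v["name"] == host:
            return ("http", v["name"], None)
    return ("http", default["name"], None)


if __name__ == "__main__":
    get = b"GET / HTTP/1.1\r\nHost: host.bravo.tld\r\n\r\n"
    print("bad  :80 ", dispatch(BAD_CONFIG, 80, get))
    print("bad  :443", dispatch(BAD_CONFIG, 443, build_client_hello("host.bravo.tld")))
    print("good :80 ", dispatch(GOOD_CONFIG, 80, get))
    print("good :443", dispatch(GOOD_CONFIG, 443, build_client_hello()))
```

The no-SNI branch is the one the [warn] line at startup is about: a client without server name indication always lands on the first vhost bound to *:443 and is shown that vhost's certificate, whatever Host header it sends afterwards.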
Marc,

You can't serve HTTP and HTTPS content from the same vhost. You can use the Include directive to reduce clutter.

Frank.
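What that Include layout looks like, as an added example that is not from the thread: one :80 and one :443 VirtualHost per site, each pulling the shared body from a per-site file so nothing is duplicated. ServerName, DocumentRoot, the ${WEB_CERT} paths and the certificate names are the ones from the original post; the /etc/apache2/vhost.d/ and sites-available/ filenames are assumptions. Apache 2.2 also needs NameVirtualHost *:80 and NameVirtualHost *:443 declared once (2.4 no longer has that directive), and -SSLv3 is added to the post's SSLProtocol line because SSLv3 should not be offered today.

```apache
# /etc/apache2/ports.conf (assumed location) -- 2.2 only; 2.4 drops NameVirtualHost
Listen 80
Listen 443
NameVirtualHost *:80
NameVirtualHost *:443

# /etc/apache2/vhost.d/alpha-common.conf (assumed filename): everything the
# two vhosts of one site share -- name, docroot, mod_perl handlers, logging.
ServerName   host.alpha.tld
DocumentRoot /var/www/htdocs/alpha
# ... <Directory>, <Location>, PerlHandler, CustomLog, etc.

# /etc/apache2/sites-available/alpha.conf (assumed filename)
<VirtualHost *:80>
    Include /etc/apache2/vhost.d/alpha-common.conf
</VirtualHost>

<VirtualHost *:443>
    Include /etc/apache2/vhost.d/alpha-common.conf
    SSLEngine on
    SSLCertificateFile    ${WEB_CERT}/star.alpha.crt
    SSLCertificateKeyFile ${WEB_CERT}/star.alpha.key
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>

# /etc/apache2/sites-available/bravo.conf (assumed filename): same shape, its
# own vhost.d/bravo-common.conf and star.bravo.* certificate.
<VirtualHost *:80>
    Include /etc/apache2/vhost.d/bravo-common.conf
</VirtualHost>

<VirtualHost *:443>
    Include /etc/apache2/vhost.d/bravo-common.conf
    SSLEngine on
    SSLCertificateFile    ${WEB_CERT}/star.bravo.crt
    SSLCertificateKeyFile ${WEB_CERT}/star.bravo.key
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
```

Verify the result with apachectl -S (it lists which vhost is the default for each port) and then check SNI selection from a client: openssl s_client -connect host.bravo.tld:443 -servername host.bravo.tld should show the star.bravo certificate, while omitting -servername shows the first *:443 vhost's certificate, which is the case the startup [warn] line describes.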