[Apache - SuSE 8.2 Pro] 2 different WWW virtual hosts, 2 different certs
Hello
I tried to start up 2 SSL virtual hosts (every virtual host has its own
cert) on the same machine with 1 IP. Apparently it looks fine...
The problem is:
when I connect to https://virtual1.domain.com/ the cert is for domain
virtual1.domain.com, but when I connect to https://virtual2.domain.com/
the cert is for domain virtual1.domain.com too.
Isn't it strange? Or maybe I made a mistake.
Here is a fragment of my /etc/httpd/httpd.conf:
-----------------------------------------------------------------------
NameVirtualHost xxx.xxx.xxx.xxx:443
<VirtualHost virtual1.domain.com:443>
DocumentRoot "/srv/www/virtual1/htdocs"
ServerName virtual1.domain.com
ServerAdmin root@domain.com
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/virtual1cert.pem
SSLCertificateKeyFile /etc/httpd/virtual1req.pem
SSLCACertificatePath /usr/share/ssl/misc/demoCA
SSLCACertificateFile /usr/share/ssl/misc/demoCA/cacert.pem
On Jul 7, Dominik Składanowski wrote:
I tried to start up 2 SSL virtual hosts (every virtual host has its own cert) on the same machine with 1 IP. Apparently it looks fine...
AFAIK this configuration is not possible, because vhost (http/1.1 ...) negotiation is AFTER the SSL handshake, and there is no way around this. You need two IP addresses to configure this properly.
Markus
-- 
Markus Gaugusch  markus@gaugusch.at  (ASCII Ribbon Campaign Against HTML Mail)
I tried to start up 2 SSL virtual hosts (every virtual host has its own cert) on the same machine with 1 IP. Apparently it looks fine...
AFAIK this configuration is not possible, because vhost (http/1.1 ...) negotiation is AFTER the SSL handshake, and there is no way around this. You need two IP addresses to configure this properly.
OK. I have 2 IPs (eth0, eth0:1). Both work.
When I connect to https://eth0.ip.address/ I get cert dedicated for
name.domain-eth0.com.
When I connect to https://eth0:1.ip.address/ I get cert dedicated for
name.domain-eth0:1.com.
Looks good.
But when I connect to https://name.domain-eth0:1.com/ I get pages which
should be for https://name.domain-eth0.com/ not for
https://name.domain-eth0:1.com/. Cert is for
https://name.domain-eth0.com/ too.
DNS records are OK.
/etc/httpd.conf (fragment)
------------------------------------------------------------------------
<VirtualHost eth0:1.ip.address:443>
DocumentRoot "/srv/www/domain-eth0:1"
ServerName name.domain-eth0:1.com
ServerAdmin dominik.skladanowski@ch.pw.edu.pl
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/domain-eth0:1cert.pem
SSLCertificateKeyFile /etc/httpd/domain-eth0:1req.pem
SSLCACertificatePath /usr/share/ssl/misc/demoCA
SSLCACertificateFile /usr/share/ssl/misc/demoCA/cacert.pem
On Mon, 07 Jul 2003 17:54:13 +0200, Dominik Składanowski wrote:
I tried to start up 2 SSL virtual hosts (every virtual host has its own cert) on the same machine with 1 IP. Apparently it looks fine...
AFAIK this configuration is not possible, because vhost (http/1.1 ...) negotiation is AFTER the SSL handshake, and there is no way around this. You need two IP addresses to configure this properly.
OK. I have 2 IPs (eth0, eth0:1). Both work.
When I connect to https://eth0.ip.address/ I get cert dedicated for name.domain-eth0.com.
When I connect to https://eth0:1.ip.address/ I get cert dedicated for name.domain-eth0:1.com.
Looks good.
But when I connect to https://name.domain-eth0:1.com/ I get pages which should be for https://name.domain-eth0.com/ not for https://name.domain-eth0:1.com/. The cert is for https://name.domain-eth0.com/ too.
DNS records are OK.
AFAIK virtual hosting isn't possible with SSL.
Regards,
Ulf
-- 
Ulf Hofemeier, SuSE Linux AG, Geschäftsstelle Rhein-Ruhr, Marie-Curie-Str. 11-17, 53757 St. Augustin
Mail: ulf.hofemeier@suse.de  Phone: 02241 - 929 17 - 25  Fax: 02241 - 31 45 99
AFAIK virtual hosting isn't possible with SSL.
Is correct. Think about it:
1) Open a socket.
2) Negotiate SSL over the socket.
3) Send the first HTTP GET/POST over SSL.
During step two the server simply does not know what virtual domain might later be requested in step 3. So you must tie certificates to sockets; either IPs or ports.
Peter
Peter van den Heuvel wrote:
AFAIK virtual hosting isn't possible with SSL.
Is correct. Think about it:
1) Open a socket.
2) Negotiate SSL over the socket.
3) Send the first HTTP GET/POST over SSL.
During step two the server simply does not know what virtual domain might later be requested in step 3. So you must tie certificates to sockets; either IPs or ports.
Sorry, it is possible. Tying a cert to an IP doesn't make it impossible. Apache can handle IP-based virtual domains, and can listen on different ports for multiple IP addresses. Linux can easily handle multiple IP addresses on the same NIC. QED, it's possible to host multiple SSL virtual domains on a single Apache daemon, as long as each host has its own unique IP address. I'm doing it!
Cheers, Laurie.
-- 
Laurie Brown  laurie@brownowl.com
Ulf Hofemeier wrote: [SNIP]
AFAIK virtual hosting isn't possible with SSL.
Yes it is, because I'm doing it. You do need a separate IP address per cert/host pair, and to be fair, setting it up isn't trivial.
http://httpd.apache.org/docs/vhosts/name-based.html
"Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol."
Cheers, Laurie.
-- 
Laurie Brown  laurie@brownowl.com
Hi,
AFAIK virtual hosting isn't possible with SSL.
Yes it is, because I'm doing it. You do need a separate IP address per cert/host pair, and to be fair, setting it up isn't trivial.
http://httpd.apache.org/docs/vhosts/name-based.html
"Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol."
To be precise: SSL looks up the IP address, connects to it and exchanges certs first. Encryption is done before the "GET" request, so name resolution is not possible for Apache at this time; it has to choose the config by IP and port. You may specify different ports for each SSL virtual host as well, instead of using IPs (in most cases they cost money :-), i.e.
<VirtualHost eth0.ip.address:443>
... certs for host 1
</VirtualHost>
<VirtualHost eth0.ip.address:4443>
... certs for host 2
</VirtualHost>
<VirtualHost eth0.ip.address:44443>
... certs for host 3
</VirtualHost>
and using correct links in your html, this works fine for me.
Ciao,
Dieter
-- 
Dieter Kirchner, Systemadministration BUPNET, D-Goettingen, +49 551 54707 62, http://www.bupnet.de
Hello
I tried to start up 2 SSL virtual hosts (every virtual host has its own cert) on the same machine with 1 IP. Apparently it looks fine...
AFAIK this configuration is not possible, because vhost (http/1.1 ...) negotiation is AFTER the SSL handshake, and there is no way around this. You need two IP addresses to configure this properly.
OK. I have 2 IPs (eth0, eth0:1). Both work.
When I connect to https://eth0.ip.address/ I get cert dedicated for name.domain-eth0.com.
When I connect to https://eth0:1.ip.address/ I get cert dedicated for name.domain-eth0:1.com.
Looks good.
But when I connect to https://name.domain-eth0:1.com/ I get pages which should be for https://name.domain-eth0.com/ not for https://name.domain-eth0:1.com/. The cert is for https://name.domain-eth0.com/ too.
DNS records are OK.
I don't know how, but when I came to work today it started to work :) The config below is OK.
/etc/httpd.conf (fragment)
------------------------------------------------------------------------
<VirtualHost eth0:1.ip.address:443>
DocumentRoot "/srv/www/domain-eth0:1"
ServerName name.domain-eth0:1.com
ServerAdmin dominik.skladanowski@ch.pw.edu.pl
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
# stock mod_ssl default string of the time; note that it still admits eNULL, EXP, LOW and SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/domain-eth0:1cert.pem
SSLCertificateKeyFile /etc/httpd/domain-eth0:1req.pem
SSLCACertificatePath /usr/share/ssl/misc/demoCA
SSLCACertificateFile /usr/share/ssl/misc/demoCA/cacert.pem
# The opening <Files ...> and <Directory ...> lines did not survive the archive;
# the arguments below are the stock mod_ssl template values (assumed).
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/srv/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost eth0.ip.address:443>
DocumentRoot "/srv/www/domain-eth0"
ServerName name.domain-eth0.com
ServerAdmin dominik.skladanowski@ch.pw.edu.pl
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/domain-eth0cert.pem
SSLCertificateKeyFile /etc/httpd/domain-eth0req.pem
SSLCACertificatePath /usr/share/ssl/misc/demoCA
SSLCACertificateFile /usr/share/ssl/misc/demoCA/cacert.pem
# Opening <Files ...> and <Directory ...> lines lost in the archive as above; stock values assumed.
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/srv/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
------------------------------------------------------------------------
Thanks
-- 
Dominik Skladanowski
Dominik Składanowski wrote:
Hello
I tried to start up 2 SSL virtual hosts (every virtual host has its own cert) on the same machine with 1 IP. Apparently it looks fine...
The problem is: when I connect to https://virtual1.domain.com/ the cert is for domain virtual1.domain.com, but when I connect to https://virtual2.domain.com/ the cert is for domain virtual1.domain.com too.
Isn't it strange? Or maybe I made a mistake.
[SNIP]
If you want separate/individual certs per virtual host, you need multiple IPs, one per certified host. It's as simple as that.
Cheers, Laurie.
-- 
Laurie Brown  laurie@brownowl.com
participants (6)
- Dieter Kirchner
- Dominik Składanowski
- Laurie Brown
- Markus Gaugusch
- Peter van den Heuvel
- Ulf Hofemeier