Mailinglist Archive: opensuse-security (359 mails)

Re: [suse-security] [Apache - SuSE 8.2 Pro] 2 different WWW virtual hosts, 2 different certs
  • From: Dominik Skladanowski <dominik.skladanowski@xxxxxxxxxxxx>
  • Date: Tue, 08 Jul 2003 13:55:46 +0200
  • Message-id: <3F0AB142.6030901@xxxxxxxxxxxx>
Hello

I tried to start up 2 SSL virtual hosts (every virtual host has its own
cert) on the same machine with 1 IP. Apparently it looks fine...


AFAIK this configuration is not possible, because vhost (http/1.1 ...)
negotiation is AFTER SSL handshake, and there is no way around this.
You need two ip addresses to configure this properly.


OK. I have 2 IPs (eth0 eth0:1). Both work.

When I connect to https://eth0.ip.address/ I get cert dedicated for name.domain-eth0.com.

When I connect to https://eth0:1.ip.address/ I get cert dedicated for name.domain-eth0:1.com.

Looks good.

But when I connect to https://name.domain-eth0:1.com/ I get pages which should be for https://name.domain-eth0.com/, not for https://name.domain-eth0:1.com/. Cert is for https://name.domain-eth0.com/ too.

DNS records are OK.

I don't know how, but when I came to work today - it started to work :)
The config below is OK.

/etc/httpd.conf (fragment)
------------------------------------------------------------------------
<VirtualHost eth0:1.ip.address:443>

DocumentRoot "/srv/www/domain-eth0:1"
ServerName name.domain-eth0:1.com
ServerAdmin dominik.skladanowski@xxxxxxxxxxxx
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/httpd/domain-eth0:1cert.pem

SSLCertificateKeyFile /etc/httpd/domain-eth0:1req.pem

SSLCACertificatePath /usr/share/ssl/misc/demoCA
SSLCACertificateFile /usr/share/ssl/misc/demoCA/cacert.pem

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/srv/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

<VirtualHost eth0.ip.address:443>

DocumentRoot "/srv/www/domain-eth0"
ServerName name.domain-eth0.com
ServerAdmin dominik.skladanowski@xxxxxxxxxxxx
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/httpd/domain-eth0cert.pem

SSLCertificateKeyFile /etc/httpd/domain-eth0req.pem

SSLCACertificatePath /usr/share/ssl/misc/demoCA
SSLCACertificateFile /usr/share/ssl/misc/demoCA/cacert.pem

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/srv/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
------------------------------------------------------------------------

--
++++++++++++++++++++++++++++++++++++++++++

Dominik Skladanowski

++++++++++++++++++++++++++++++++++++++++++
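
Added example (not part of the original message): a small config check for the constraint discussed in this thread, namely that the certificate is chosen during the SSL handshake, before the requested host name is known, so SSL vhosts sharing one address:port cannot each present their own cert. The sample config, the example.com names, the 192.0.2.x addresses and the function names are constructed for illustration; address tokens are compared literally.

```python
import re

# Constructed sample config; the addresses are documentation placeholders.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
ServerName a.example.com
SSLEngine on
SSLCertificateFile /etc/httpd/a-cert.pem
</VirtualHost>
<VirtualHost 192.0.2.11:443>
ServerName b.example.com
SSLEngine on
SSLCertificateFile /etc/httpd/b-cert.pem
</VirtualHost>
<VirtualHost 192.0.2.11:443>
ServerName c.example.com
SSLEngine on
SSLCertificateFile /etc/httpd/c-cert.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def parse_ssl_vhosts(conf):
    """Return (address, ServerName, certificate file) for each vhost with SSLEngine on."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            # Skip comments, nested section tags and bare words.
            if len(parts) == 2 and parts[0][0] not in "#<":
                directives.setdefault(parts[0].lower(), parts[1].strip().strip('"'))
        if directives.get("sslengine", "").lower() == "on":
            vhosts.append((addr, directives.get("servername"),
                           directives.get("sslcertificatefile")))
    return vhosts

def shadowed_vhosts(conf):
    """List (ServerName, address, first vhost's ServerName) for every SSL vhost that
    shares an address:port with an earlier one but names a different certificate."""
    first, shadowed = {}, []
    for addr, name, cert in parse_ssl_vhosts(conf):
        if addr not in first:
            first[addr] = (name, cert)
        elif cert != first[addr][1]:
            shadowed.append((name, addr, first[addr][0]))
    return shadowed
```

An empty result from shadowed_vhosts() means every SSL vhost has its own address:port, as in the two-IP config above.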

