RE: 2 VirtualHosts with 2 Certificates

2003-01-09 Thread Irving Carrion
Everyone knows this question will not stop coming... is it possible to
return an error message to the user when restarting apache?  Only a
suggestion  =)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of James Barwick
Sent: Wednesday, January 08, 2003 4:30 PM
To: [EMAIL PROTECTED]
Subject: Re: 2 VirtualHosts with 2 Certificates

Should have read the MOST FREQUENTLY ASKED FREQUENTLY ASKED QUESTIONS!!!

Can't do that.  Learn a little more about SSL.  It's IP based, not name
based.  So, you can only have one certificate and one virtual host on
92.35.28.17:443.  Sorry...but that's the way it goes.

Same question answer number four billion six hundred seventeen million
two hundred thirty-four thousand nine hundred twenty-four!

;)

JDB

toxshark wrote:

> I have Apache configured with 2 VirtualHosts on port 443.
>
> Both VirtualServers have separate CertificateFiles and
> CertificateKeyFiles.
>
> But now if I connect to VirtualHost2, the host has the
> certificate from VirtualServer1!
>
> Both hosts now have the same certificate.
>
> my httpd.config:
>
> ...
> NameVirtualHost 92.35.28.17:443
>
> <VirtualHost 92.35.28.17:443>
> ServerName domain1.com
> ServerAlias www.domain1.com
> DocumentRoot /web1/
> SSLEngine on
> SSLCertificateFile /usr/local/etc/apache/key/ssl1.cert
> SSLCertificateKeyFile /usr/local/etc/apache/key/ssl1.key
> </VirtualHost>
>
> <VirtualHost 92.35.28.17:443>
> ServerName domain2.com
> ServerAlias www.domain2.com
> DocumentRoot /web2/
> SSLEngine on
> SSLCertificateFile /usr/local/etc/apache/key/ssl2.cert
> SSLCertificateKeyFile /usr/local/etc/apache/key/ssl2.key
> </VirtualHost>
> ...



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]




RE: 2 VirtualHosts with 2 Certificates

2003-01-09 Thread Boyle Owen
-Original Message-
From: Irving Carrion [mailto:[EMAIL PROTECTED]]
Sent: Donnerstag, 9. Januar 2003 15:42
To: [EMAIL PROTECTED]
Subject: RE: 2 VirtualHosts with 2 Certificates


> Everyone knows this question will not stop coming... is it possible to
> return an error message to the user when restarting apache?

The trouble is that it is not really an error.

- mod_ssl asks apache for the certificate pertaining to the virtual host
defined by the request's TCP/IP attributes (IP and port).
- Apache uses its standard ruleset (namely: if you have several VHs on
the same IP/port, use the first one) to get the cert.
- mod_ssl receives the cert and happily does the SSL negotiation.

There is nothing illegal in a config which attempts NBVH with SSL VHs so
it is difficult to spot the error. 

> Only a
> suggestion  =)

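The selection rule described in the reply above (first virtual host on an IP/port supplies the certificate) can be checked against a configuration before a restart. This Python check is an added example, not part of the thread or of mod_ssl; `parse_vhosts` and `shadowed_ssl_vhosts` are hypothetical names, the sample configuration is constructed from the one quoted in the thread, and `Include` files and wildcard addresses are assumed absent.

```python
import re

# Constructed sample mirroring the configuration quoted in the thread.
SAMPLE_CONF = """\
<VirtualHost 92.35.28.17:443>
  ServerName domain1.com
  SSLEngine on
  SSLCertificateFile /usr/local/etc/apache/key/ssl1.cert
</VirtualHost>
<VirtualHost 92.35.28.17:443>
  ServerName domain2.com
  SSLEngine on
  SSLCertificateFile /usr/local/etc/apache/key/ssl2.cert
</VirtualHost>
"""

# Directive name (lower case) -> key in the per-vhost record.
FIELDS = {"servername": "name", "sslengine": "ssl", "sslcertificatefile": "cert"}

def parse_vhosts(conf_text):
    """Return one record per <VirtualHost> block, in file order."""
    vhosts, cur = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            cur = {"addrs": opened.group(1).split(), "name": None, "ssl": "off", "cert": None}
        elif line.lower().startswith("</virtualhost"):
            vhosts.extend([cur] if cur else [])
            cur = None
        elif cur is not None:
            parts = line.split(None, 1)
            field = FIELDS.get(parts[0].lower())
            if field and len(parts) == 2:
                cur[field] = parts[1].strip()
    return vhosts

def shadowed_ssl_vhosts(conf_text):
    """Find SSL vhosts whose cert differs from the first SSL vhost on the same IP:port."""
    first, findings = {}, []
    for vh in parse_vhosts(conf_text):
        if vh["ssl"].lower() != "on":
            continue
        for addr in vh["addrs"]:
            winner = first.setdefault(addr, vh)  # the first vhost listed owns the address
            if winner is not vh and winner["cert"] != vh["cert"]:
                findings.append((addr, winner["name"], vh["name"], vh["cert"]))
    return findings
```

Each finding names the address, the virtual host whose certificate is presented, and the later virtual host whose certificate is never used. Clients and servers that support TLS Server Name Indication can select the virtual host by name, in which case a finding is not necessarily a misconfiguration.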



Use TLS 1.0 needed in Internet Explorer

2003-01-09 Thread John Pollard
I have set up my web site (www.meierpollard.co.uk) with an InstantSSL 
security certificate referenced in httpd.conf. When using Netscape 
Navigator it can be viewed through a secure connection without complaint 
and the certificate chain can be viewed.

When using IE (6) however the certificate authority can not be verified and 
when I view the details I can see the chain has not been resolved. However, 
by selecting Use TLS 1.0 in the Advanced preferences I can get it to work.

Why would my web site be demanding use of TLS when by default IE doesn't 
use it?

Thanks,
John



Re: building shared libraries with OpenSSL

2003-01-09 Thread Cliff Woolley
On Thu, 9 Jan 2003, Tai Do wrote:

> I'm trying to get Apache2 working on Solaris 8.  I have the following error
> and saw that your answer on the mailing list works.  I was wondering if you
> can help me out with it because I'm not too sure what to do.
>
> Syntax error on line 234 of /usr/local/apache2/conf/httpd.conf:
>
> Cannot load /usr/local/apache2/modules/mod_ssl.so into server: ld.so.1:
> /usr/local/apache2/bin/httpd: fatal: relocation error: file
> /usr/local/apache2/modules/mod_ssl.so: symbol X509_INFO_free: referenced
> symbol not found.
>
> Here is the answer you posted:
>
> Yes, it's a fairly frequently asked question.  The problem is that
> you've built a shared mod_ssl against a static OpenSSL (ie, libssl.a
> and libcrypto.a instead of .so).  That won't work because the way the
> build system currently works, OpenSSL is linked into httpd, not
> mod_ssl.  httpd doesn't need the symbols from the OpenSSL libraries, so
> the static linker throws them away, meaning they're no longer available
> when mod_ssl is dynamically linked at runtime.
>
> Solution: use a shared OpenSSL.
>
> I was wondering how I use a shared OpenSSL.  I was wondering if you can
> point me to where I can find steps to do this or show me how.


I'm CC:'ing this to the modssl-users list, since I'm sure somebody else
out there probably has the same question.

It's kind of annoying, because the shared library support in OpenSSL is
experimental, which in practice just means that the Makefile is
non-intuitive.  I just ran through it again to make sure I got all the
steps right... here's what you do.

I'm going to assume that you have the static version of OpenSSL installed
in /usr/local/lib in this example... just fix the path to match where
OpenSSL gets installed on your machine.

So let's say you've installed OpenSSL previously, but it's the static
version, so you have /usr/local/lib/libssl.a and
/usr/local/lib/libcrypto.a .  Remove those.

Go back to the OpenSSL source directory and do the following:

./config
make
make build-shared
mv libssl.so* /usr/local/lib
mv libcrypto.so* /usr/local/lib
ldconfig

(note: do NOT run make install, or it will remove all your shared
libraries and install the static ones, and you'll have to start over
again.  :-)

That ought to do it.  I recommend doing a search on your filesystem for
other, older copies of libssl* and libcrypto* that might be hanging
around, as sometimes copies get put in strange places and you want to be
sure to only have one: the most recent.

Hope that helps...

--Cliff
