Re: Apache sends wrong certificate

2006-05-31 Thread Frank van Beek

Hi Cliff,

Cliff Woolley wrote:

You're doing IP-based virtual hosting, not name-based virtual hosting.
(You only have one virtual host per IP/port combination.)  Thus you 
don't need NameVirtualHost.  If you scroll down in the page you gave, 
you'll see an example of IP-based virtual hosting, and note that it does 
*not* include any NameVirtualHost directives.


Hope this helps,


Thanks for the explanation. I *think* I understand the difference now. :)

The next time we add a new IP-address I'll check if Apache ignores 
invalid DNS PTR records if I remove the NameVirtualHost. This might take 
a while though before this happens.


I'll report my findings back to this list for documentation purposes.


Met groet,

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone:  +31 (0)20 672 2308
Fax:    +31 (0)20 672 2488

http://www.waxtrapp.com
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: Apache sends wrong certificate

2006-05-30 Thread Frank van Beek

Hi Ron,

R. DuFresne wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I'm sure this has been answered, but in case it has not;

You can not virtualize https to more than one hostsite, you have to have 
real IP addresses for https.


Thanks for your reply.

I understand your confusion. In my post I masked out the first two 
numbers of the IP-addresses.


But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned 
out (see a previous post), our problem was caused by a misconfigured 
reverse DNS.


Frank.

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone:  +31 (0)20 672 2308
Fax:    +31 (0)20 672 2488

http://www.waxtrapp.com


Thanks,

Ron DuFresne

On Wed, 24 May 2006, Frank van Beek wrote:


Hi all,

This morning we migrated 4 of our websites to a new server. Each of 
these websites uses a certificate for https connections. We've got 
only one Apache instance running with 4 virtual hosts on 4 different 
IP-addresses.


This worked fine on the old server. But since the move this morning 
Apache sends the certificate for the first VirtualHost to all 4 
IP-addresses. Two of these sites need an additional 
SSLCertificateChainFile, and this file is sent *correctly* depending 
on the IP-address. So Apache does see 4 different VirtualHosts, but 
somehow ignores the individual SSLCertificateFiles.


Here is the relevant part of httpd.conf for these 4 hosts:

-
   Listen xxx.xxx.198.62:443
   NameVirtualHost xxx.xxx.198.62:443

   <VirtualHost xxx.xxx.198.62:443>
       SSLEngine On
       SSLCertificateChainFile  chain1
       SSLCertificateFile       crt1
       SSLCertificateKeyFile    key1
   </VirtualHost>

   Listen xxx.xxx.198.61:443
   NameVirtualHost xxx.xxx.198.61:443

   <VirtualHost xxx.xxx.198.61:443>
       SSLEngine On
       SSLCertificateChainFile  chain2
       SSLCertificateFile       crt2
       SSLCertificateKeyFile    key2
   </VirtualHost>

   Listen xxx.xxx.198.63:443
   NameVirtualHost xxx.xxx.198.63:443

   <VirtualHost xxx.xxx.198.63:443>
       SSLEngine On
       SSLCertificateFile       crt3
       SSLCertificateKeyFile    key3
   </VirtualHost>

   Listen xxx.xxx.198.64:443
   NameVirtualHost xxx.xxx.198.64:443

   <VirtualHost xxx.xxx.198.64:443>
       SSLEngine On
       SSLCertificateFile       crt4
       SSLCertificateKeyFile    key4
   </VirtualHost>
-

The old server is still up and running. I've upgraded Apache on that 
system to the same version (2.0.58) and copied httpd.conf to that 
machine. The above configuration somehow works correctly there.


I've been trying to debug this using openssl s_client -state 
-connect and I do see some relevant differences, but I've been unable 
to interpret them.


I know this report lacks a lot of possibly relevant details. But I 
didn't want to send the whole httpd.conf and all of the terminal 
output to this list.


Is there an obvious mistake in my configuration? Or have I stumbled on 
a bug in Apache 2.0.58?


Met groet,

Frank.



- -- ~~
admin  senior security consultant:  sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins Still Life With Woodpecker
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEe4tVst+vzJSwZikRAq+sAJ4mHff+nYpHLXBgfoQdFIYVBMRhYgCgw29G
ZcxkcdgHNKCofvRN3Hc5miA=
=BwdU
-END PGP SIGNATURE-





Re: Apache sends wrong certificate

2006-05-30 Thread Cliff Woolley
On 5/30/06, Frank van Beek [EMAIL PROTECTED] wrote:
I understand your confusion. In my post I masked out the first two
numbers of the IP-addresses.

But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned
out (see a previous post), our problem was caused by a misconfigured
reverse DNS.
I'm glad you figured it out, but it's still a little bit unclear to me why the DNS should have had any effect.

The NameVirtualHost directives in the config snippet you posted are
extraneous and should be removed. I wonder if you'd gotten rid of
those if the problem would have gone away regardless of DNS.

Hmm...

--Cliff



Re: Apache sends wrong certificate

2006-05-30 Thread Frank van Beek

Hey Cliff,

Cliff Woolley wrote:


On 5/30/06, *Frank van Beek* wrote:

I understand your confusion. In my post I masked out the first two
numbers of the IP-addresses.
But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned
out (see a previous post), our problem was caused by a misconfigured
reverse DNS.



I'm glad you figured it out, but it's still a little bit unclear to me 
why the DNS should have had any effect.


The NameVirtualHost directives in the config snippet you posted are 
extraneous and should be removed.  I wonder if you'd gotten rid of those 
if the problem would have gone away regardless of DNS.


I checked a couple of pages on VirtualHosts in the Apache documentation. 
As far as I can see in the examples in most of them there is a 
NameVirtualHost for every VirtualHost, even when it's running on a 
different port.


See the examples here:

  http://httpd.apache.org/docs/2.0/vhosts/examples.html

I don't know enough about Apache configuration to know when you need 
both, so could you please explain to me why in our configuration the 
NameVirtualHost directives are extraneous?



Met groet,

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone:  +31 (0)20 672 2308
Fax:    +31 (0)20 672 2488

http://www.waxtrapp.com


Re: Apache sends wrong certificate

2006-05-30 Thread Cliff Woolley
On 5/30/06, Frank van Beek [EMAIL PROTECTED] wrote:
I checked a couple of pages on VirtualHosts in the Apache documentation.
As far as I can see in the examples in most of them there is a
NameVirtualHost for every VirtualHost, even when it's running on a
different port.

See the examples here:

  http://httpd.apache.org/docs/2.0/vhosts/examples.html

All of the examples on that page that use NameVirtualHost are actually
*doing* name-based virtual hosting, which is where you have multiple
virtual hosts with the same IP/port combination (thus the only thing that
distinguishes them is their name, as given in the Host: HTTP header).

You're doing IP-based virtual hosting, not name-based virtual hosting.
(You only have one virtual host per IP/port combination.) Thus you don't
need NameVirtualHost. If you scroll down in the page you gave, you'll see
an example of IP-based virtual hosting, and note that it does *not*
include any NameVirtualHost directives.

Hope this helps,

--Cliff
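Cliff's distinction between IP-based and name-based hosting can be checked mechanically. What follows is an added example, not code from this thread or from the Apache project: a small lint over the vhost section of httpd.conf that flags a NameVirtualHost whose address carries only one VirtualHost, several SSL-enabled vhosts sharing one IP:port (a socket can present only one certificate, and mod_ssl in Apache 2.0 has no SNI), an SSL vhost missing its SSLCertificateFile or SSLCertificateKeyFile, and a vhost without ServerName (httpd then derives the name by a reverse lookup of the address, which is how a bad PTR record gets a say). SAMPLE_CONF is constructed from the masked snippet in the original post with the angle brackets restored; SHARED_ADDR_CONF and its hostnames are made up for contrast.

```python
"""Lint an httpd.conf vhost section for the pitfalls this thread discusses:
NameVirtualHost on an address with a single vhost, SSL vhosts sharing an
IP:port, SSL vhosts without cert/key, vhosts without ServerName.
Added example, not Apache's own code."""
import re
from collections import defaultdict

# Constructed input: the four vhosts from the original post, angle brackets
# the archive stripped restored.  Addresses are the post's masked ones.
SAMPLE_CONF = """
Listen xxx.xxx.198.62:443
NameVirtualHost xxx.xxx.198.62:443
<VirtualHost xxx.xxx.198.62:443>
    SSLEngine On
    SSLCertificateChainFile chain1
    SSLCertificateFile      crt1
    SSLCertificateKeyFile   key1
</VirtualHost>
Listen xxx.xxx.198.61:443
NameVirtualHost xxx.xxx.198.61:443
<VirtualHost xxx.xxx.198.61:443>
    SSLEngine On
    SSLCertificateChainFile chain2
    SSLCertificateFile      crt2
    SSLCertificateKeyFile   key2
</VirtualHost>
Listen xxx.xxx.198.63:443
NameVirtualHost xxx.xxx.198.63:443
<VirtualHost xxx.xxx.198.63:443>
    SSLEngine On
    SSLCertificateFile      crt3
    SSLCertificateKeyFile   key3
</VirtualHost>
Listen xxx.xxx.198.64:443
NameVirtualHost xxx.xxx.198.64:443
<VirtualHost xxx.xxx.198.64:443>
    SSLEngine On
    SSLCertificateFile      crt4
    SSLCertificateKeyFile   key4
</VirtualHost>
"""

# Constructed counter-example (hostnames made up): two SSL vhosts on one
# socket.  NameVirtualHost is right here, but only one cert can be served.
SHARED_ADDR_CONF = """
NameVirtualHost xxx.xxx.198.62:443
<VirtualHost xxx.xxx.198.62:443>
    ServerName www.example.com
    SSLEngine On
    SSLCertificateFile crt1
    SSLCertificateKeyFile key1
</VirtualHost>
<VirtualHost xxx.xxx.198.62:443>
    ServerName shop.example.com
    SSLEngine On
    SSLCertificateFile crt2
    SSLCertificateKeyFile key2
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)


def parse_vhosts(conf):
    """Return (namevirtualhost_addrs, vhosts); a vhost is
    {'addrs': [...], 'directives': [(lowercased_name, arg), ...]}."""
    nvh, vhosts, current = [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := VHOST_OPEN.match(line):
            current = {"addrs": m.group(1).split(), "directives": []}
        elif VHOST_CLOSE.match(line):
            vhosts.append(current)
            current = None
        else:
            parts = line.split(None, 1)
            name, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
            if current is not None:
                current["directives"].append((name, arg))
            elif name == "namevirtualhost":
                nvh.append(arg)
    return nvh, vhosts


def directive(vh, name):
    """First value of a directive inside a vhost, '' if absent."""
    return next((a for n, a in vh["directives"] if n == name.lower()), "")


def lint_vhosts(conf):
    """Return (code, address_or_vhost, message) findings."""
    nvh, vhosts = parse_vhosts(conf)
    per_addr = defaultdict(list)
    for vh in vhosts:
        for a in vh["addrs"]:
            per_addr[a].append(vh)
    findings = []
    # NameVirtualHost is for name-based hosting: 2+ vhosts on one IP:port.
    # One vhost per IP:port is IP-based hosting and needs no NameVirtualHost.
    for a in nvh:
        if len(per_addr.get(a, [])) < 2:
            findings.append(("extraneous-namevirtualhost", a, "single vhost on this address"))
    for a, vhs in per_addr.items():
        # The server must pick a certificate before it sees Host:, and
        # Apache 2.0's mod_ssl has no SNI, so one SSL vhost per socket.
        if sum(directive(vh, "SSLEngine").lower() == "on" for vh in vhs) > 1:
            findings.append(("ssl-vhosts-share-address", a, "only one certificate can be served here"))
    for vh in vhosts:
        label = " ".join(vh["addrs"])
        if directive(vh, "SSLEngine").lower() == "on":
            for d in ("SSLCertificateFile", "SSLCertificateKeyFile"):
                if not directive(vh, d):
                    findings.append(("missing-" + d.lower(), label, d + " not set"))
        # Without ServerName httpd derives one by reverse-resolving the IP,
        # so a broken PTR record leaks into vhost identity.
        if not directive(vh, "ServerName"):
            findings.append(("no-servername", label, "httpd will reverse-resolve the address"))
    return findings


if __name__ == "__main__":
    for code, where, msg in lint_vhosts(SAMPLE_CONF):
        print(f"{code:28} {where:22} {msg}")
```

Run against the post's snippet it reports four extraneous NameVirtualHost lines and four vhosts without ServerName, and nothing about certificates; against SHARED_ADDR_CONF it reports only that two SSL vhosts share one socket.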


Re: Apache sends wrong certificate

2006-05-29 Thread Frank van Beek

Hi all,

Frank van Beek wrote:


Hi all,

This morning we migrated 4 of our websites to a new server. Each of 
these websites uses a certificate for https connections. We've got only 
one Apache instance running with 4 virtual hosts on 4 different 
IP-addresses.


Today we discovered the cause of our problems. Our new hosting provider 
had invalid reverse DNS records:


-
% dig -x xxx.xxx.198.61

-- snip --
;; ANSWER SECTION:
61.198.xxx.xxx.in-addr.arpa. 900 IN PTR .
-- snip --

-

After they changed their DNS, all we had to do was restart Apache to 
make it function correctly.


With many thanks to ssh on Mac OS X which reported: Nasty PTR record "." 
is set up for xxx.xxx.198.61, ignoring.


That's what gave us a clue that it might be reverse DNS related.

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone:  +31 (0)20 672 2308
Fax:    +31 (0)20 672 2488

http://www.waxtrapp.com


Re: Apache sends wrong certificate

2006-05-29 Thread R. DuFresne

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



I'm sure this has been answered, but in case it has not;

You can not virtualize https to more than one hostsite, you have to have 
real IP addresses for https.


Thanks,

Ron DuFresne

On Wed, 24 May 2006, Frank van Beek wrote:


Hi all,

This morning we migrated 4 of our websites to a new server. Each of these 
websites uses a certificate for https connections. We've got only one Apache 
instance running with 4 virtual hosts on 4 different IP-addresses.


This worked fine on the old server. But since the move this morning Apache 
sends the certificate for the first VirtualHost to all 4 IP-addresses. Two of 
these sites need an additional SSLCertificateChainFile, and this file is sent 
*correctly* depending on the IP-address. So Apache does see 4 different 
VirtualHosts, but somehow ignores the individual SSLCertificateFiles.


Here is the relevant part of httpd.conf for these 4 hosts:

-
   Listen xxx.xxx.198.62:443
   NameVirtualHost xxx.xxx.198.62:443

   <VirtualHost xxx.xxx.198.62:443>
       SSLEngine On
       SSLCertificateChainFile  chain1
       SSLCertificateFile       crt1
       SSLCertificateKeyFile    key1
   </VirtualHost>

   Listen xxx.xxx.198.61:443
   NameVirtualHost xxx.xxx.198.61:443

   <VirtualHost xxx.xxx.198.61:443>
       SSLEngine On
       SSLCertificateChainFile  chain2
       SSLCertificateFile       crt2
       SSLCertificateKeyFile    key2
   </VirtualHost>

   Listen xxx.xxx.198.63:443
   NameVirtualHost xxx.xxx.198.63:443

   <VirtualHost xxx.xxx.198.63:443>
       SSLEngine On
       SSLCertificateFile       crt3
       SSLCertificateKeyFile    key3
   </VirtualHost>

   Listen xxx.xxx.198.64:443
   NameVirtualHost xxx.xxx.198.64:443

   <VirtualHost xxx.xxx.198.64:443>
       SSLEngine On
       SSLCertificateFile       crt4
       SSLCertificateKeyFile    key4
   </VirtualHost>
-

The old server is still up and running. I've upgraded Apache on that system 
to the same version (2.0.58) and copied httpd.conf to that machine. The above 
configuration somehow works correctly there.


I've been trying to debug this using openssl s_client -state -connect and I 
do see some relevant differences, but I've been unable to interpret them.


I know this report lacks a lot of possibly relevant details. But I didn't 
want to send the whole httpd.conf and all of the terminal output to this 
list.


Is there an obvious mistake in my configuration? Or have I stumbled on a bug 
in Apache 2.0.58?


Met groet,

Frank.



- -- 
~~

admin  senior security consultant:  sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins Still Life With Woodpecker
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEe4tVst+vzJSwZikRAq+sAJ4mHff+nYpHLXBgfoQdFIYVBMRhYgCgw29G
ZcxkcdgHNKCofvRN3Hc5miA=
=BwdU
-END PGP SIGNATURE-


Apache sends wrong certificate

2006-05-24 Thread Frank van Beek

Hi all,

This morning we migrated 4 of our websites to a new server. Each of 
these websites uses a certificate for https connections. We've got only 
one Apache instance running with 4 virtual hosts on 4 different 
IP-addresses.


This worked fine on the old server. But since the move this morning 
Apache sends the certificate for the first VirtualHost to all 4 
IP-addresses. Two of these sites need an additional 
SSLCertificateChainFile, and this file is sent *correctly* depending on 
the IP-address. So Apache does see 4 different VirtualHosts, but somehow 
ignores the individual SSLCertificateFiles.


Here is the relevant part of httpd.conf for these 4 hosts:

-
Listen xxx.xxx.198.62:443
NameVirtualHost xxx.xxx.198.62:443

<VirtualHost xxx.xxx.198.62:443>
    SSLEngine On
    SSLCertificateChainFile  chain1
    SSLCertificateFile       crt1
    SSLCertificateKeyFile    key1
</VirtualHost>

Listen xxx.xxx.198.61:443
NameVirtualHost xxx.xxx.198.61:443

<VirtualHost xxx.xxx.198.61:443>
    SSLEngine On
    SSLCertificateChainFile  chain2
    SSLCertificateFile       crt2
    SSLCertificateKeyFile    key2
</VirtualHost>

Listen xxx.xxx.198.63:443
NameVirtualHost xxx.xxx.198.63:443

<VirtualHost xxx.xxx.198.63:443>
    SSLEngine On
    SSLCertificateFile       crt3
    SSLCertificateKeyFile    key3
</VirtualHost>

Listen xxx.xxx.198.64:443
NameVirtualHost xxx.xxx.198.64:443

<VirtualHost xxx.xxx.198.64:443>
    SSLEngine On
    SSLCertificateFile       crt4
    SSLCertificateKeyFile    key4
</VirtualHost>
-

The old server is still up and running. I've upgraded Apache on that 
system to the same version (2.0.58) and copied httpd.conf to that 
machine. The above configuration somehow works correctly there.


I've been trying to debug this using openssl s_client -state -connect 
and I do see some relevant differences, but I've been unable to 
interpret them.


I know this report lacks a lot of possibly relevant details. But I 
didn't want to send the whole httpd.conf and all of the terminal output 
to this list.


Is there an obvious mistake in my configuration? Or have I stumbled on a 
bug in Apache 2.0.58?


Met groet,

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone:  +31 (0)20 672 2308
Fax:    +31 (0)20 672 2488

http://www.waxtrapp.com
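The `openssl s_client -connect` comparison described in the post can be automated. The following is an added example, not part of the original post and not Apache code: for each IP:port it fetches the leaf certificate the server actually presents (no SNI is sent, as with s_client against a bare IP, so the per-IP vhost selection is what gets exercised), fingerprints it, and compares that with the fingerprint of the configured SSLCertificateFile. The CONFIGURED mapping, the fake_pem stand-in certificates and fetch_like_broken_server are constructed to reproduce the symptom in the post, every address getting the first vhost's certificate; the masked addresses are kept from the post and must be replaced with real ones, and the real PEM files read from disk, to check a live server.

```python
"""Compare the certificate each IP:port actually serves with the one its
vhost is configured to serve.  Added example; not from the original post
and not part of Apache or mod_ssl."""
import base64
import hashlib
import socket
import ssl


def fingerprint(pem):
    """SHA-256 over the DER encoding (what `openssl x509 -sha256 -fingerprint`
    prints, minus the colons)."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_served_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate the server presents, as PEM.  No
    server_hostname is given, so no SNI is sent: this exercises the per-IP
    vhost selection exactly as `openssl s_client -connect ip:443` does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # inspecting, not trusting
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def audit_served_certs(expected, fetch=fetch_served_cert):
    """expected maps 'ip:port' -> PEM text of the configured SSLCertificateFile.
    Returns [(address, expected_fp, served_fp)] for every mismatch."""
    mismatches = []
    for addr, pem in expected.items():
        host, _, port = addr.rpartition(":")
        want, got = fingerprint(pem), fingerprint(fetch(host, int(port)))
        if want != got:
            mismatches.append((addr, want, got))
    return mismatches


def fake_pem(payload):
    """Constructed stand-in for a certificate file: PEM framing around
    arbitrary bytes.  Enough for fingerprinting; not a parseable X.509 cert."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed mapping mirroring the post's four vhosts (masked addresses kept).
# For a live check, replace the addresses and read the SSLCertificateFile
# paths from httpd.conf instead of using fake_pem.
CONFIGURED = {
    "xxx.xxx.198.62:443": fake_pem(b"crt1"),
    "xxx.xxx.198.61:443": fake_pem(b"crt2"),
    "xxx.xxx.198.63:443": fake_pem(b"crt3"),
    "xxx.xxx.198.64:443": fake_pem(b"crt4"),
}


def fetch_like_broken_server(host, port=443):
    """Constructed stand-in for the misbehaving server in the post: every
    address gets the first vhost's certificate."""
    return CONFIGURED["xxx.xxx.198.62:443"]


if __name__ == "__main__":
    # Drop the fetch= argument to run the check against real servers.
    for addr, want, got in audit_served_certs(CONFIGURED, fetch=fetch_like_broken_server):
        print(f"{addr}: configured {want[:16]}... served {got[:16]}...")
```

Against the simulated broken server the audit reports three mismatches (every address except the first vhost's), which is the symptom the post describes; against a server that answers each address with its own certificate it reports none.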