http://issues.apache.org/bugzilla/show_bug.cgi?id=42923

           Summary: vhost certificate NOT overriding cert from the _default:443_ vhost
           Product: Apache httpd-2
           Version: 2.0.52
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_ssl
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

Hi

I ran into a problem which has to do with the handling of SSL certificates, which I believe is a bug.

In a nutshell, the certificate info from the _default:443_ vhost is "leaking" onto the vhost bound to the machine's primary IP address (i.e. eth0). This is not happening on secondary IP addresses, including IP aliases attached to eth0.

Now for specifics:

I'm using RedHat 4 which uses Apache 2.0.52, running under VMWare ESX 3. The server has 2 NICs, and eth0 has a couple of IP aliases (i.e. eth0:1, eth0:2).

The default RH config file (/etc/httpd/conf/httpd.conf) has the "Listen 80" option, and uses the "Include" directive to include all the files matching /etc/httpd/conf.d/*.conf. One of these files is /etc/httpd/conf.d/ssl.conf, which defines a virtual host "_default_:443". This vhost references the files /etc/httpd/conf/ssl.key/{server.key and server.crt} (which are supplied by default and identify the host name as "localhost.localdomain"). The ssl.conf file also has a "Listen 443" directive.

If I access any of the https sites on any of the machine's IP addresses, I get the _default:443_ certificate and the pages which are referenced under the _default:443_ vhost's DocumentRoot. This is what is to be expected.

I've edited /etc/httpd/conf/httpd.conf and the last lines are now:

    Include /etc/local/httpd/conf.d/*.conf
    Include /etc/local/httpd/conf.d/vhosts/*.conf

The /etc/local/httpd/conf.d files are generic settings for the whole server; the "vhosts" sub-directory contains a separate config file for each vhost.
The vhost files are pretty standard, along the lines of:

    <VirtualHost a.b.c.d:443>
        ServerName myserver.domain.org
        CustomLog /var/log/httpd/servername-ssl/access_log combined
        ErrorLog /var/log/httpd/servername-ssl/error_log
        DocumentRoot /data/vhosts/servername-ssl/html
        SSLEngine On
        SSLCertificateKeyFile "/data/vhosts/servername-ssl/conf/myserver.domain.org.key"
        SSLCertificateFile "/data/vhosts/servername-ssl/conf/myserver.domain.org.crt"
        Include /data/vhosts/servername-ssl/conf.d/*.conf
    </VirtualHost>

Ok. Here's where it gets weird.

If the IP address in the above vhost is the machine's primary address (i.e. eth0), then when I access it, I get the "localhost.localdomain" certificate. This seems to have leaked from the _default:443_ vhost. However the data served is from the above vhost's DocumentRoot (not from _default:443_'s), and the request is logged to the log file specified in the above vhost. So Apache is definitely finding this vhost and using it, except for the certificate data.

Now if I change the IP address in the vhost to any of the host's other IP addresses, then everything works as it should: it returns the vhost's certificate, uses the vhost's document data and logs to the vhost's log file.

I initially had "NameVirtualHost a.b.c.d:443" options in the vhost config files, but I commented them out. I've tried specifying multiple vhosts, listening on eth0 and other addresses, or only on other addresses. I've tried changing the load order and so on, but it hasn't affected this. The results are consistent. The only problem I can find is when the address specified is eth0.

I apologise for the length of this report, but this is kind of hard to summarise concisely.

cheers
/\ndy
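The symptom in the report (the _default_:443 certificate being served on an IP-bound vhost that configures its own) can be verified from the outside by comparing, per vhost address, the CN of the certificate actually served against the configured ServerName. This is an added example, not code from the report or from Apache; it assumes vhost files in the shape shown above, a constructed sample address 192.0.2.10, and accepts a heuristic scan of the DER certificate for the commonName OID in place of a full X.509 parser.

```python
import re
import ssl
# Constructed sample shaped like the reporter's vhost files (192.0.2.10 is a placeholder).
SAMPLE_CONF = """
<VirtualHost _default_:443>
    ServerName localhost.localdomain
    SSLEngine On
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName myserver.domain.org
    SSLEngine On
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)
CN_OID = b"\x06\x03\x55\x04\x03"  # DER encoding of OID 2.5.4.3 (commonName)

def parse_ssl_vhosts(conf_text):
    """Map 'addr:port' -> ServerName for every vhost that has SSLEngine On."""
    vhosts = {}
    for addr, body in VHOST_RE.findall(conf_text):
        if re.search(r"^\s*SSLEngine\s+on\s*$", body, re.M | re.I):
            m = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
            vhosts[addr] = m.group(1) if m else None
    return vhosts

def subject_cn_from_der(der):
    """Last commonName attribute in the DER (issuer precedes subject in the
    TBSCertificate, so this is the subject CN); a heuristic, not a parser."""
    cns, pos = [], der.find(CN_OID)
    while pos != -1:
        hdr = der[pos + 5:pos + 7]  # string tag, short-form length
        if len(hdr) == 2 and hdr[0] in (0x0C, 0x13) and hdr[1] < 0x80:  # UTF8/Printable
            cns.append(der[pos + 7:pos + 7 + hdr[1]].decode("utf-8", "replace"))
        pos = der.find(CN_OID, pos + 1)
    return cns[-1] if cns else None

def served_subject_cn(ip, port):
    """Handshake with an IP literal (no SNI, like the reporter's clients) and return the served CN."""
    pem = ssl.get_server_certificate((ip, port))
    return subject_cn_from_der(ssl.PEM_cert_to_DER_cert(pem))

def audit(vhosts, probe=served_subject_cn):
    """(addr, expected_cn, served_cn) for each IP-bound SSL vhost whose served CN is not its ServerName."""
    mismatches = []
    for addr, expected in vhosts.items():
        ip, port = addr.rsplit(":", 1)
        if ip != "_default_" and expected:
            served = probe(ip, int(port))
            if served != expected:
                mismatches.append((addr, expected, served))
    return mismatches
```

Running `audit(parse_ssl_vhosts(open("/path/to/vhost.conf").read()))` against a live server reports exactly the leak described: the eth0 vhost would show the localhost.localdomain CN while the alias-bound vhosts match.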
