https://issues.apache.org/bugzilla/show_bug.cgi?id=55407
Bug ID: 55407
Summary: mod_SSL doesn't consider other vhosts with SNI, when their ServerName is identical
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Hi.
Admittedly I'm not even sure whether this is an issue or not... at least I
couldn't find it documented, though.
It seems that when using SNI with vhosts that have the SAME ServerName but
DIFFERENT ServerAlias(es)... mod_ssl simply ignores the later defined vhosts.
E.g. consider the following:
<VirtualHost 127.0.0.1>
ServerName a.foo.example.org
ServerAlias *.pool.example.org
#using some cert #1 for the above names
</VirtualHost>
<VirtualHost 127.0.0.1>
ServerName a.foo.example.org
ServerAlias foo.example.org
#using some other cert #2 for the above names
</VirtualHost>
Such things can easily happen, e.g. you have pools and round robin DNS names...
and want them to just use different certs (usually from different CAs), e.g.
one from "public" CAs like VeriStrange™ and Thawto™ ;) ... and for the other
names your organisation's own CA, which is however not globally recognised.
With the above setup I'd have expected the following to happen:
If a.foo.example.org is used,... the first defined vhost wins (as in default
vhosts).... and cert #1 is used.
For *.pool.example.org cert #1 is used as well, while for foo.example.org cert
#2 is used.
But Apache _always_ goes into the first vhost and gives me cert #1.
Now an obvious workaround is to simply make the 2nd vhost like this:
<VirtualHost 127.0.0.1>
ServerName foo.example.org
#using some other cert #2 for the above names
</VirtualHost>
i.e. changing the ServerName.
This, however, has the drawback that the other name is also used in all places
like error pages, etc.
So while I might offer people to use another certificate... I may still want
them to see the "canonical" server name for that other certificate as well,
which in the example above was intended to be a.foo.example.org.
Cheers,
Chris.
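The selection rule the report expects (walk the vhosts in definition order, first one whose ServerName or any ServerAlias matches the SNI name wins, and cert #1/#2 follow from that), modelled in Python as an added example. This is not httpd's code and does not claim to reproduce mod_ssl's actual lookup; the config strings, the placeholder SSLCertificateFile paths standing in for "cert #1" and "cert #2", and the toy parser are all constructed here. The `duplicate_server_names` audit flags exactly the condition the report describes, two SNI vhosts sharing one ServerName, so an administrator can spot it before relying on which certificate gets served.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed config mirroring the two vhosts in the report. The SSLCertificateFile
# paths are placeholders standing in for "cert #1" and "cert #2".
REPORTED_CONFIG = """
<VirtualHost 127.0.0.1>
    ServerName a.foo.example.org
    ServerAlias *.pool.example.org
    SSLCertificateFile /etc/ssl/cert1.pem
</VirtualHost>
<VirtualHost 127.0.0.1>
    ServerName a.foo.example.org
    ServerAlias foo.example.org
    SSLCertificateFile /etc/ssl/cert2.pem
</VirtualHost>
"""

# Constructed config for the workaround the report describes (second ServerName changed).
WORKAROUND_CONFIG = """
<VirtualHost 127.0.0.1>
    ServerName a.foo.example.org
    ServerAlias *.pool.example.org
    SSLCertificateFile /etc/ssl/cert1.pem
</VirtualHost>
<VirtualHost 127.0.0.1>
    ServerName foo.example.org
    SSLCertificateFile /etc/ssl/cert2.pem
</VirtualHost>
"""


@dataclass
class VHost:
    server_name: str
    aliases: List[str] = field(default_factory=list)
    cert: Optional[str] = None


def parse_vhosts(config_text: str) -> List[VHost]:
    """Toy parser for <VirtualHost> blocks; handles only the three directives used here."""
    vhosts: List[VHost] = []
    current: Optional[VHost] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("<virtualhost"):
            current = VHost(server_name="")
        elif low.startswith("</virtualhost"):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split()
            key, args = parts[0].lower(), parts[1:]
            if key == "servername":
                current.server_name = args[0].lower()
            elif key == "serveralias":
                current.aliases.extend(a.lower() for a in args)
            elif key == "sslcertificatefile":
                current.cert = args[0]
    return vhosts


def alias_matches(alias: str, hostname: str) -> bool:
    """ServerAlias accepts shell-style wildcards (* and ?); hostnames compare case-insensitively."""
    return fnmatch.fnmatchcase(hostname.lower(), alias.lower())


def select_vhost(vhosts: List[VHost], sni_hostname: str) -> Optional[VHost]:
    """The rule the reporter expects: first vhost (in definition order) whose
    ServerName or any ServerAlias matches the SNI name; no match falls back
    to the first, i.e. default, vhost."""
    name = sni_hostname.lower()
    for vh in vhosts:
        if vh.server_name == name or any(alias_matches(a, name) for a in vh.aliases):
            return vh
    return vhosts[0] if vhosts else None


def cert_for(config_text: str, sni_hostname: str) -> Optional[str]:
    """Certificate the expected rule would serve for a given SNI hostname."""
    vh = select_vhost(parse_vhosts(config_text), sni_hostname)
    return vh.cert if vh else None


def duplicate_server_names(config_text: str) -> Dict[str, List[int]]:
    """Audit helper: ServerNames shared by more than one vhost, with their positions.
    A non-empty result is the configuration this report says mod_ssl handles unexpectedly."""
    positions: Dict[str, List[int]] = {}
    for i, vh in enumerate(parse_vhosts(config_text)):
        positions.setdefault(vh.server_name, []).append(i)
    return {n: p for n, p in positions.items() if len(p) > 1}


if __name__ == "__main__":
    for host in ("a.foo.example.org", "x.pool.example.org", "foo.example.org"):
        print(f"{host:22} -> {cert_for(REPORTED_CONFIG, host)}")
    print("duplicate ServerNames:", duplicate_server_names(REPORTED_CONFIG))
```

Running it prints cert #1 for a.foo.example.org and x.pool.example.org and cert #2 for foo.example.org, which is the outcome the report expected, and lists a.foo.example.org as a ServerName shared by vhosts 0 and 1; the same audit on the workaround config returns nothing. Until the behaviour is settled upstream, the audit result is the signal that a deployment depends on how mod_ssl breaks that tie.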