User has a non-NVH on 10.137.1.104:9902 (CN=aaa.de) and insists SNI is choosing the SSL configuration from a different VH (CN=aaa.at) that a) comes earlier and b) has a matching servername.
Desk-checking the impl, it sure looks like it's supposed to start w/ the output of normal ip-based vhosting and only traverse the NVH'es hung off that matched vh. Anyone more familiar with this that can comment on the design or implementation?

---------- Forwarded message ----------
From: Reinhard Vicinus <[email protected]>
Date: Sun, May 16, 2010 at 2:46 PM
Subject: Re: [us...@httpd] ssl certifikate mismatch
To: [email protected]

> What's the full apachectl -S look like on that config?

VirtualHost configuration:
10.137.1.104:9903      is a NameVirtualHost
         default server www.aaa.de (/etc/apache2/sites-enabled/test:19)
         port 9903 namevhost www.aaa.de (/etc/apache2/sites-enabled/test:19)
10.137.1.104:9901      www.aaa.de (/etc/apache2/sites-enabled/test:2)
10.137.1.104:9902      www.aaa.de (/etc/apache2/sites-enabled/test:10)
Syntax OK

> What was the local host:port the connection was on?

10.137.1.104:9902

> What SNI hostname was sent?

I think that 10.137.1.104 was sent, but I'm not sure if any SNI hostname was sent. I called it like this:

openssl s_client -connect 10.137.1.104:9902

> What certificate was selected? Which certificate do you expect to be
> selected, and why?

The certificate www.aaa.at was selected. I would expect that www.aaa.de would be selected because the configuration uses IP-based virtual hosting and in the Apache documentation it's clearly stated that only the exact IP address and port pair is used for selecting virtual hosts by IP-based virtual hosting. Also this configuration worked with older Apache versions.

--
Eric Covener
[email protected]
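The reporter's bare `openssl s_client -connect` call leaves open whether any SNI name was sent, and the answer to Eric's question is the whole case. The script below is an added example, not code from the thread or from httpd: it probes a listener once with no SNI and once per candidate server_name, extracts the served certificate's subject CN, and reports whether the no-SNI answer matches the IP-based vhost's certificate. It assumes `openssl` is on PATH and that the host, ports and names from the thread (10.137.1.104:9902, www.aaa.de, www.aaa.at) are reachable; the `probe` argument and the function names are this example's own. One caveat a tester needs: `openssl s_client` in OpenSSL 1.1.1 and later sends an SNI name derived from `-connect` by default, so a bare call is only a "no SNI" test on older builds; the script passes `-noservername` whenever the local `openssl` accepts it.

```shell
#!/bin/sh
# Added example, not from the thread: probe which certificate an httpd
# listener serves with no SNI and with a given SNI name, and compare.
# Assumes: openssl on PATH; the host, ports and names at the bottom are
# the ones quoted in the thread and are reachable from this machine.
set -eu

# Pull the CN out of the "subject=" line printed by `openssl x509 -subject`.
# OpenSSL 1.0 prints "subject= /C=DE/CN=www.aaa.de"; 1.1+ prints
# "subject=C = DE, CN = www.aaa.de".  Both forms are handled; other
# lines (e.g. "issuer=") produce no output.
subject_cn() {
    sed -n 's|^subject=.*CN *= *\([^,/]*\).*$|\1|p' | sed 's/[[:space:]]*$//'
}

# Flag that suppresses SNI entirely.  OpenSSL 1.1.1+ s_client sends an SNI
# name taken from -connect by default, so a bare call is not a "no SNI"
# test there; older versions have no such flag and send nothing anyway.
no_sni_flag() {
    if openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
        printf '%s' -noservername
    fi
}

# Print the CN of the leaf certificate served at host:port.
# $3 is the SNI server_name; leave it empty to send no SNI at all.
# Prints nothing if the connection fails or no certificate comes back.
served_cn() {
    host=$1; port=$2; name=${3:-}
    if [ -n "$name" ]; then
        set -- -servername "$name"
    else
        set -- $(no_sni_flag)
    fi
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null | subject_cn
}

# Report the no-SNI answer against the expected CN, then what each
# candidate SNI name yields.  Returns 1 if the no-SNI answer is wrong.
check_listener() {
    host=$1; port=$2; expected=$3; shift 3
    got=$(served_cn "$host" "$port")
    status=0
    if [ -z "$got" ]; then
        echo "$host:$port no SNI -> no certificate (connection failed?)"
        status=1
    elif [ "$got" = "$expected" ]; then
        echo "$host:$port no SNI -> $got (as expected)"
    else
        echo "$host:$port no SNI -> $got (expected $expected)"
        status=1
    fi
    for n in "$@"; do
        echo "$host:$port SNI=$n -> $(served_cn "$host" "$port" "$n")"
    done
    return $status
}

# The listener and names from the thread; run as `sh probe.sh probe`.
# The IP-based vhost on :9902 should answer www.aaa.de whatever SNI says.
if [ "${1:-}" = probe ]; then
    check_listener 10.137.1.104 9902 www.aaa.de www.aaa.de www.aaa.at
fi
```

Run it as `sh probe.sh probe` from a host that can reach the listener; a non-zero exit means the no-SNI connection got a certificate other than the IP-based vhost's own, which is the behaviour the reporter describes. Comparing the subject CN is enough for this thread, where the certificates are told apart by CN; on certificates that differ only in subjectAltName the same pipeline would need `openssl x509 -noout -ext subjectAltName` instead.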
