top-posting a better summary of the thread:

> Listen 10.137.1.104:9901
> <VirtualHost 10.137.1.104:9901>
> SSLEngine on
> SSLCertificateFile /etc/apache2/conf/www.aaa.at.crt
> SSLCertificateKeyFile /etc/apache2/conf/www.aaa.at.key
> Include conf/www.aaa.misc
> </VirtualHost>
>
> Listen 10.137.1.104:9902
> <VirtualHost 10.137.1.104:9902>
> SSLEngine on
> SSLCertificateFile /etc/apache2/conf/www.aaa.de.crt
> SSLCertificateKeyFile /etc/apache2/conf/www.aaa.de.key
> Include conf/www.aaa.misc
> </VirtualHost>
>
> Listen 10.137.1.104:9903
> NameVirtualHost 10.137.1.104:9903
> <VirtualHost 10.137.1.104:9903>
> Include conf/www.aaa.misc
> </VirtualHost>
> openssl s_client -connect 10.137.1.104:9902
> The certificate www.aaa.at was selected.

On Sun, May 16, 2010 at 3:14 PM, Eric Covener <[email protected]> wrote:
> User has a non-NVH on 10.137.1.104:9902 (CN=aaa.de) and insists SNI is
> choosing the SSL configuration from a different VH that (CN=aaa.at)
> comes earlier and b) has a matching servername.
>
> Desk-checking the impl, it sure looks like it's supposed to start w/
> the output of normal ip-based vhosting and only traverse the NVH'es
> hung off that matched vh.
>
> Anyone more familiar with this that can comment to the design or
> implementation?
>
>
> ---------- Forwarded message ----------
> From: Reinhard Vicinus <[email protected]>
> Date: Sun, May 16, 2010 at 2:46 PM
> Subject: Re: [us...@httpd] ssl certifikate mismatch
> To: [email protected]
>
>
>> What's the full apachectl -S look like on that config?
>
> VirtualHost configuration:
> 10.137.1.104:9903 is a NameVirtualHost
>          default server www.aaa.de (/etc/apache2/sites-enabled/test:19)
>          port 9903 namevhost www.aaa.de (/etc/apache2/sites-enabled/test:19)
> 10.137.1.104:9901 www.aaa.de (/etc/apache2/sites-enabled/test:2)
> 10.137.1.104:9902 www.aaa.de (/etc/apache2/sites-enabled/test:10)
> Syntax OK
>
>> What was the local host:port the connection was on?
>
> 10.137.1.104:9902
>
>> What SNI hostname was sent?
>
> I think that 10.137.1.104 was sent, but I'm not sure if any SNI
> hostname was sent. I called it like this: openssl s_client -connect
> 10.137.1.104:9902
>
>> What certificate was selected? Which certificate do you expect to be
>> selected, and why?
>
> The certificate www.aaa.at was selected. I would expect that
> www.aaa.de would be selected because the configuration uses ip based
> virtual hosting and in the apache documentation it's clearly stated
> that only the exact IP address and port pair is used for selecting
> virtual hosts by ip based virtual hosting.
> Also this configuration worked with older apache versions.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [email protected]
>    "   from the digest: [email protected]
> For additional commands, e-mail: [email protected]
>
>
> --
> Eric Covener
> [email protected]

--
Eric Covener
[email protected]
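The open question in the thread is which SNI name, if any, the client sent: with the OpenSSL builds of that time, `openssl s_client` sent no SNI extension at all unless `-servername` was given, so a bare `-connect 10.137.1.104:9902` tests the "no SNI" path only. The script below is an added example, not code from the thread or from httpd; it probes an ip:port with and without an explicit SNI name and reports the CN of the certificate the server handed back, so the two cases can be compared directly. It assumes `openssl` is on PATH, and the address and hostnames are the ones quoted above. The sample `s_client` output used for the offline check is constructed, not captured from the poster's server.

```shell
#!/bin/sh
# Added example (not from the thread or from httpd): report which certificate
# an ip:port serves, with and without an SNI hostname, via openssl s_client.
# Assumes openssl is on PATH; the address and names are the ones in the thread.

# Pull the CN out of the "subject=" line s_client prints after the handshake.
# Accepts the old layout ("subject=/C=AT/CN=x") and the 1.1.x layout
# ("subject=C = AT, CN = x"). Reads s_client output from stdin and prints
# the CN, or nothing if no certificate was received.
cert_cn() {
    sed -n 's/^subject=.*CN *= *\([^,/]*\).*$/\1/p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# OpenSSL 1.1.1+ s_client sends SNI by default when given a hostname, and
# offers -noservername to turn that off; older builds lack the flag and only
# send SNI when -servername is passed. Detect the flag so "no SNI" means it.
no_sni_flag=""
if openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
    no_sni_flag="-noservername"
fi

# probe_cn ADDR [SNI]: connect to ADDR (ip:port) and print the CN of the
# certificate served. With a second argument that name is sent as SNI;
# without one, no SNI extension is sent.
probe_cn() {
    addr=$1
    sni=${2-}
    if [ -n "$sni" ]; then
        openssl s_client -connect "$addr" -servername "$sni" </dev/null 2>/dev/null | cert_cn
    else
        # $no_sni_flag is deliberately unquoted so an empty value vanishes.
        openssl s_client -connect "$addr" $no_sni_flag </dev/null 2>/dev/null | cert_cn
    fi
}

# Constructed s_client output fragments (not captured from the thread's
# server), used to exercise cert_cn without a network connection.
SAMPLE_OLD='---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBfakecertbodyforillustrationonly
-----END CERTIFICATE-----
subject=/C=AT/O=aaa/CN=www.aaa.at
issuer=/C=AT/O=aaa/CN=aaa CA
---'
SAMPLE_NEW='subject=C = DE, O = aaa, CN = www.aaa.de
issuer=C = DE, O = aaa, CN = aaa CA'

# Live comparison against the address from the thread. Only runs when
# PROBE=1 is set, since it needs that server to be reachable.
if [ "${PROBE-}" = "1" ]; then
    echo "no SNI:         $(probe_cn 10.137.1.104:9902)"
    echo "SNI www.aaa.de: $(probe_cn 10.137.1.104:9902 www.aaa.de)"
    echo "SNI www.aaa.at: $(probe_cn 10.137.1.104:9902 www.aaa.at)"
fi
```

Run it as `PROBE=1 sh probe.sh` against the server; if the "no SNI" line already reports www.aaa.at, SNI is not what is steering the choice and the ip:port lookup itself is at fault, whereas if only the "SNI www.aaa.at" line does, the NameVirtualHost traversal is reaching a vhost on a different port. The CN extraction is a plain `sed` over `s_client`'s subject line, so it should be checked against the output format of whichever OpenSSL build is in use.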
