I have found a problem with mod_nss that appears to have been reported in 2010, but I cannot find any further reference to it. The 2010 reference contains a comment saying that it is an issue and needs to be fixed. I have not been able to find any issue tracking system for mod_nss and so haven't been able to check on the status.
The problem is that mod_nss does not appear to respond with the correct certificate when multiple name virtual servers are configured on an instance of Apache. It always responds with the certificate of the first name virtual server defined. It does process the other sites' configurations because it complains if certificates with the aliases used are not in the database.

This would not be an issue (for me) if mod_ssl could be used for virtual servers other than the IPA server, but they cannot co-exist. If you try to mix them, mod_ssl complains that port 443 is being used for the IPA server, but it is not SSL aware. I suppose it would be possible to reconfigure the IPA name virtual server to use mod_ssl by exporting the certificate, but I really don't like to muck around with the directory server configuration more than is necessary as it is vital that it remains stable and secure.

Could anyone enlighten me as to whether this issue is being looked at or even if it is fixed and the CentOS people (CentOS 6.3, standard repositories, all packages up to date as of yesterday) just aren't supplying a new enough version of mod_nss?

At the moment, I can use my SSL secured sites as the encryption works okay, but I cannot open them up as they report the wrong host name in the certificate.

Regards

Simon Williams
_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users