On Mon, 27 Sep 1999, John Huttley wrote:
> Sorry,
>
> This can never occur.
>
> SSL startup happens at the instant the TCP call comes in. This is always
> before the httpd 1.1 protocol sends the desired (virtual) server.
>
> So separate SSL hosts must be on separate IP addresses.
>
Perhaps I'm running into something similar here. I've got two boxen;
IRIX 5.3, Linux 2.0.35,
software on both systems:
apache_1.3.9/
mod_ssl-2.4.2-1.3.9/
openssl-0.9.4/
Software all compiles and tests and installs fine, httpd comes up fine on
both servers. The IRIX box, nova, connects fine and plays nicely with
both port 80 and port 443, but has been set up now to be restricted to only
443 sessions for the testing.
Both machines issued their own custom certificates, and as mentioned, the
nova, IRIX box plays fine. The dual-homed box can be accessed by various
names, hostname, domain.com, hostname.domain.com, and these could well be
different depending upon the interface. When brought up, the server on
port 80 runs fine, the server on port 443 will function for a bit, but
then will stop responding with network errors from the inside network as
well as from the outside network. It should be noted that until the first
network error is reported, the server seems to function, though some
images and links are displayed as broken, some listed as
"internal-icon-insecure". I take it that SSL will perhaps require some
fixing of page references to overcome this on certain html tags; I can
deal with that later...

Shortly after startssl or a restart of the server on error, it will work
for a few minutes, then result in a network error and fail to play at all
till again restarted. I'm thinking perhaps the SSL side gets confused due
to the multi-homing and perhaps how it is routed off lo for the other
interfaces on the machine. I have not taken to pulling packets off the
wire or advanced debugging output, but the failure seems to come after
the handshake and encryption begins.

I had been wondering if I was going to have to define a 'virtual host' for
each server <wondering how to issue tickets for each calling
name/interface set, which would seem impossible>; perhaps the key here is
to lock the port 443 side of httpd to a specific interface/calling-name/port
structure? Am I making sense here? Has anyone encountered similar
troubles?
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
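Added example (not from either message above, and not mod_ssl's own sample
config): an Apache 1.3 + mod_ssl httpd.conf fragment that does what the
thread describes, binding each SSL host to its own IP address and port 443
to specific interfaces, alongside a normal name-based port 80 setup. The
addresses (192.0.2.10, 198.51.100.20), hostnames and file paths are
placeholders; substitute the real interface addresses of the dual-homed box.

```apache
# Added example, not from the post. Addresses, names and paths are placeholders.

# Listen on explicit address:port pairs rather than a bare "Listen 443", so
# each SSL host is only reachable on its own interface.
Listen 192.0.2.10:80
Listen 192.0.2.10:443
Listen 198.51.100.20:443

# Port 80 can use name-based virtual hosts: the Host: header arrives after
# the TCP connect, so Apache can select the host from it.
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /usr/local/apache/htdocs/www
</VirtualHost>

# On 443 the SSL handshake, and therefore the certificate choice, completes
# before any HTTP request is read, so Apache 1.3/mod_ssl cannot use the
# Host: header. Each SSL host gets its own IP address, and ServerName must
# match the CN of the certificate served on that address, since browsers
# compare the two.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /usr/local/apache/htdocs/www
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/www.example.com.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.example.com.key
</VirtualHost>

<VirtualHost 198.51.100.20:443>
    ServerName secure.example.net
    DocumentRoot /usr/local/apache/htdocs/secure
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/secure.example.net.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/secure.example.net.key
</VirtualHost>

# What does NOT work on this software: two <VirtualHost 192.0.2.10:443>
# (or *:443) blocks with different ServerNames. Only the first block's
# certificate is ever offered on that address, so requests for the second
# name get a certificate/hostname mismatch.
```

To check a given interface, run `openssl s_client -connect 192.0.2.10:443`
from each network and confirm the subject CN in the certificate it prints
matches the name users browse to on that interface; a handshake that
completes there but fails in the browser usually points at a name/CN
mismatch rather than at the network. The "internal-icon-insecure" markers
described in the post are the browser's placeholder for http:// images
referenced from an https page, which is a page-reference issue as the post
suspects, separate from the binding question. Name-based SSL hosting on one
address only became possible with the TLS Server Name Indication extension,
supported by mod_ssl from Apache httpd 2.2.12 onward with a TLS-extension
capable OpenSSL; it is not available in the Apache 1.3 / mod_ssl 2.4 /
OpenSSL 0.9.4 combination the thread is about.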