On Wed, Aug 09, 2000 at 10:06:00AM +0200, Owen Boyle wrote:
...
> The recommended solution is to use a different IP address for the SSL
> virtual host. This would obviously solve the problem since the server
> can go immediately to the SSL VirtualHost as soon as it receives a
> request on that IP address - no need to look in the request for a
> ServerName. It then sees it has to start SSL and we're off.
> 
> However, the solution I tried was to define the port numbers explicitly
> when declaring the IP addresses. The config file is then:
> 
> NameVirtualHost 192.168.200.1:80
> 
> <VirtualHost 192.168.200.1:80>
>   ServerName   banana.fruit.com
>   DocumentRoot /home/banana
> </VirtualHost>
> 
> <VirtualHost 192.168.200.1:80>
>   ServerName   kiwi.fruit.com
>   DocumentRoot /home/kiwi
> </VirtualHost>
> 
> <VirtualHost 192.168.200.1:443>
>   ServerName   ssl.fruit.com
>   DocumentRoot /home/ssl
>   SSLEngine    On
> </VirtualHost>
> 
> Now, I guess, the server uses the port number to decide whether to do
> name-based virtual host resolution and if it receives a request on port
> 443 it does not attempt NBVH.

So what do you want to achieve? The problem with name based hosting is
that the certificate name does not necessarily meet the CN in the
certificate.
If I connect to "https://ssl.fruit.com/", everything will be fine
(I presume the certificate to be issued for CN=ssl.fruit.com).
Now, I will connect to "https://banana.fruit.com", because I want to
make a deal with the banana department and ... I will get the error
message, because the name obtained in the cert "ssl.fruit.com" does not
match the host I wanted to connect to "banana.fruit.com".

_This_ is the actual problem with NBVH that is not solved by your
approach.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
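
Added example, not part of the original message or of mod_ssl: a small Python check that parses the configuration quoted above and lists which host names on the shared IP address would be served the ssl.fruit.com certificate when requested over https. It assumes the certificate CN equals the SSL virtual host's ServerName (as the reply presumes), that every ServerName resolves to the IP of its VirtualHost, and exact name matching; the function names are hypothetical.

```python
import re

# Configuration from the quoted message, embedded as sample input.
CONFIG = """
NameVirtualHost 192.168.200.1:80
<VirtualHost 192.168.200.1:80>
  ServerName   banana.fruit.com
  DocumentRoot /home/banana
</VirtualHost>
<VirtualHost 192.168.200.1:80>
  ServerName   kiwi.fruit.com
  DocumentRoot /home/kiwi
</VirtualHost>
<VirtualHost 192.168.200.1:443>
  ServerName   ssl.fruit.com
  DocumentRoot /home/ssl
  SSLEngine    On
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([\d.]+):(\d+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block: ip, port, name, ssl."""
    vhosts = []
    for ip, port, body in VHOST_RE.findall(text):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        ssl = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I)
        vhosts.append({"ip": ip, "port": int(port),
                       "name": name.group(1).lower() if name else None,
                       "ssl": ssl is not None})
    return vhosts

def https_mismatches(vhosts):
    """List (requested_name, certificate_cn) pairs that fail the name check.
    Assumes CN == the SSL vhost's ServerName, exact matching, and that every
    ServerName on an IP resolves to that IP."""
    mismatches = []
    for tls in (v for v in vhosts if v["ssl"] and v["name"]):
        # The certificate is presented before any Host header is seen, so every
        # name on this IP gets this vhost's certificate on the SSL port.
        for v in vhosts:
            if v["ip"] == tls["ip"] and v["name"] and v["name"] != tls["name"]:
                mismatches.append((v["name"], tls["name"]))
    return mismatches

if __name__ == "__main__":
    for host, cn in https_mismatches(parse_vhosts(CONFIG)):
        print(f"https://{host}/ -> certificate CN={cn}: name mismatch")
```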
