Yes, and thanks to Owen for rounding out our, mine and yours, knowledge levels on this. I seem to have forgotten the FQDN is what the browsing public is used to for web traversals. Few fall back to IPs even in times when DNS is borked. I get firewall-1 licensing issues and cert issues confused at times. Hopefully I did not mislead anyone <smile>.

Thanks,

Ron DuFresne

On Thu, 20 Feb 2003, Jack L. Stone wrote:

> Owen's reply is more in line with what I thought. In applying for my Cert,
> I provided docs to prove ownership of the www.domain, addresses and some
> other stuff. When clicking on the website, the Cert requested must match
> the domain requested -- nothing about IPs has ever been involved.
>
> This is why the post about IPs caught my attention and wondered if I was
> behind the times. I'm applying for a renewal now and again it's all about
> the www.domain and nothing is entered into the cert about the IP verification.
>
> Then, there is the question of a wildcard cert which I understand can be
> used for several vhosts without setting off alarms on the browser.
>
> If there is anyone who would be willing to share with me their httpd.conf
> setup when using vhosting, I would be forever grateful. Offlist would be
> fine if need for privacy.
>
> Thanks.....
>
> >>
> >>It's IP and/or port based. But, do remember, if port based then one is
> >>serving only one cert, and the trouble is making sure the cert is
> >>constructed in a fashion such that hostnames are not contained
> >>within the CN and such. In this case, and others can correct me if I'm
> >>wrong here, you would need to generate the cert on the IP rather than
> >>FQDN. And I'm not sure openssl allows such a cert, but others might well be
> >>better clued than I on this <smile>.
> >
> >A server cert bound to an IP address wouldn't make much sense (not sure if
> >you can even do it).
> >
> >The thing to remember is that SSL is about two things - encryption and
> >authentication. For encryption to work you just need to send the server's
> >public key to the client - the hostname is not important. However, for the
> >authentication aspect, it is essential that the common name in the
> >server cert matches the FQDN in the client request. Put it another way, you
> >surf to amazon.com and are about to type in your credit card number but
> >then you look inside the server cert and see that it is registered to
> >"shady-character.com". Do you still send your card number? This is why
> >browsers always complain when you use a test or self signed certificate if
> >the CN doesn't match the FQDN.
> >
> >So, while you can have an encrypted session with an untrusted server, in
> >the real world it doesn't make much sense to do so. Encryption is sending
> >your money to the bank in an armoured car, authentication is making sure
> >the armoured car actually goes to the bank.
> >
> >Rgds,
> >Owen Boyle
> >
> >>
> >>Thanks,
> >>
> >>Ron DuFresne
> >>
> >>On Wed, 19 Feb 2003, Jack L. Stone wrote:
> >>
> >>> Please excuse the top post:
> >>>
> >>> Ian or anyone, are you sure that a wildcard setup won't work....??? Just
> >>> getting ready to do a fresh install involving vhosts and this will become
> >>> an important issue.
> >>>
> >>> Thanks!
> >>>
> >>> At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
> >>> >I believe that I read somewhere that you must have a different
> >>> >ip address for each ssl virtualhost.
> >>> >
> >>> >Ian Moon
> >>> >
> >>> >On Wed, 19 Feb 2003, Boyle Owen wrote:
> >>> >
> >>> >> >-----Original Message-----
> >>> >> >From: Steve Pirk [mailto:[EMAIL PROTECTED]]
> >>> >> >Sent: Thursday, 6 February 2003 02:02
> >>> >> >To: [EMAIL PROTECTED]
> >>> >> >Subject: Multiple SSL VirtualHosts in apache
> >>> >> >
> >>> >> >
> >>> >> >I checked the mail archives, but could not find a good
> >>> >> >answer for this "problem" I am having.
> >>> >> >
> >>> >> >I am building out a dev environment using apache
> >>> >> >on Solaris. The dev environment needs to run under
> >>> >> >SSL (to simulate the production environment). I am
> >>> >> >starting with 4 virtual servers. They all use the
> >>> >> >same cert file, but are on different ports.
> >>> >> >
> >>> >> >The problem I am running into is that only the "first"
> >>> >> >VirtualHost works. Requests to subsequent ports result
> >>> >> >in a mod_ssl:error:HTTP-request error. Here is the error_log
> >>> >> >entry:
> >>> >> >
> >>> >> >[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
> >>> >> >spoken on HTTPS port; trying to send HTML error page (OpenSSL library
> >>> >> >error follows)
> >>> >>
> >>> >> This looks like you typed http://server:7001/ into the browser. You
> >>> >> still need to define https even if you have the port number, i.e.
> >>> >> https://server:7001/.
> >>> >>
> >>> >> Can you confirm that if you do this, you still get an error?
> >>> >>
> >>> >> Rgds,
> >>> >> Owen Boyle
> >>> >>
> >>> >>
> >>> >> >[Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
> >>> >> >routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
> >>> >> >HTTP to HTTPS port!?]
> >>> >> >
> >>> >> >This is being used in conjunction with an auth package,
> >>> >> >but the redirect after logging in is https://
> >>> >> >
> >>> >> >Does anyone know of a good way to have multiple
> >>> >> >SSL virtual servers on one apache instance?
> >>> >>
> >>> >> The way you are doing it is fine. You just have a problem...
> >>> >>
> >>> >> >
> >>> >> >Here is a sample of httpd.conf. In this case, port 7000
> >>> >> >works, but 7001 and 7002 get the mod_ssl error.
> >>> >> >
> >>> >> > <VirtualHost 172.16.202.25:7000>
> >>> >> >   DocumentRoot /some/doc/root
> >>> >> >   SSLEngine on
> >>> >> >   SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> >>> >> >   SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
> >>> >> > </VirtualHost>
> >>> >> >
> >>> >> > <VirtualHost 172.16.202.25:7001>
> >>> >> >   DocumentRoot /some/doc/root
> >>> >> >   SSLEngine on
> >>> >> >   SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> >>> >> >   SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
> >>> >> > </VirtualHost>
> >>> >> >
> >>> >> > <VirtualHost 172.16.202.25:7002>
> >>> >> >   DocumentRoot /some/doc/root
> >>> >> >   SSLEngine on
> >>> >> >   SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> >>> >> >   SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
> >>> >> > </VirtualHost>
>
>
> Best regards,
> Jack L. Stone,
> Administrator
>
> SageOne Net
> http://www.sage-one.net
> [EMAIL PROTECTED]
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant:  sysinfo.com
                                    http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
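The thread's two technical points, that a browser accepts a server cert only when its name matches the FQDN that was requested, and that a wildcard cert can cover several vhosts, come down to one client-side matching rule. The following is an added illustration written for this page, not code from the mailing list or from mod_ssl: it implements the name-matching rule a TLS client applies (simplified from RFC 6125: exact case-insensitive match, or a wildcard whose leftmost label `*` matches exactly one hostname label), and treats an IP literal as exact-match only. The certificate names and the `example.test` wildcard are constructed; `www.sage-one.net` and `172.16.202.25` are taken from the thread.

```python
"""Does a server certificate's name list cover the hostname the client asked for?

Added example for this thread, not mod_ssl or browser code.  Matching rule
(simplified from RFC 6125):
  - a plain name matches when every label is equal, case-insensitively;
  - a wildcard name must have "*" as its entire leftmost label, at least two
    labels after it, and "*" matches exactly one label (so "*.example.test"
    covers "shop.example.test" but not "a.b.example.test" or "example.test");
  - an IP literal in the request is only covered by that exact IP string.
"""
import ipaddress


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name: str, requested: str) -> bool:
    """Return True if a single certificate name (CN or DNS SAN) covers `requested`."""
    if not cert_name or not requested:
        return False
    cert_labels = _labels(cert_name)
    host_labels = _labels(requested)
    if "*" not in cert_name:
        return cert_labels == host_labels
    # Wildcard: only the whole leftmost label may be "*", no other label may
    # contain one, and at least two labels must follow it ("*.com" is rejected).
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]) or len(cert_labels) < 3:
        return False
    # "*" stands for exactly one label, so label counts must be equal and the
    # remaining labels must match exactly.
    return len(host_labels) == len(cert_labels) and cert_labels[1:] == host_labels[1:]


def certificate_covers(cert_names, requested: str) -> bool:
    """Return True if any name in the certificate covers the requested host.

    An IP literal is compared as an exact string: no wildcard or DNS rules
    apply, which is why a cert issued to an IP does not help a browser that
    was sent to a www.domain name (the point Owen makes in the thread).
    """
    try:
        ipaddress.ip_address(requested)
        return requested in cert_names
    except ValueError:
        pass
    return any(name_matches(n, requested) for n in cert_names)


# Constructed sample certificates: one issued to a single FQDN (name taken from
# the thread), one wildcard meant to serve several vhosts (constructed name).
SINGLE_HOST_CERT = ["www.sage-one.net"]
WILDCARD_CERT = ["*.example.test"]


def demo() -> dict:
    """Evaluate the cases the thread talks about; returned so they can be checked."""
    return {
        "exact": certificate_covers(SINGLE_HOST_CERT, "WWW.Sage-One.NET"),
        "other_host": certificate_covers(SINGLE_HOST_CERT, "shady-character.com"),
        "wildcard_vhost": certificate_covers(WILDCARD_CERT, "shop.example.test"),
        "wildcard_too_deep": certificate_covers(WILDCARD_CERT, "a.b.example.test"),
        "wildcard_bare": certificate_covers(WILDCARD_CERT, "example.test"),
        "ip_literal_vs_fqdn_cert": certificate_covers(SINGLE_HOST_CERT, "172.16.202.25"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} -> {'accept' if ok else 'warn'}")
```

The `warn` outcomes are exactly the situations in which the browser alarms Jack mentions go off: a cert for one host presented by another, a wildcard stretched over more than one label, or a cert for a name while the client typed an IP. Real clients also check the trust chain and validity period; this block covers only the name-matching half of Owen's "authentication" point.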