-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm sure this has been answered, but in case it has not:
You cannot virtualize https to more than one hostsite, you have to have
real IP addresses for https.
Thanks,
Ron DuFresne
On Wed, 24 May 2006, Frank van Beek wrote:
Hi all,
This morning we migrated 4 of our websites to a new server. Each of these
websites uses a certificate for https connections. We've got only one Apache
instance running with 4 virtual hosts on 4 different IP-addresses.
This worked fine on the old server. But since the move this morning Apache
sends the certificate for the first VirtualHost to all 4 IP-addresses. Two of
these sites need an additional SSLCertificateChainFile, and this file is sent
*correctly* depending on the IP-address. So Apache does see 4 different
VirtualHosts, but somehow ignores the individual SSLCertificateFiles.
Here is the relevant part of httpd.conf for these 4 hosts:
-----
Listen xxx.xxx.198.62:443
NameVirtualHost xxx.xxx.198.62:443
<VirtualHost xxx.xxx.198.62:443>
SSLEngine On
SSLCertificateChainFile chain1
SSLCertificateFile crt1
SSLCertificateKeyFile key1
</VirtualHost>
Listen xxx.xxx.198.61:443
NameVirtualHost xxx.xxx.198.61:443
<VirtualHost xxx.xxx.198.61:443>
SSLEngine On
SSLCertificateChainFile chain2
SSLCertificateFile crt2
SSLCertificateKeyFile key2
</VirtualHost>
Listen xxx.xxx.198.63:443
NameVirtualHost xxx.xxx.198.63:443
<VirtualHost xxx.xxx.198.63:443>
SSLEngine On
SSLCertificateFile crt3
SSLCertificateKeyFile key3
</VirtualHost>
Listen xxx.xxx.198.64:443
NameVirtualHost xxx.xxx.198.64:443
<VirtualHost xxx.xxx.198.64:443>
SSLEngine On
SSLCertificateFile crt4
SSLCertificateKeyFile key4
</VirtualHost>
-----
The old server is still up and running. I've upgraded Apache on that system
to the same version (2.0.58) and copied httpd.conf to that machine. The above
configuration somehow works correctly there.
I've been trying to debug this using "openssl s_client -state -connect" and I
do see some relevant differences, but I've been unable to interpret them.
I know this report lacks a lot of possibly relevant details. But I didn't
want to send the whole httpd.conf and all of the terminal output to this
list.
Is there an obvious mistake in my configuration? Or have I stumbled on a bug
in Apache 2.0.58?
Met groet,
Frank.
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEe4tVst+vzJSwZikRAq+sAJ4mHff+nYpHLXBgfoQdFIYVBMRhYgCgw29G
ZcxkcdgHNKCofvRN3Hc5miA=
=BwdU
-----END PGP SIGNATURE-----
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
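
Added example, not part of the original thread: one way to check, per IP-based VirtualHost, whether the certificate actually served matches the SSLCertificateFile configured for that address, which is the comparison being done by hand with openssl s_client in the question. The function names, the 192.0.2.x addresses and the stand-in PEM data are constructed for illustration.

```python
import base64, hashlib, re, ssl

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)
CERT_RE = re.compile(r"^\s*SSLCertificateFile\s+(\S+)", re.M | re.I)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def expected_certs(conf_text):
    """Map each VirtualHost 'address:port' to the SSLCertificateFile set inside it."""
    found = {}
    for addr, body in VHOST_RE.findall(conf_text):
        m = CERT_RE.search(body)  # does not match SSLCertificateChainFile/KeyFile
        if m:
            found[addr] = m.group(1)
    return found

def fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first certificate found in a PEM text."""
    der = base64.b64decode(PEM_RE.search(pem_text).group(1))
    return hashlib.sha256(der).hexdigest()

def fetch_pem(addr):
    """Fetch the leaf certificate presented on address:port (no chain validation)."""
    host, port = addr.rsplit(":", 1)
    return ssl.get_server_certificate((host, int(port)))

def audit(conf_text, read_pem, fetch=fetch_pem):
    """Return {addr: (cert_file, served_matches_configured)} for every SSL vhost."""
    report = {}
    for addr, cert_file in expected_certs(conf_text).items():
        same = fingerprint(read_pem(cert_file)) == fingerprint(fetch(addr))
        report[addr] = (cert_file, same)
    return report

# --- constructed sample input (placeholder addresses and file names) ---
SAMPLE_CONF = "".join(
    f"Listen 192.0.2.{n}:443\n<VirtualHost 192.0.2.{n}:443>\nSSLEngine On\n"
    f"SSLCertificateFile crt{n}\nSSLCertificateKeyFile key{n}\n</VirtualHost>\n"
    for n in (1, 2, 3, 4))

def fake_pem(name):
    """Constructed stand-in PEM: the payload is just the file name, not a real cert."""
    body = base64.b64encode(name.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Simulate the reported symptom: every address serves the first vhost's cert.
    first_only = lambda addr: fake_pem("crt1")
    for addr, (cert, ok) in audit(SAMPLE_CONF, fake_pem, first_only).items():
        print(addr, cert, "OK" if ok else "MISMATCH")
```

Against a live server, pass a read_pem that reads the certificate file from disk and leave fetch at its default; running the same audit on the old and new hosts shows which addresses diverge.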