On 16-07-2010 15:31, Richard Buskirk wrote:
I sent this situation off to the help team but maybe it is either that stupid 
or that hard.

I have installed 2 SSL Certs on my server.
I am using a naming convention for apache configuration for each cert.

Server: Windows server 2008, Apache/2.2.14 (Win32) mod_ssl/2.2.14 
OpenSSL/0.9.8k PHP/5.2.11

httpd-vhost.conf
___________________________
NameVirtualHost *:443
<VirtualHost *:443>
     SSLEngine on
     SSLCertificateFile "C:\\certs\\ServerA.crt"
     SSLCertificateKeyFile "C:\\certs\\ServerA.key"
     ServerName www.ServerA.com
     SSLOptions StrictRequire
     SSLProtocol all -SSLv2
     ServerAdmin notice@ServerA.com
     DocumentRoot "C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ServerA"
     ErrorLog "C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access-ServerA.log"
     CustomLog "logs/access-ssl-www.ServerA.com" common
</VirtualHost>


<VirtualHost *:443>
     SSLEngine on
     SSLCertificateFile "C:\\certs\\ServerB.crt"
     SSLCertificateKeyFile "C:\\certs\\ServerB.key"
     ServerName www.ServerB.com
     SSLOptions StrictRequire
     SSLProtocol all -SSLv2
     ServerAdmin notice@ServerB.com
     DocumentRoot "C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ServerB"
     ErrorLog "C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access-ServerB.log"
     CustomLog "logs/access-ssl-www.ServerB.com" common
</VirtualHost>


Here is where my scenario goes very weird.  A computer with Windows 7 browses to 
both locations and everything is perfect.
A computer with Windows XP browses to siteA with no issue. But if they go to 
siteB, the cert for siteA is used on siteB's load every time, no matter what 
computer they are on.
SiteB does show the proper site, but the cert is the wrong cert. This fails 
in Firefox, IE, Safari and Google Chrome on Windows XP.

Any suggestions?
Does what I am saying make sense?

It looks like you are trying to serve up two different certificates on the same IP address (all addresses of your server = *) and port (443), depending on the DNS name the browser used to locate the server.

This is a very recent extension to the SSL/TLS protocols and is probably only implemented by a few very new browsers, such as the IE version in Windows 7. Older browsers not implementing this recent
standard just have no way of telling the server which certificate they
want, and so the server uses the first one in its configuration.

There are two standard solutions to this problem (until most of the
world's SSL clients implement the extensions):

A) Give your server two IP addresses (such as 10.0.0.1 and 10.0.0.2),
make www.ServerA.com point to 10.0.0.1 and www.ServerB.com point to
10.0.0.2.  Finally, in your Apache config, specify those addresses in
place of the * for the different configurations.
  Benefit: Traditional.  Problem: Uses more IPv4 addresses.

B) Get the CA to issue a single certificate valid for both server names
(e.g. by specifying both names in various certificate fields). Then tell Apache to do normal virtual hosting but with a single SSL certificate.
  Benefit: Uses only one IPv4 address per server.
  Problem: Not all combinations of server names can be combined in
  a single certificate if compatibility with many browser
  implementations is needed.  Others on this list can probably say
  which combinations are technically possible, and how.
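A client-side check for the symptom described above, as an added example that is not part of this thread or of Apache/OpenSSL: it performs one handshake with the SNI extension and one without, and reports whether the certificate for the requested name is served in both cases (solutions A and B) or only with SNI (what the Windows XP clients hit). The IP 203.0.113.10, the script name and the certificate dictionaries are constructed; a live run needs a certificate chain the local CA store trusts, because ssl.getpeercert() returns an empty dictionary for an unverified peer.

```python
# Added example, not from this thread: does a site rely on SNI to present the
# right certificate, i.e. will a client that sends no SNI get the wrong one?
# Needs a chain the local CA store trusts; the IP and certs below are constructed.
import socket
import ssl
import sys

def cert_names(cert):
    """CN plus DNS SANs from an ssl.getpeercert() dictionary, lower-cased."""
    names = {v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
             if k == "commonName"}
    names |= {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return names

def hostname_matches(hostname, names):
    """Exact match, or a single left-most wildcard label (what browsers accept)."""
    host = hostname.lower()
    return any(n == host or (n.startswith("*.") and host.endswith(n[1:])
                             and host.count(".") == n.count(".")) for n in names)

def classify(hostname, cert_with_sni, cert_without_sni):
    """'ok': right cert even without SNI (own IP, or a multi-name cert, solution B);
    'sni-only': right cert only with SNI (the Windows XP symptom); 'broken': neither."""
    with_sni = hostname_matches(hostname, cert_names(cert_with_sni))
    without = hostname_matches(hostname, cert_names(cert_without_sni))
    return "ok" if with_sni and without else "sni-only" if with_sni else "broken"

def fetch_cert(ip, port, sni):
    """One handshake with (sni=hostname) or without (sni=None) the SNI extension."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared above; the chain is still verified
    with socket.create_connection((ip, port), timeout=5) as sock, \
            ctx.wrap_socket(sock, server_hostname=sni) as tls:
        return tls.getpeercert()

# Constructed certificates mirroring the thread; ServerA's vhost comes first in the file.
CERT_A = {"subject": ((("commonName", "www.ServerA.com"),),),
          "subjectAltName": (("DNS", "www.ServerA.com"),)}
CERT_B = {"subject": ((("commonName", "www.ServerB.com"),),),
          "subjectAltName": (("DNS", "www.ServerB.com"),)}
CERT_AB = {"subject": ((("commonName", "www.ServerA.com"),),),  # solution B
           "subjectAltName": (("DNS", "www.ServerA.com"), ("DNS", "www.ServerB.com"))}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # live check: <script> 203.0.113.10 www.ServerB.com
        ip, host = sys.argv[1], sys.argv[2]
        print(classify(host, fetch_cert(ip, 443, host), fetch_cert(ip, 443, None)))
    else:  # offline demo on the constructed certificates
        print(classify("www.ServerB.com", CERT_B, CERT_A))    # sni-only
        print(classify("www.ServerB.com", CERT_AB, CERT_AB))  # ok
```

Run against the poster's server with www.ServerB.com, a result of "sni-only" confirms the diagnosis in the reply; after applying solution A or B the same run should report "ok".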



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
