Re: Multiple SSL Virtualhosts on Apache 1.3

2002-11-06 Thread Steve Johnson
I just choose one good generic domain, i.e. secure.mydomain.com, get that
signed, and put anything that's passing sensitive info (sign-ups, forms,
logins, etc.) to that location.  I've found it much better to send users
to another domain that has a signed cert than to keep them in the
domain with an unsigned cert.  It saves money too.

On Tue, 2002-11-05 at 04:00, DEFFONTAINES Vincent wrote:
> Greetings,
>
> I managed to create several Virtualhosts on an apache-ssl (1.3) server (same
> IP, same port, several names).
>
> The trick is to use the same Certificate for every Virtualhost, which will
> of course generate a warning on browsers, due to the certificate not matching
> most of the site names. But it does work.
>
> For clarity, below is an extract of httpd.conf.
>
> I am wondering whether anyone else uses that in a production environment,
> and whether this working is due to a side-effect of the way apache works. I
> didn't find it in any doc nor any howto.
>
> The non-matching {site name/certificate} is indeed a drawback, but maybe it can
> be turned around? If I have an official certificate for ssl.foo.com, and I
> use it for foo{n}.ssl.foo.com, maybe it could be secure enough for some
> applications? (Just like I noticed the HTTPS certificate for
> mail.yahoo.com is actually signed for login.yahoo.com.)
>
> Since I have read at several places on the Web that it was not possible
> to build several HTTPS VirtualHosts on the same IP/Port, I'd like to add
> this to the discussion.
>
> Your comments will be appreciated.
>
> Vincent
>
>
> *
> httpd.conf sample :
>
> <VirtualHost 1.2.3.4:443>
>    ServerName ssl1.bar.com
>    SSLEngine On
>    SSLCertificateFile /etc/apache/certificate/server.crt
>    SSLCertificateKeyFile /etc/apache/certificate/server.key
>    SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown
>    CustomLog /var/log/apache/ssl1_request_log common
>    ErrorLog /var/log/apache/ssl1-error.log
>    DocumentRoot /var/www/ssl1/
> </VirtualHost>
>
> <VirtualHost 1.2.3.4:443>
>    ServerName ssl2.bar.com
>    SSLEngine On
>    SSLCertificateFile /etc/apache/certificate/server.crt
>    SSLCertificateKeyFile /etc/apache/certificate/server.key
>    SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown
>    CustomLog /var/log/apache/ssl2_request_log common
>    ErrorLog /var/log/apache/ssl2-error.log
>    DocumentRoot /var/www/ssl2/
> </VirtualHost>
> *
>
>
>
>  .''`.| Vincent Deffontaines
> : :'  :   Debian GNU/Linux| Network Administrator
> `. `~'http://www.debian.org   | Council of Europe
>   `-
 
 



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Multiple SSL Virtualhosts on Apache 1.3

2002-11-05 Thread DEFFONTAINES Vincent
Greetings,

I managed to create several Virtualhosts on an apache-ssl (1.3) server (same
IP, same port, several names).

The trick is to use the same Certificate for every Virtualhost, which will
of course generate a warning on browsers, due to the certificate not matching
most of the site names. But it does work.

For clarity, below is an extract of httpd.conf.

I am wondering whether anyone else uses that in a production environment,
and whether this working is due to a side-effect of the way apache works. I
didn't find it in any doc nor any howto.

The non-matching {site name/certificate} is indeed a drawback, but maybe it can
be turned around? If I have an official certificate for ssl.foo.com, and I
use it for foo{n}.ssl.foo.com, maybe it could be secure enough for some
applications? (Just like I noticed the HTTPS certificate for
mail.yahoo.com is actually signed for login.yahoo.com.)

Since I have read at several places on the Web that it was not possible
to build several HTTPS VirtualHosts on the same IP/Port, I'd like to add
this to the discussion.

Your comments will be appreciated.

Vincent


*
httpd.conf sample :

# Two name-based vhosts on the same IP:port, both pointing at the same
# certificate and key pair.
<VirtualHost 1.2.3.4:443>
   ServerName ssl1.bar.com
   SSLEngine On
   SSLCertificateFile /etc/apache/certificate/server.crt
   SSLCertificateKeyFile /etc/apache/certificate/server.key
   # mod_ssl's usual MSIE workaround: no keepalive, tolerate unclean SSL shutdown
   SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown
   CustomLog /var/log/apache/ssl1_request_log common
   ErrorLog /var/log/apache/ssl1-error.log
   DocumentRoot /var/www/ssl1/
</VirtualHost>

<VirtualHost 1.2.3.4:443>
   ServerName ssl2.bar.com
   SSLEngine On
   SSLCertificateFile /etc/apache/certificate/server.crt
   SSLCertificateKeyFile /etc/apache/certificate/server.key
   SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown
   CustomLog /var/log/apache/ssl2_request_log common
   ErrorLog /var/log/apache/ssl2-error.log
   DocumentRoot /var/www/ssl2/
</VirtualHost>
*



 .''`.| Vincent Deffontaines
: :'  :   Debian GNU/Linux| Network Administrator
`. `~'http://www.debian.org   | Council of Europe
  `-






Re: Multiple SSL Virtualhosts on Apache 1.3

2002-11-05 Thread Jakub Ambrożewicz
On Tue, 5 Nov 2002, DEFFONTAINES Vincent wrote:

 
> Since I have read at several places on the Web that it was not possible
> to build several HTTPS VirtualHosts on the same IP/Port, I'd like to add
> this to the discussion.
>
> Your comments will be appreciated.

IMHO if you want a secure connection it's OK, but
if you want your clients to trust the content it's
not. While your virtual domains are a.domain.com
and b.domain.com it's acceptable, but what about
the domains a.domain.com and b.otherdomain.com? The same cert
for them looks suspicious.

JA






Re: Multiple SSL Virtualhosts on Apache 1.3

2002-11-05 Thread Lupe Christoph
On Tuesday, 2002-11-05 at 11:00:46 +0100, DEFFONTAINES Vincent wrote:

> I managed to create several Virtualhosts on an apache-ssl (1.3) server (same
> IP, same port, several names).
>
> The trick is to use the same Certificate for every Virtualhost, which will
> of course generate a warning on browsers, due to the certificate not matching
> most of the site names. But it does work.

You can't use name-based virtual hosts with different certificates
because SSL processing is done before the HTTP headers are transferred,
and name-based virtual hosts are selected based on the header line
Host:.

When you use address-based virtual hosts, the certificates are associated
with individual addresses, and are available at the right time.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be|
| unsinkable. The designer had a speech impediment. He said: I have |
| thith great unthinkable conthept ...  |






Re: Multiple SSL Virtualhosts on Apache 1.3

2002-11-05 Thread Jan Meijer
> The trick is to use the same Certificate for every Virtualhost, which will
> of course generate a warning on browsers, due to the certificate not matching
> most of the site names. But it does work.

I disagree ;).  It works in your eyes but the user will only see the
warning pop-up.  That will generate questions.  Not good.

> Since I have read at several places on the Web that it was not possible
> to build several HTTPS VirtualHosts on the same IP/Port, I'd like to add
> this to the discussion.
>
> Your comments will be appreciated.

Did you check this tidbit?
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

Jan






Re: Multiple SSL Virtualhosts on Apache 1.3

2002-11-05 Thread Lionel Elie Mamane
On Tue, Nov 05, 2002 at 11:00:46AM +0100, DEFFONTAINES Vincent wrote:

> I managed to create several Virtualhosts on an apache-ssl (1.3) server (same
> IP, same port, several names).
>
> The trick is to use the same Certificate for every Virtualhost, which will
> of course generate a warning on browsers,
>
> The non-matching {site name/certificate} is indeed a drawback, but
> maybe it can be turned around?

You can use wildcard certificates, with a CN of (e.g.)
*.coe.int. I see two major drawbacks:

 - I'm not sure most CAs will sign wildcard certificates. It's better
   for them if you buy a dozen certificates than ONE wildcard
   certificate.

   Not an issue if you run your own CA.

 - When I tried this, the infamous Microsoft Internet Explorer totally
   barfed on the wildcard certificate.


If web administrators are separate from (whatever else) administrators
at your site, then the web administrators will be able to masquerade
(at the SSL level) for any machine in the domain: Print servers, ftp
server, ...

-- 
Lionel


msg07623/pgp0.pgp
Description: PGP signature
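As an added example (not code from the thread or from Apache), the browser-side name check that produces the warning the posts describe: given a certificate in the dict layout Python's ssl.SSLSocket.getpeercert() returns, it reports which of Vincent's ServerNames a cert issued for ssl.foo.com actually covers, and applies the one-label rule to a wildcard such as Lionel's *.coe.int. The certificate dicts and hostnames are constructed; fetch_peer_cert is the live variant and needs network access.

```python
"""Added example: the browser-side name check behind the warning in this
thread. Certificates use the dict layout ssl.SSLSocket.getpeercert()
returns; matching follows browser rules (exact name, or a wildcard that
stands for exactly one DNS label)."""
import socket
import ssl

# Constructed sample, not a real certificate: the one cert Vincent's vhosts
# share, issued for ssl.foo.com only.
SHARED_CERT = {"subject": ((("commonName", "ssl.foo.com"),),)}
THREAD_VHOSTS = ["ssl1.bar.com", "ssl2.bar.com", "foo1.ssl.foo.com"]

def cert_names(cert):
    """All DNS subjectAltNames, or the subject CN when there is no SAN
    extension (the usual case for a 2002-era certificate)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Case-insensitive exact match, or a leading '*' standing for exactly
    one label: *.coe.int covers www.coe.int but not a.b.coe.int or coe.int."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        pl, hl = p.split("."), h.split(".")
        return len(pl) == len(hl) and pl[1:] == hl[1:]
    return False

def audit_vhosts(cert, server_names):
    """Map each ServerName sharing this cert to True (no warning) or False
    (the browser shows the name-mismatch warning)."""
    return {n: any(name_matches(c, n) for c in cert_names(cert))
            for n in server_names}

def fetch_peer_cert(host, port=443):
    """Live variant (needs network): verify the chain but skip the built-in
    name check, so a mismatching cert is returned for auditing, not rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Running audit_vhosts(SHARED_CERT, THREAD_VHOSTS) marks all three names False, which is exactly the warning every visitor to ssl1.bar.com and ssl2.bar.com gets with the shared certificate.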

