SSL and Virtual hosts
Hello,

I have this server that I'm going to run several virtualhosts on. The servers are for this example named test1, test2 and test3. The server listens on two IPs: .10 and .11. Server test1 and test2 should listen on IP .10, and test3 on IP .11.

The server certificate for test1 and test3 presents the correct certificate as it should. However, the server test2 certificate does not. It presents the test1 certificate (probably because of the same use of IP-address) instead of the correct test2 - which in turn makes the clients pop up a warning about the requestion because the certificate is not issued to the correct name (- The server's name test2.mydomain.org does not match the certificate's name test1.mydomain.org. Somebody may be trying to eavesdrop on you.)

Is there a way to make it present the correct certificate for the correct named server (on the same IP)?

I'm running Debian testing latest versions on an i686:
Server Version: Apache/1.3.29 Ben-SSL/1.52 (Debian GNU/Linux)
debian versions: apache-ssl 1.3.29.0.1-5

Regards,
Svein Seldal

Part of my httpd.conf:
--
    SSLDisable
    SSLVerifyClient 2
    # my other SSL settings

    Listen 192.168.0.10:443
    Listen 192.168.0.11:443

    NameVirtualHost 192.168.0.10:443
    NameVirtualHost 192.168.0.11:443

    <VirtualHost 192.168.0.10:443>
        ServerName test1.mydomain.org
        SSLEnable
        SSLRequireSSL
        SSLCertificateFile /path/test1.crt
        SSLCertificateKeyFile /path/test1.key
        SSLCACertificateFile /path/test1_okaccess.crt
        # other HTML definitions
    </VirtualHost>

    <VirtualHost 192.168.0.10:443>
        ServerName test2.mydomain.org
        SSLEnable
        SSLRequireSSL
        SSLCertificateFile /path/test2.crt
        SSLCertificateKeyFile /path/test2.key
        SSLCACertificateFile /path/test2_okaccess.crt
        # other HTML definitions
    </VirtualHost>

    <VirtualHost 192.168.0.11:443>
        ServerName test3.mydomain.org
        SSLEnable
        SSLRequireSSL
        SSLCertificateFile /path/test3.crt
        SSLCertificateKeyFile /path/test3.key
        SSLCACertificateFile /path/test3_okaccess.crt
        # other HTML definitions
    </VirtualHost>

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: SSL and Virtual hosts
On Fri, Feb 20, 2004 at 11:18:10AM +0100, Svein E. Seldal wrote:
> I'm running Debian testing latest versions on an i686:
> Server Version: Apache/1.3.29 Ben-SSL/1.52 (Debian GNU/Linux)
> debian versions: apache-ssl 1.3.29.0.1-5

You're asking on the wrong list then - this is the mod_ssl list, while you're running apache-ssl which lives at http://www.apache-ssl.org/

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
RE: SSL and Virtual hosts
-Original Message-
From: Mads Toftum [mailto:[EMAIL PROTECTED]

> > Server Version: Apache/1.3.29 Ben-SSL/1.52 (Debian GNU/Linux)
> > debian versions: apache-ssl 1.3.29.0.1-5
>
> You're asking on the wrong list then - this is the mod_ssl list, while
> you're running apache-ssl which lives at http://www.apache-ssl.org/

Of course you're right, but since it's a Friday and since this is the number one Frequently Made Mistake on SSL and since it applies equally to apache-ssl, mod_ssl or any other implementation of SSL:

You are trying to do name-based virtual-hosting with SSL. You can't. It's not an apache problem, it's a fundamental limitation of the HTTPS protocol.

See http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 for the mod_ssl explanation. Probably apache-ssl will have a similar FAQ.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.
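
Added example, not part of the thread and not code from mod_ssl or apache-ssl: a small configuration check for the situation in the first post, which reports every SSL virtual host whose certificate can never be presented because an earlier virtual host is bound to the same IP:port. It assumes a server that chooses the certificate from the address alone (no SNI), as in this thread, and that the first virtual host defined on an address supplies it; the function names and the trimmed sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the three vhosts from the first post, trimmed to the relevant directives.
SAMPLE_CONF = """\
<VirtualHost 192.168.0.10:443>
ServerName test1.mydomain.org
SSLCertificateFile /path/test1.crt
</VirtualHost>
<VirtualHost 192.168.0.10:443>
ServerName test2.mydomain.org
SSLCertificateFile /path/test2.crt
</VirtualHost>
<VirtualHost 192.168.0.11:443>
ServerName test3.mydomain.org
SSLCertificateFile /path/test3.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """First value of a directive inside a vhost body, or None."""
    m = re.search(r"^[ \t]*%s[ \t]+(\S+)" % re.escape(name), body, re.M | re.I)
    return m.group(1) if m else None

def parse_ssl_vhosts(conf):
    """Map each listen address to its SSL vhosts, in definition order."""
    conf = re.sub(r"^[ \t]*#.*$", "", conf, flags=re.M)  # drop comment lines
    groups = {}
    for addrs, body in VHOST_RE.findall(conf):
        cert = directive(body, "SSLCertificateFile")
        if cert is None:
            continue  # no certificate configured: not an SSL vhost
        for addr in addrs.split():
            groups.setdefault(addr, []).append((directive(body, "ServerName"), cert))
    return groups

def shadowed_certificates(conf):
    """Return (address, server_name, configured_cert, served_cert) tuples."""
    findings = []
    for addr, vhosts in parse_ssl_vhosts(conf).items():
        served = vhosts[0][1]  # assumption: first vhost on the address wins
        for name, cert in vhosts[1:]:
            if cert != served:
                findings.append((addr, name, cert, served))
    return findings

if __name__ == "__main__":
    print(shadowed_certificates(SAMPLE_CONF))
```

On the sample it reports test2.mydomain.org on 192.168.0.10:443, the host whose clients were shown the test1 certificate.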