RE: Chicken and Egg

2002-10-24 Thread Boyle Owen
What you see is predictable - your setup appears to work because apache
fetches the certificate from the first VH (since it can't tell which VH
to use). Once it gets a cert, it can then establish an SSL session and so
can then see inside the HTTP request. It can then see the Host header
and serve up the correct VH.

However, this is not a solution for the real world because, as you
observe, whenever you request the second VH, apache will use the cert
from the first VH and so the browser will report a conflict.

The way you have it set up leaves you vulnerable to man-in-the-middle
exploits since you have lost the *authentication* aspect of SSL. This is
just as important as encryption. For example, imagine you sent your
money to the bank in an armoured car, but the bank turned out just to be
a front door...

I guess you will say, but it's just a lab setup, I don't care about
authentication - well that's fine, but why then do you need encryption?


-Original Message-
From: Roman Ivanov [mailto:ivanov_r;samsung.ru]
Sent: Donnerstag, 24. Oktober 2002 15:06
To: [EMAIL PROTECTED]
Subject: Chicken and Egg


Hello All!

I've just installed modssl. I want to clarify the chicken and egg problem
for me.
I use modssl only for internal purposes, so I use 1 self-made
certificate on two sites.
It is not a problem that the certificate does not match the site name.
I have in httpd.conf:

<VirtualHost IP:443>
ServerName A
...other directives...
</VirtualHost>

<VirtualHost IP:443>
ServerName B
...other directives...
</VirtualHost>

In logs:
[...] [warn]  Init: SSL server IP/port conflict: A:443 (httpd.conf:...)
vs. B:443 (httpd.conf:...)
[...] [warn]  Init: You should not use name-based virtual hosts in
conjunction with SSL!!


But https://B works and https://A works too.

Q
My question is: I didn't meet the chicken and egg problem here because I
share one certificate between two servers?
Am I right?


Regards.
Roman Ivanov
CIS HQ SAMSUNG ELECTRONICS CO., LTD
web-master
TEL: +7-(095)-7972309
ICQ UIN #8160057

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

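The conflict that mod_ssl logs at startup in the message above can be caught before Apache is started, with a configuration check. The following Python script is an added example written for this page; it is not code from the thread, from mod_ssl or from the Apache project, and the IP addresses, hostnames and file paths in its two sample configurations are constructed placeholders. It groups the SSL-enabled <VirtualHost> blocks of an httpd.conf by listen address and reports every address that carries more than one ServerName, and it shows the corrected form beside the conflicting one: one address and one certificate per name, which is the IP-based setup the warning asks for.

```python
import re
from collections import defaultdict

# Constructed sample configuration reproducing the shape of the one in the
# original post: two name-based virtual hosts on the same address and port,
# sharing one self-signed certificate. The address and file names are
# placeholders, not the poster's real values.
CONFLICTING_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName A
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/shared.crt
    SSLCertificateKeyFile /etc/httpd/ssl/shared.key
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName B
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/shared.crt
    SSLCertificateKeyFile /etc/httpd/ssl/shared.key
</VirtualHost>
"""

# Constructed corrected form: IP-based virtual hosts, one address and one
# certificate per name, so mod_ssl knows which certificate to present before
# it has read the Host header.
FIXED_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName A
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/a.crt
    SSLCertificateKeyFile /etc/httpd/ssl/a.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName B
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/b.crt
    SSLCertificateKeyFile /etc/httpd/ssl/b.key
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(.+?)[ \t]*$", re.M)


def parse_vhosts(conf):
    """Extract each <VirtualHost> block as a dict of the directives we care about."""
    vhosts = []
    for block in VHOST_RE.finditer(conf):
        vhost = {
            "addr": block.group(1).strip(),
            "ServerName": None,
            "SSLEngine": "off",
            "SSLCertificateFile": None,
        }
        for directive in DIRECTIVE_RE.finditer(block.group(2)):
            key, value = directive.group(1), directive.group(2)
            if key in vhost:
                vhost[key] = value
        vhosts.append(vhost)
    return vhosts


def find_ssl_conflicts(conf):
    """Return (addr, [server names], cert file) for every listen address that
    carries more than one SSL-enabled virtual host.

    Apache must present a certificate during the SSL handshake, before any HTTP
    request (and therefore the Host header) has been read, so with several
    name-based SSL vhosts on one address it always uses the first vhost's
    certificate; that is the conflict mod_ssl warns about at startup.
    Addresses are compared as literal strings: '*:443' and an explicit IP
    are not folded together here.
    """
    by_addr = defaultdict(list)
    for vhost in parse_vhosts(conf):
        if vhost["SSLEngine"].lower() == "on":
            by_addr[vhost["addr"]].append(vhost)
    return [
        (addr, [v["ServerName"] for v in vhosts], vhosts[0]["SSLCertificateFile"])
        for addr, vhosts in by_addr.items()
        if len(vhosts) > 1
    ]


def describe_conflicts(conf):
    """Render each conflict as a one-line warning in the spirit of the
    mod_ssl startup message."""
    lines = []
    for addr, names, cert in find_ssl_conflicts(conf):
        lines.append(
            f"SSL server IP/port conflict on {addr}: {' vs. '.join(names)}; "
            f"every name will be served with the first vhost's certificate ({cert})"
        )
    return lines


if __name__ == "__main__":
    for label, conf in (("conflicting", CONFLICTING_CONF), ("fixed", FIXED_CONF)):
        warnings = describe_conflicts(conf)
        print(f"{label}: {len(warnings)} conflict(s)")
        for line in warnings:
            print("  [warn] " + line)
```

The check models the pre-SNI behaviour the thread describes; later Apache releases that support SNI (Server Name Indication) let the client name the host inside the SSL handshake so that mod_ssl can pick the matching certificate, but the grouping above is still the quickest way to see which names would silently share one certificate on an older build.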



RE: Chicken and Egg

2002-10-24 Thread Cabuzel Thierry
 -Original Message-
 From: Boyle Owen [mailto:[EMAIL PROTECTED]]
 Sent: jeudi 24 octobre 2002 16:18
 To: [EMAIL PROTECTED]
 Subject: RE: Chicken and Egg
 
 I guess you will say, but it's just a lab setup, I don't care about
 authentication - well that's fine, but why then do you need 
 encryption?


Perhaps he doesn't need encryption either :) I am setting up a web folder on my web server with mod_dav. But the firewall of my company is so old (well, no comment :)) that it doesn't recognize some of the extensions of the HTTP 1.1 protocol needed by mod_dav. It reacts to this by blocking these requests, rendering my web folder unusable. My only workaround is to put my folder in an SSL channel to go through the firewall, letting it pass because it can't control what's going on :) I just need the SSL channel. I don't bother about the encryption (nothing would be enough as long as the firewall doesn't try to block me) and less about the authentication :)




RE: Chicken and Egg

2002-10-24 Thread R. DuFresne
On Thu, 24 Oct 2002, Cabuzel Thierry wrote:

  -Original Message-
  From: Boyle Owen [mailto:Owen.Boyle;swx.com]
  Sent: jeudi 24 octobre 2002 16:18
  To: [EMAIL PROTECTED]
  Subject: RE: Chicken and Egg
  
  I guess you will say, but it's just a lab setup, I don't care about
  authentication - well that's fine, but why then do you need 
  encryption?
 
 Perhaps he doesn't need encryption either :) I am setting up a web folder on my
 web server with mod_dav. But the firewall of my company is so old (well, no
 comment :)) that it doesn't recognize some of the extensions of the HTTP 1.1
 protocol needed by mod_dav. It reacts to this by blocking these requests,
 rendering my web folder unusable. My only workaround is to put my folder
 in an SSL channel to go through the firewall, letting it pass because it
 can't control what's going on :) I just need the SSL channel. I don't bother
 about the encryption (nothing would be enough as long as the firewall doesn't
 try to block me) and less about the authentication :)
 

If you are gaining ssl/https, you have encryption, you just do not have
authentication.  Thus you are tunneling the required needs of the mod_dav
traffic within the encrypted ssl space to achieve your means of
circumventing the firewall/proxy wishes.  You might well be better off
here working with the firewall/proxy admin to define the needs and open
the proxy to serve them properly.  Otherwise, if you are circumventing
policy, you might find your access in deeper trouble once the
circumvention is discovered.

Owen's advice to the previous, primary requestor in this thread is good;
he suggests that that person actually do things right and correct, to get
full use of what he has compiled and is trying to design, rather than
working with a semi-broken implementation that does not fully grant the
authentication the clients of the website are going to trust and want.

Thanks,


Ron DuFresne
-- 
~~
admin  senior security consultant:  sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!
