RE: ModSSL and VirtualHosts
It's an ingenious attempt and it may seem to work but there is a lot going on that you might not be aware of. Consider what happens when someone types https://domain2/; into their browser: - the browser gets the IP address for domain2 (which is the same IP address as domain1) and then sends a packet to port 433 at that address requesting an SSL session. - the server receives an SSL request on port 443. That's all it gets. So what VH is it to use? By default, it just looks in the first one - so it sends domain1.cert. - the browser gets the cert and opens it. That's funny, thinks the browser, I asked for domain2, but this cert is for domain1... I'd better warn my master. So it pops up an alert window warning you that the certificate does not match the site name. You have to click OK. - the browser is reassured so continues with the SSL channel setup. It then requests the webpage from the server. - the server gets the encrypted request and, since it now has a working SSL channel, decrypts it. Now it can see inside and get the host header. So at last it can see that he request is for domain2. So it goes into the domain2 VH where it hits the rewrite rule! So it sends a redirect to send the browser to domain2:444. - The browser gets the redirect and off it goes to domain2:444. This time there is no ambiguity since there is only one VH. So it gets the correct cert, sends it to the browser and this time there is no warning because now the site and cert match. The point of the story is that you are still using the wrong cert to set up the initial SSL channel. Unless you define the port in the original request, there is no way to get the server to identify the correct VH - it will always use the first one. To put it another way, you don't really need to bother with the VH on port 444 - if you don't mind that the session is established with the domain1 cert, you can just leave it and after the SSL channel is established name-based VH will work. Alternatively, you can put the rewrite rule into the domain1 VH (though you need to change it so it trips on the servername) and dispense with the domain2:443 VH. The trouble with using the wrong cert is that it is not a general solution since it violates the authentication aspect of SSL. SSL is not only about encryption, it is also about ensuring that the site you are talking to is authentic. Encryption is like sending your money to the bank in an armoured car. Authentication is making sure the armoured car really does go to the bank. Rgds, Owen Boyle -Original Message- From: fred [mailto:fred;skyturn.net] Sent: Donnerstag, 7. November 2002 18:54 To: [EMAIL PROTECTED] Subject: Re: ModSSL and VirtualHosts Hello, I was the first one (of today) I anderstand your ###!!!???. Its ###:::/??? to repeat ten times the same thing. I hope that my answer will help people to configure multi ssl with one IP. Personaly I can not have an other IP so I use the same ip whith different port and I use mod Rewrite to redirect to the new port and it work very well. ex: IfDefine SSL Listen *:80 Listen *:443 Listen *:444 /IfDefine NameVirtualHost MY_IP:443 VirtualHost MY_IP:443 DocumentRoot /home/web/SSL/dmaine1/htdocs ServerName domaine1 ServerAdmin root@localhost SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /usr/local/apache/conf/ssl.crt/domaine1.crt SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domaine1.key Files ~ \.(cgi|shtml|phtml|php3?)$ SSLOptions +StdEnvVars /Files Directory /usr/local/apache/cgi-bin SSLOptions +StdEnvVars /Directory SetEnvIf User-Agent .*MSIE.* \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog /usr/local/apache/logs/ssl_request_log \ %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \%r\ %b /VirtualHost VirtualHost MY_IP:443 DocumentRoot /home/web/SSL/domaine2/htdocs ServerName domaine2 ServerAdmin root@localhost RewriteEngine On RewriteRule ^/(.*)$ https://domaine2:444/$1 [R] SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /usr/local/apache/conf/ssl.crt/domaine2.crt SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domaine2.key Files ~ \.(cgi|shtml|phtml|php3?)$ SSLOptions +StdEnvVars /Files Directory /usr/local/apache/cgi-bin SSLOptions +StdEnvVars /Directory SetEnvIf User-Agent .*MSIE.* \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog /usr/local/apache/logs/ssl_request_log \ %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \%r\ %b /VirtualHost VirtualHost MY_IP:444 DocumentRoot /home/web/SSL/domaine2/htdocs ServerName domaine2 ServerAdmin root@localhost SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /usr/local/apache/conf/ssl.crt/domaine2.crt
RE: ModSSL and VirtualHosts
PLease type SSL name-based virtual hosts into Google and read some of the replies - I can't bear to explain this one again... -Original Message- From: Alex [mailto:alex;damngeek.com] Sent: Donnerstag, 7. November 2002 17:55 To: [EMAIL PROTECTED] Subject: ModSSL and VirtualHosts I think I'm missing a few key points here, so I'm not able to find the answers by myself. Hate to sound like a newbie, but I'm getting a little frustrated. Lets say I have this: VirtualHost * DocumentRoot /usr/local/www/domain1 ServerName domain1.dom /VirtualHost VirtualHost * DocumentRoot /usr/local/www/wwwdomain1 ServerName www.domain1.dom /VirtualHost This works just great, both sites would show up and show the correct directory. I can use the * or the ip address for the VirtualHost, both with the same results. All I can get with the https://... is the default directory saying apache is installed. Now I can change the default directory in the VirtualHost for _default_:443 and it will point to which ever directory I want, with ssl. How do I get https://domain1.dom the same as http://domain1.dom, and https://www.domain1.dom the same as http://www.domain1.dom? Or is it by design only to work with one directory? Oh, and to possibly add to any confusion, this is a freebsd 4.7 box with a private ip (firewalled) with apache+mod_ssl-1.3.27+2.8.12. Any help would be appreciated. Thanks for your time. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: ModSSL and VirtualHosts
Sorry. That last post was harsh - it's been a long day. But everyone (including me) who moves into SSL immediately wonders why name-based VHs don't work. You are the second person *today* to ask this... The problem is that the packet is encrypted so apache can't see the Host header so doesn't know what VH to use. But it needs the VH in order to decide on the cert - it's a classic Catch-22. There is no workaround (we had a guy today trying rewrite rules - marks for originality, but no cigar). You have to use separate IPs or ports... Rgds, Owen Boyle -Original Message- From: Alex [mailto:alex;damngeek.com] Sent: Donnerstag, 7. November 2002 17:55 To: [EMAIL PROTECTED] Subject: ModSSL and VirtualHosts I think I'm missing a few key points here, so I'm not able to find the answers by myself. Hate to sound like a newbie, but I'm getting a little frustrated. Lets say I have this: VirtualHost * DocumentRoot /usr/local/www/domain1 ServerName domain1.dom /VirtualHost VirtualHost * DocumentRoot /usr/local/www/wwwdomain1 ServerName www.domain1.dom /VirtualHost This works just great, both sites would show up and show the correct directory. I can use the * or the ip address for the VirtualHost, both with the same results. All I can get with the https://... is the default directory saying apache is installed. Now I can change the default directory in the VirtualHost for _default_:443 and it will point to which ever directory I want, with ssl. How do I get https://domain1.dom the same as http://domain1.dom, and https://www.domain1.dom the same as http://www.domain1.dom? Or is it by design only to work with one directory? Oh, and to possibly add to any confusion, this is a freebsd 4.7 box with a private ip (firewalled) with apache+mod_ssl-1.3.27+2.8.12. Any help would be appreciated. Thanks for your time. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]