Re: [Modules] mod_gnutls and domains without its settings
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/08/2010 21:15, Nikos Mavrogiannopoulos wrote:
> If I understand correctly you want to redirect https requests to http
> if the virtual host doesn't exist. You cannot do that, or more
> precisely you cannot do that before the user is presented with a
> certificate. Once the server knows that a virtual host doesn't exist
> the TLS connection has started, and thus will be completed using the
> default first certificate. The best thing you could do is to reject
> those clients completely (by having a default site that doesn't support
> any ciphersuites), or by redirecting after the handshake has been
> completed and the client has been presented with the default
> certificate.
>
> regards,
> Nikos

Thanks a lot for clearing this out for me. I will look into automating the creation of https virtual hosts paired up with http ones.

--
Davide Mirtillo
EV Network, Via Emilio Salgari 14/e
31056 Roncade (TV), Italy
Phone/Fax +390422798184 VAT IT02443090267

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxcIVAACgkQKhoNWaTioebOHACgzaf7XUNGZRjLoYepK6x0W9GU
UkcAoKOVwK6Yxne2+nlV/uurmCVC+e0o
=Nonc
-----END PGP SIGNATURE-----

___
Modules mailing list
Modules@lists.outoforder.cc
http://lists.outoforder.cc/mailman/listinfo/modules
Re: [Modules] mod_gnutls and domains without its settings
If I understand correctly you want to redirect https requests to http if the virtual host doesn't exist. You cannot do that, or more precisely you cannot do that before the user is presented with a certificate. Once the server knows that a virtual host doesn't exist the TLS connection has started, and thus will be completed using the default first certificate. The best thing you could do is to reject those clients completely (by having a default site that doesn't support any ciphersuites), or by redirecting after the handshake has been completed and the client has been presented with the default certificate.

regards,
Nikos

On Thu, Aug 5, 2010 at 2:53 PM, Davide Mirtillo wrote:
> On 04/08/2010 12:20, Nikos Mavrogiannopoulos wrote:
>> On Wed, Aug 4, 2010 at 11:29 AM, Davide Mirtillo wrote:
>>
>>> Replacing _default_ with the network IP seems to work, but with both
>>> your rewrite rule and mine I am now getting this error from the browser:
>>> ssl_error_rx_record_too_long
>>
>> Most probably you didn't enable TLS for this host. You can verify that
>> by connecting with normal HTTP url.
>
> That's correct, I did not add any virtual host for port 443, but that
> was kind of the issue I am having, meaning that I'm trying to create a
> default config to be used whenever the websites have no SSL virtual host
> defined, i.e. redirect them to plain http.
>
> That configuration which was giving me the error above (the one that
> uses IP:443 as VirtualHost) is also breaking the virtual hosts of the
> sites I put the correct certificates in.
>
> --
> Davide Mirtillo
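Two practical checks follow from this exchange: Davide's plan to pair every http virtual host with an https one, and Nikos's two observations that the first :443 virtual host in file order is the one whose certificate an unmatched SNI name receives, and that a :443 host without TLS enabled answers in plain HTTP (the ssl_error_rx_record_too_long seen earlier in the thread). The script below is an added example, not code from the thread or from the mod_gnutls project: it parses VirtualHost blocks with a deliberately simple regex parser (assumptions: the whole configuration is one string with no Include, and ServerName carries no scheme) and reports all three conditions. The configuration it runs on is constructed for the example.

```python
"""Audit an Apache 2.2 / mod_gnutls configuration for: http vhosts with no https
counterpart, which :443 vhost comes first in file order (its certificate is what a
client gets when its SNI name matches no vhost), and :443 vhosts that never switch
TLS on. Added example; assumes a single-string config without Include directives."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|ServerAlias|GnuTLSEnable)\s+(.+?)\s*$",
                          re.IGNORECASE | re.MULTILINE)


@dataclass
class VHost:
    addr: str                                       # "*:80", "192.0.2.10:443", "_default_:443"
    names: list[str] = field(default_factory=list)  # ServerName first, then aliases
    tls: bool = False                               # "GnuTLSEnable on" seen in the block

    @property
    def port(self) -> str:
        return self.addr.rsplit(":", 1)[1] if ":" in self.addr else "80"


def parse_vhosts(text: str) -> list[VHost]:
    """VirtualHost blocks in file order; file order decides the default :443 host."""
    vhosts: list[VHost] = []
    for addr, body in VHOST_RE.findall(text):
        vh = VHost(addr=addr.strip())
        for key, value in DIRECTIVE_RE.findall(body):
            key = key.lower()
            if key == "servername":
                vh.names.insert(0, value.split(":")[0].lower())  # drop an optional :port
            elif key == "serveralias":
                vh.names.extend(v.lower() for v in value.split())
            elif key == "gnutlsenable":
                vh.tls = value.strip().lower() == "on"
        vhosts.append(vh)
    return vhosts


def http_names_without_tls(vhosts: list[VHost]) -> list[str]:
    """Names served on :80 that no TLS-enabled :443 vhost claims (the ones to pair up)."""
    tls_names = {n for vh in vhosts if vh.port == "443" and vh.tls for n in vh.names}
    plain_names = {n for vh in vhosts if vh.port == "80" for n in vh.names}
    return sorted(plain_names - tls_names)


def default_tls_vhost(vhosts: list[VHost]) -> VHost | None:
    """First :443 vhost: its certificate is presented when the SNI name matches nothing."""
    return next((vh for vh in vhosts if vh.port == "443"), None)


def tls_vhosts_without_tls(vhosts: list[VHost]) -> list[str]:
    """:443 vhosts lacking 'GnuTLSEnable on'; Apache speaks plain HTTP on those."""
    return [vh.names[0] if vh.names else vh.addr
            for vh in vhosts if vh.port == "443" and not vh.tls]


# Constructed sample configuration, not the poster's real one.
SAMPLE_CONFIG = """
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
</VirtualHost>
<VirtualHost *:80>
    ServerName shop.example.net
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.org
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    ServerAlias example.com
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/apache2/ssl/www.example.com.crt
    GnuTLSKeyFile /etc/apache2/ssl/www.example.com.key
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.net
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/apache2/ssl/shop.example.net.crt
    GnuTLSKeyFile /etc/apache2/ssl/shop.example.net.key
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    # TLS never switched on here: a browser gets ssl_error_rx_record_too_long.
    ServerName legacy.example.org
</VirtualHost>
"""


def report(text: str) -> str:
    """Summary of the three checks for one configuration string."""
    vhosts = parse_vhosts(text)
    default = default_tls_vhost(vhosts)
    return "\n".join([
        "http vhosts with no TLS vhost: " + ", ".join(http_names_without_tls(vhosts) or ["none"]),
        "certificate served for unknown SNI names: "
        + (", ".join(default.names) if default and default.names else "none (no :443 vhost)"),
        ":443 vhosts without GnuTLSEnable on: " + ", ".join(tls_vhosts_without_tls(vhosts) or ["none"]),
    ])


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

On the sample, the report names blog.example.org as the http host still needing a :443 twin, www.example.com (with its alias) as the certificate every unknown SNI name will be shown, and legacy.example.org as the :443 host that answers in plain HTTP. Feeding it `apache2ctl -S`-style output would not work; it wants the raw VirtualHost stanzas.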
Re: [Modules] mod_gnutls and domains without its settings
On 04/08/2010 12:20, Nikos Mavrogiannopoulos wrote:
> On Wed, Aug 4, 2010 at 11:29 AM, Davide Mirtillo wrote:
>
>> Replacing _default_ with the network IP seems to work, but with both
>> your rewrite rule and mine I am now getting this error from the browser:
>> ssl_error_rx_record_too_long
>
> Most probably you didn't enable TLS for this host. You can verify that
> by connecting with normal HTTP url.

That's correct, I did not add any virtual host for port 443, but that was kind of the issue I am having, meaning that I'm trying to create a default config to be used whenever the websites have no SSL virtual host defined, i.e. redirect them to plain http.

That configuration which was giving me the error above (the one that uses IP:443 as VirtualHost) is also breaking the virtual hosts of the sites I put the correct certificates in.

--
Davide Mirtillo
Re: [Modules] mod_gnutls and domains without its settings
On Wed, Aug 4, 2010 at 11:29 AM, Davide Mirtillo wrote:
> Replacing _default_ with the network IP seems to work, but with both
> your rewrite rule and mine I am now getting this error from the browser:
> ssl_error_rx_record_too_long

Most probably you didn't enable TLS for this host. You can verify that by connecting with normal HTTP url.

regards,
Nikos
Re: [Modules] mod_gnutls and domains without its settings
On 03/08/2010 22:40, Jake wrote:
> On 8/3/2010 5:51 AM, Davide Mirtillo wrote:
>>
>> RewriteEngine On
>> RewriteCond %{HTTPS} ON
>> RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
>>
> First, I've just managed to set up my SSL certs, but I really know very
> little.
>
> I did find, however, that _default_ did not work for me, I had to use
> the server's network IP.
>
> Also, what about something like this:
>
> RewriteEngine On
> RewriteCond %{SERVER_PORT} 443
> RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R,L]

Replacing _default_ with the network IP seems to work, but with both your rewrite rule and mine I am now getting this error from the browser:
ssl_error_rx_record_too_long

I'll try and investigate this further on both server and client side logs.

Sorry if I replied to you personally, but it seems Thunderbird doesn't like this mailing list.

--
Davide Mirtillo
Re: [Modules] mod_gnutls and domains without its settings
On 03/08/2010 11:00, Simon Josefsson wrote:
>>>> I'm having a strange issue, though. If I try to visit a domain that has
>>>> no virtual host entry for the https connection, apache is displaying the
>>>> site with the ssl certificate of the first domain I specified on the ssl
>>>> virtualhost config file.
>>>>
>>>> Is there any way I can stop this behaviour? I thought about adding a
>>>> permanent redirect on every domain that does not have a ssl vhost, but
>>>> I'd rather see what other options I have before doing that.
>>>
>>> I don't know how to solve this, but how does mod_ssl handle this?
>>> Assuming mod_ssl supports SNI at all, that is, I know it didn't for a
>>> long time but maybe that has changed.
>>
>> I think SNI has been introduced for mod_ssl into newer packages, (i.e.
>> in the testing/unstable repos) but running a mixed debian system could
>> be troublesome in a production environment. I haven't tried mod_ssl
>> because of that. I don't know if this issue is caused by my mod_gnutls
>> config or if it's an error on my apache config. Am I supposed to
>> declare a corresponding https virtual host for every plain http one?
>
> I didn't say you should use mod_ssl instead. :-) Just curious how it
> solved the same problem. FWIW, I've seen your problem too, and never
> resolved it. It may be possible to do with configuration, but I'm not
> certain what the best recommended approach should be. It would be nice
> to be able to declare which virtual server should be the "catch-all" SSL
> server.
>
> However, can't you just make sure the first SSL virtualhost server is a
> "catch-all" server?

Thanks for the tip. I decided to try with a _default_:443 virtual host [1], inserting the following entry as default:

RewriteEngine On
RewriteCond %{HTTPS} ON
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}

But it doesn't seem to do the job, I still get the wrong certificate (I don't even get why the RewriteRule isn't working).

I guess I'll just create a script to create the right https vhosts paired up with the http ones. If anyone has better options, I'm all ears.

[1] http://httpd.apache.org/docs/2.2/vhosts/examples.html#default

--
Davide Mirtillo
Re: [Modules] mod_gnutls and domains without its settings
Davide Mirtillo writes:
> On Tue, Aug 3, 2010 at 10:43 AM, Simon Josefsson wrote:
>> Davide Mirtillo writes:
>>> I'm having a strange issue, though. If I try to visit a domain that has
>>> no virtual host entry for the https connection, apache is displaying the
>>> site with the ssl certificate of the first domain I specified on the ssl
>>> virtualhost config file.
>>>
>>> Is there any way I can stop this behaviour? I thought about adding a
>>> permanent redirect on every domain that does not have a ssl vhost, but
>>> I'd rather see what other options I have before doing that.
>>
>> I don't know how to solve this, but how does mod_ssl handle this?
>> Assuming mod_ssl supports SNI at all, that is, I know it didn't for a
>> long time but maybe that has changed.
>>
>
> I think SNI has been introduced for mod_ssl into newer packages, (i.e.
> in the testing/unstable repos) but running a mixed debian system could
> be troublesome in a production environment. I haven't tried mod_ssl
> because of that. I don't know if this issue is caused by my mod_gnutls
> config or if it's an error on my apache config. Am I supposed to
> declare a corresponding https virtual host for every plain http one?

I didn't say you should use mod_ssl instead. :-) Just curious how it solved the same problem. FWIW, I've seen your problem too, and never resolved it. It may be possible to do with configuration, but I'm not certain what the best recommended approach should be. It would be nice to be able to declare which virtual server should be the "catch-all" SSL server.

However, can't you just make sure the first SSL virtualhost server is a "catch-all" server?

/Simon
Re: [Modules] mod_gnutls and domains without its settings
On Tue, Aug 3, 2010 at 10:43 AM, Simon Josefsson wrote:
> Davide Mirtillo writes:
>> I'm having a strange issue, though. If I try to visit a domain that has
>> no virtual host entry for the https connection, apache is displaying the
>> site with the ssl certificate of the first domain I specified on the ssl
>> virtualhost config file.
>>
>> Is there any way I can stop this behaviour? I thought about adding a
>> permanent redirect on every domain that does not have a ssl vhost, but
>> I'd rather see what other options I have before doing that.
>
> I don't know how to solve this, but how does mod_ssl handle this?
> Assuming mod_ssl supports SNI at all, that is, I know it didn't for a
> long time but maybe that has changed.
>

I think SNI has been introduced for mod_ssl into newer packages, (i.e. in the testing/unstable repos) but running a mixed debian system could be troublesome in a production environment. I haven't tried mod_ssl because of that. I don't know if this issue is caused by my mod_gnutls config or if it's an error on my apache config. Am I supposed to declare a corresponding https virtual host for every plain http one?

--
Davide Mirtillo
Re: [Modules] mod_gnutls and domains without its settings
Davide Mirtillo writes:
> Hello, I'm using mod_gnutls on a debian lenny install, the packages of
> apache and mod_gnutls itself are the ones included in the stable
> repository. I have quite a bit of domains set up on the same machine,
> all of them are simple virtual hosts, since the software I'm using to
> manage the hosting environment has created them that way (ispcp omega).
> I have a couple of domains, among the ones I'm hosting, that require an
> https connection and I managed to set them up correctly creating
> additional virtual hosts that utilize the mod_gnutls module.
> This is the howto I followed to get ssl to work on those domains:
> http://isp-control.net/documentation/howto:multiple_ssl_certificates_on_a_single_ip_port_using_mod_gnutls
>
> I'm having a strange issue, though. If I try to visit a domain that has
> no virtual host entry for the https connection, apache is displaying the
> site with the ssl certificate of the first domain I specified on the ssl
> virtualhost config file.
>
> Is there any way I can stop this behaviour? I thought about adding a
> permanent redirect on every domain that does not have a ssl vhost, but
> I'd rather see what other options I have before doing that.

I don't know how to solve this, but how does mod_ssl handle this? Assuming mod_ssl supports SNI at all, that is, I know it didn't for a long time but maybe that has changed.

/Simon