Hello All,
I want to configure Apache for this use case:
We have more than one virtual host with different hostnames. I use name-based
virtual hosting configuration for these hosts.
And I want to give each host 2 ports for HTTPS services. One is for the outside
service, the other is for the internal service.
It's possible that we use different SSL keys and certs for the internal and
outside HTTPS configurations. And clients do validate the SSL certificates.
So I did a simple test of this configuration.
However, in my test case, I find Apache always gives the client the certificate
from the first VirtualHost configuration.
My test environment is RHEL 6.4, Apache 2.
My test configuration is like this:
NameVirtualHost and Listen statements are inserted in the ssl.conf file.
--------------------------------------------------------
NameVirtualHost 192.168.33.10:443
NameVirtualHost 192.168.33.10:8443
Listen 443
Listen 8443
--------------------------------------------------------
And I created a new file ssldemo.conf in conf.d
--------------------------------------------------------------------
<VirtualHost 192.168.33.10:8443>
    ServerName site1.test.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog logs/demo_error_log
    TransferLog logs/demo_access_log
    LogLevel debug
</VirtualHost>

<VirtualHost 192.168.33.10:443>
    ServerName site1.test.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/sslcert.pem
    SSLCertificateKeyFile /etc/httpd/ssl/sslkey.pem
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog logs/demo_error_log
    TransferLog logs/demo_access_log
    LogLevel debug
</VirtualHost>
--------------------------------------------------------------------------------
When I connect to the Apache server using the URL https://site1.test.com, I get
the cert of /etc/pki/tls/certs/localhost.crt.
It seems the Apache server doesn't support this kind of usage, does it?
Best Regards,
Jason
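A small model of how mod_ssl chooses which VirtualHost, and therefore which certificate, answers a TLS connection, added here as an example for this thread; it is not code from the original post or from the Apache project. The rule it encodes is the documented one for Apache 2.2.12 and later with SNI support: the candidate blocks are those bound to the address:port the client connected to, in the order the server loaded them; a block whose ServerName or ServerAlias matches the SNI name the client sent wins, and when no SNI name arrives (or none matches) the first candidate block serves. The two VirtualHost blocks are copied from the post, reduced to the directives that matter for selection. The `_default_:443` block is an assumption: it stands in for the default SSL virtual host that the stock RHEL ssl.conf defines with localhost.crt, which is loaded before conf.d/ssldemo.conf and so precedes the poster's blocks. The `lint` helper flags ports where the served certificate depends on block order or on the client sending SNI, which is the check to run before trusting certificate pinning on the internal port.

```python
"""Model of how mod_ssl picks the <VirtualHost> (hence the certificate) for a
TLS connection. Added example for this thread, not code from the original post.
Rule (Apache 2.2.12+ with SNI): take the blocks bound to the socket the client
hit, in load order; an SNI name matching ServerName/ServerAlias wins, otherwise
the first block serves. Certificate paths below are copied from the post."""
import re
from dataclasses import dataclass, field


@dataclass
class VHost:
    addr: str                                   # IP, "*" or "_default_"
    port: str                                   # port as text, "*" if absent
    order: int                                  # load order (first match wins)
    names: list = field(default_factory=list)   # ServerName/ServerAlias, lowercased
    cert: str = None
    key: str = None
    ssl: bool = False


_BLOCK = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """Pull the directives that matter for certificate selection out of config text."""
    vhosts = []
    for n, m in enumerate(_BLOCK.finditer(text)):
        spec = m.group(1).strip()
        addr, _, port = spec.rpartition(":") if ":" in spec else (spec, "", "*")
        vh = VHost(addr, port, n)
        for line in m.group(2).splitlines():
            parts = line.split()
            if not parts or parts[0].startswith(("<", "#")):
                continue                        # blank, comment or nested block tag
            key, val = parts[0].lower(), " ".join(parts[1:]).strip('"')
            if key in ("servername", "serveralias"):
                vh.names += [v.lower().rsplit(":", 1)[0] for v in val.split()]
            elif key == "sslengine":
                vh.ssl = val.lower() == "on"
            elif key == "sslcertificatefile":
                vh.cert = val
            elif key == "sslcertificatekeyfile":
                vh.key = val
        vhosts.append(vh)
    return vhosts


def candidates(vhosts, ip, port):
    """Blocks bound to ip:port in load order; an explicit address beats * / _default_."""
    same_port = [v for v in vhosts if v.port in (str(port), "*")]
    exact = [v for v in same_port if v.addr == ip]
    return exact or [v for v in same_port if v.addr in ("*", "_default_")]


def select_vhost(vhosts, ip, port, sni=None):
    """The block whose certificate the client sees (None if nothing listens there)."""
    cands = candidates(vhosts, ip, port)
    if sni:
        for v in cands:
            if sni.lower() in v.names:
                return v
    return cands[0] if cands else None


def lint(vhosts):
    """Report ports where the served certificate depends on block order / SNI."""
    by_port = {}
    for v in vhosts:
        if v.ssl:
            by_port.setdefault(v.port, []).append(v)
    findings = []
    for port, vs in sorted(by_port.items()):
        if len({v.cert for v in vs}) > 1:
            blocks = ", ".join(f"{v.addr}:{v.port}->{v.cert}" for v in vs)
            findings.append(f"port {port}: certificate differs per block; non-SNI "
                            f"clients get the first block matching their address: {blocks}")
    return findings


# Constructed input: the two blocks from the post, reduced to the relevant directives.
SSLDEMO_CONF = """
<VirtualHost 192.168.33.10:8443>
    ServerName site1.test.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
<VirtualHost 192.168.33.10:443>
    ServerName site1.test.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/sslcert.pem
    SSLCertificateKeyFile /etc/httpd/ssl/sslkey.pem
</VirtualHost>
"""
# Assumption: the stock ssl.conf, loaded before ssldemo.conf, defines a default block like this.
STOCK_SSL_CONF = """
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""

if __name__ == "__main__":
    vhosts = parse_vhosts(STOCK_SSL_CONF + SSLDEMO_CONF)
    for ip, port, sni in [("192.168.33.10", 443, "site1.test.com"),
                          ("192.168.33.10", 8443, "site1.test.com"),
                          ("192.168.33.10", 443, None), ("127.0.0.1", 443, None)]:
        vh = select_vhost(vhosts, ip, port, sni)
        print(f"{ip}:{port} sni={sni!s:15} -> {vh.cert if vh else 'no listener'}")
    for finding in lint(vhosts):
        print("WARN", finding)
```

Run it as a script to see the table: with the posted blocks alone, a connection to 192.168.33.10:443 gets sslcert.pem whether or not SNI is sent, and :8443 gets localhost.crt; the assumed `_default_:443` block only takes over when the client reaches an address that no explicit block names (the 127.0.0.1 row), which is the first thing to verify (which address site1.test.com resolves to on the client) when the wrong certificate shows up. The model ignores ServerAlias wildcards and IPv6 literals, so treat it as a reviewer's aid, not a replacement for `openssl s_client -servername` against the live ports.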