https://issues.apache.org/bugzilla/show_bug.cgi?id=54385
Bug ID: 54385
Summary: SSL configuration independent from virtual hosts,
automatic certificate selection.
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: mail@joachim-breitner.de
Classification: Unclassified

With one certificate covering all hosted domains (using wildcard domains and/or
subject alternative name entries), it is possible to
* have all SSL configuration in one place.
* define one virtual host once and serve both HTTP and HTTPS

This works by having only one virtual host with SSL configuration. This virtual
host is not actually used (and the ServerName may be anything): Before the SSL
handshake, Apache looks only at that virtual host, sends the certificate, then
receives the request with the Host: header and re-selects the right virtual
host.

It is not possible to obtain the same level of convenience with multiple
certificates and SNI: Now I do need to configure SSL for each virtual host
independently. Worse, I need to duplicate every virtual host configuration,
because the same configuration can no longer serve both SSL and non-SSL
(unless the patch in 47256 is included).

Worse: If I have a larger number of domains that I want to handle in a single
virtual host (e.g. using mod_rewrite magic), I still need to duplicate the
configuration if I need to show separate certificates for different domains.

It would be nice if I could, in my original setup with the single „dummy“ SSL
virtual host, multiple certificates (or even a whole directory), and have
Apache select the right certificate by matching the SNI data against the CN
and SAN entries of the certificate, showing the client the first one that
matches.

After the SSL handshake, virtual host selection would work as before, i.e.
based on the ServerName attribute.

This would entangle virtual host configuration and SSL configuration, which I
think is a good thing in many use cases.
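
The selection rule requested above (match the SNI name against each certificate's CN and SAN entries, first match wins), sketched as an added example; this is not code from the report or from mod_ssl. The `Cert` record, the function names, the sample certificates and the fall-back to the first certificate are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    path: str                      # constructed file name, for illustration
    cn: str                        # subject Common Name
    sans: list = field(default_factory=list)   # dNSName SAN entries

def _norm(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower()

def name_matches(pattern, host):
    """Left-most-label wildcard matching: '*' covers exactly one label."""
    p, h = _norm(pattern).split("."), _norm(host).split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse bare or two-label wildcards such as '*' or '*.com'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def select_cert(certs, sni):
    """Return the first certificate whose CN or SAN matches the SNI name.

    Falls back to certs[0] when the client sent no SNI or nothing matches
    (assumption: the first configured certificate acts as the default).
    """
    if sni:
        for cert in certs:
            if any(name_matches(n, sni) for n in [cert.cn, *cert.sans]):
                return cert
    return certs[0]

# Constructed sample data, not taken from the bug report.
CERTS = [
    Cert("default.pem", "www.example.org", ["example.org"]),
    Cert("wild.pem", "*.example.net", ["example.net"]),
    Cert("shop.pem", "shop.example.com"),
]
```

Because the first match wins, the order of the certificate list decides which certificate a client sees when a wildcard and an exact name both cover the same host. A client that lands on the fall-back certificate gets a name mismatch, so that case is worth logging.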