httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 56353] SNI not working correctly when certificate is defined in global scope
Date Mon, 07 Apr 2014 04:46:29 GMT

--- Comment #2 from ---
(In reply to Kaspar Brand from comment #1)
> Created attachment 31485 [details]
> Reverse apr_array_append order with cfgMergeArray
> Can you try the attached patch with 2.4.9 and let us know if it addresses
> your issue?

Yeah, patch fixes it, everything seems back to normal. Will re-test with my
real server setup, but local tests seem fine.

> > It gets even weirder when one adds certificate chains. They still get
> > delivered by vhosts. So if I e.g. add a certificate chain to test2.local in
> > this example, I'll get test1.crt with the chain defined in test2.local.
> What version of OpenSSL are you using, and how exactly do you "add a
> certificate chain" - with SSLCertificateChainFile, or by including it in the
> file pointed to by SSLCertificateFile?

With SSLCertificateChainFile and openssl 1.0.1f.
(I'm aware that 2.4.9 warns it is considered deprecated. I'm not happy with
that, but this is outside the scope of this bug report, I may comment on that
on the dev ml)

> (Note that for an SNI setup, it doesn't make much sense to have global-level
> SSLCertificate[Key]File settings - the default cert should simply go into
> the first VirtualHost block.)

No, that doesn't work. If I set no global cert and have vhosts without their
own cert apache simply won't start. (log says "SSL Library Error:
error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned")

You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message