httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: Redundant SSL virtual host warnings?
Date Sun, 08 Apr 2007 18:57:16 GMT


On 04/08/2007 08:24 PM, Henrik Nordstrom wrote:
> Sun 2007-04-08 at 18:48 +0100, Jay L. T. Cornwall wrote:
> 
> 
>>So the part I'm leading up to is: how about a way to turn off these
>>warnings? Or perhaps a simple certificate analysis to see if the
>>wildcard matches all the virtual hosts for which it serves?
> 

This is not a good idea. Even though the client does not complain about
a wrong certificate in the case of a wildcard certificate, there are
still pitfalls on the server side. All virtual host specific SSL
configuration parameters are taken from the first virtual host and not
from the target virtual host. See

http://issues.apache.org/bugzilla/show_bug.cgi?id=41537#c3


> 
> Related to this, in current versions of TLS the client MAY advertise
> which host it is desiring to get connected to which would also require
> this if implemented in Apache mod_ssl. (server_name hello extension
> defined in RFC4366 section 3.1)

I guess this will be done as soon as there is an official release of OpenSSL
(I guess it will be 0.9.9) that supports this. There are already patches
available. See

http://issues.apache.org/bugzilla/show_bug.cgi?id=34607

Regards

Rüdiger
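
Added example (not part of the original message and not mod_ssl code): a simplified Python model of the point made in the reply above. It performs the proposed wildcard match and also lists per-virtual-host SSL directives that differ from the first virtual host on the same address:port. The helper names `wildcard_covers` and `audit`, the host names and the sample configuration are constructed for illustration.

```python
# Added illustration: a simplified model, not mod_ssl source code.
# Assumption (from the message): without the server_name extension, the TLS
# handshake uses the SSL settings of the first virtual host on an address:port.

def wildcard_covers(cert_name, host):
    """True if cert_name (e.g. '*.example.test') covers host.
    The wildcard stands for exactly one left-most label."""
    cert_labels = cert_name.lower().split(".")
    host_labels = host.lower().split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] != "*" and cert_labels[0] != host_labels[0]:
        return False
    return cert_labels[1:] == host_labels[1:]

def audit(vhosts, cert_name):
    """Return (uncovered_hosts, ignored_settings).
    ignored_settings holds (server_name, directive, configured, effective)
    for SSL directives that differ from the first vhost on the same
    address:port, i.e. the vhost whose settings apply at handshake time."""
    first_on = {}
    uncovered, ignored = [], []
    for vh in vhosts:
        first = first_on.setdefault(vh["addr"], vh)
        if not wildcard_covers(cert_name, vh["name"]):
            uncovered.append(vh["name"])
        for directive in sorted(set(vh["ssl"]) | set(first["ssl"])):
            configured = vh["ssl"].get(directive)
            effective = first["ssl"].get(directive)
            if configured != effective:
                ignored.append((vh["name"], directive, configured, effective))
    return uncovered, ignored

# Constructed sample configuration (hypothetical host names).
VHOSTS = [
    {"addr": "*:443", "name": "www.example.test",
     "ssl": {"SSLVerifyClient": "none", "SSLCipherSuite": "HIGH"}},
    {"addr": "*:443", "name": "admin.example.test",
     "ssl": {"SSLVerifyClient": "require", "SSLCipherSuite": "HIGH"}},
]

if __name__ == "__main__":
    uncovered, ignored = audit(VHOSTS, "*.example.test")
    print("not covered by certificate:", uncovered)
    for name, directive, configured, effective in ignored:
        print(f"{name}: {directive} {configured} is configured, "
              f"{effective} applies at handshake")
```

In this sample the wildcard covers both names, so a certificate-only check would pass, yet the client-certificate requirement on the second virtual host is reported as not in effect at handshake time.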
