httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: [users@httpd] ssl certifikate mismatch
Date Mon, 17 May 2010 05:01:12 GMT
> On Sun, May 16, 2010 at 3:14 PM, Eric Covener <covener@gmail.com> wrote:
>> User has a non-NVH on 10.137.1.104:9902 (CN=aaa.de) and insists SNI is
>> choosing the SSL configuration from a different VH that (CN=aaa.at)
>> comes earlier and b) has a matching servername.

I can't reproduce/confirm this behavior with 2.2.15. Did the user
double-check that the www.aaa.at.crt and www.aaa.de.crt files really have
the proper contents?

>> I think that 10.137.1.104 was sent, but i'm not sure if any SNI
>> hostname was sent. I called it like this: openssl s_client -connect
>> 10.137.1.104:9902

openssl s_client doesn't send any SNI extension by default (needs to be
specified with -servername, if desired).

The code in mod_ssl which possibly switches to a different certificate
(through OpenSSL's SSL_set_SSL_CTX) is only reached from
ssl_callback_ServerNameIndication(). And this callback is not executed
if there's no SNI extension in the ClientHello (at APLOG_DEBUG, mod_ssl
will log the outcome of ap_vhost_iterate_given_conn, but my prediction
is that the user won't see any such messages if he's using s_client w/o
the servername switch).

Kaspar
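The mechanism Kaspar describes, as an added example that is neither part of his message nor mod_ssl's or OpenSSL's code: a hand-built TLS 1.2 ClientHello with or without the server_name extension (RFC 6066, extension type 0), a parser that locates that extension the way a server must before any name-based certificate switch can happen, and a simplified stand-in for the vhost dispatch (the vhost table, the certificate CNs and the default vhost are constructed for the example). The live equivalent of the two ClientHellos is `openssl s_client -connect 10.137.1.104:9902` with and without `-servername www.aaa.de`.

```python
import struct

# Constructed example (not from the original thread): build a minimal TLS 1.2
# ClientHello, optionally carrying an SNI extension, then locate the extension
# the way a server has to before any name-based certificate selection.

SNI_EXT_TYPE = 0x0000  # RFC 6066 server_name extension
HOST_NAME = 0x00       # NameType host_name


def build_client_hello(server_name=None):
    """Return the bytes of one TLS record holding a ClientHello.

    With server_name=None no SNI extension is emitted, which is what
    'openssl s_client -connect host:port' sends without -servername.
    """
    random = b"\x11" * 32                        # fixed for reproducibility
    cipher_suites = b"\xc0\x2f\x00\x9c"          # two arbitrary suite IDs
    body = b"\x03\x03" + random
    body += b"\x00"                              # empty session id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                          # compression: null only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry  # server_name_list
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(sni)) + sni
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(record):
    """Return the SNI host_name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # hs header, version, random
    p += 1 + hs[p]                                   # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher suites
    p += 1 + hs[p]                                   # compression methods
    if p >= len(hs):
        return None                                  # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype != SNI_EXT_TYPE:
            continue
        q = 2                                        # skip server_name_list length
        while q + 3 <= len(data):
            ntype, nlen = struct.unpack("!BH", data[q:q + 3])
            q += 3
            if ntype == HOST_NAME:
                return data[q:q + nlen].decode("idna")
            q += nlen
    return None


def select_vhost(record, vhosts, default):
    """Simplified stand-in for the dispatch described in the thread.

    `vhosts` maps a ServerName to the certificate CN of that vhost (a
    constructed table, not httpd's own data structure); `default` is the
    vhost already chosen for the IP:port. Without an SNI extension the
    name-based switch is never attempted, so `default` is returned as-is.
    """
    name = sni_from_client_hello(record)
    if name is None:
        return default
    return vhosts.get(name, default)


if __name__ == "__main__":
    vhosts = {"www.aaa.at": "CN=aaa.at", "www.aaa.de": "CN=aaa.de"}
    for sni in (None, "www.aaa.at", "www.aaa.de"):
        hello = build_client_hello(sni)
        print(sni, "->", select_vhost(hello, vhosts, "CN=aaa.de"))
```

The parser deliberately walks the variable-length fields (session id, cipher suites, compression methods) rather than assuming fixed offsets, since a real ClientHello from s_client carries many more suites than the two used here; the `None` returned for a ClientHello with no extensions block is the case that makes the SNI callback a no-op.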
