httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] ssl certifikate mismatch
Date Sun, 16 May 2010 19:19:49 GMT
top-posting a better summary of the thread:

> Listen 10.137.1.104:9901
> <VirtualHost 10.137.1.104:9901>
> SSLEngine on
> SSLCertificateFile /etc/apache2/conf/www.aaa.at.crt
> SSLCertificateKeyFile /etc/apache2/conf/www.aaa.at.key
> Include conf/www.aaa.misc
> </VirtualHost>
>
> Listen 10.137.1.104:9902
> <VirtualHost 10.137.1.104:9902>
> SSLEngine on
> SSLCertificateFile /etc/apache2/conf/www.aaa.de.crt
> SSLCertificateKeyFile /etc/apache2/conf/www.aaa.de.key
> Include conf/www.aaa.misc
> </VirtualHost>
>
> Listen 10.137.1.104:9903
> NameVirtualHost 10.137.1.104:9903
> <VirtualHost 10.137.1.104:9903>
> Include conf/www.aaa.misc
> </VirtualHost>

>  openssl s_client -connect 10.137.1.104:9902

> The certificate www.aaa.at was selected.
On Sun, May 16, 2010 at 3:14 PM, Eric Covener <covener@gmail.com> wrote:
> User has a non-NVH on 10.137.1.104:9902 (CN=aaa.de) and insists SNI is
> choosing the SSL configuration from a different VH that (CN=aaa.at) a)
> comes earlier and b) has a matching servername.
>
> Desk-checking the impl, it sure looks like it's supposed to start w/
> the output of normal ip-based vhosting and only traverse the NVH'es
> hung off that matched vh.
>
> Anyone more familiar with this that can comment to the design or implementation?
>
>
>
> ---------- Forwarded message ----------
> From: Reinhard Vicinus <r.vicinus@metaways.de>
> Date: Sun, May 16, 2010 at 2:46 PM
> Subject: Re: [users@httpd] ssl certifikate mismatch
> To: users@httpd.apache.org
>
>
>
>> What's the full apachectl -S look like on that config?
>>
>
> VirtualHost configuration:
> 10.137.1.104:9903      is a NameVirtualHost
>         default server www.aaa.de (/etc/apache2/sites-enabled/test:19)
>         port 9903 namevhost www.aaa.de (/etc/apache2/sites-enabled/test:19)
> 10.137.1.104:9901      www.aaa.de (/etc/apache2/sites-enabled/test:2)
> 10.137.1.104:9902      www.aaa.de (/etc/apache2/sites-enabled/test:10)
> Syntax OK
>
>> What was the local host:port the connection was on?
>>
>
> 10.137.1.104:9902
>>
>> What SNI hostname was sent?
>>
>
> I think that 10.137.1.104 was sent, but I'm not sure if any SNI
> hostname was sent. I called it like this: openssl s_client -connect
> 10.137.1.104:9902
>>
>> What certificate was selected?  Which certificate do you expect to be
>> selected, and why?
>>
>
> The certificate www.aaa.at was selected. I would expect that
> www.aaa.de would be selected because the configuration uses ip based
> virtual hosting and in the apache documentation it's clearly stated
> that only the exact IP address and port pair is used for selecting
> virtual hosts by ip based virtual hosting.
>
> Also this configuration worked with older apache versions.
>
>
> --
> Eric Covener
> covener@gmail.com
>



-- 
Eric Covener
covener@gmail.com
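An added check script, written for this page and not taken from the thread or from the httpd project, that automates the `openssl s_client` probe Reinhard ran: it connects to each configured listener both without an SNI name (the bare `-connect` call from the thread) and with the expected name as SNI, pulls the subject CN out of the s_client output, and reports any listener that presents a certificate other than the one its VirtualHost configures. The host and ports come from the quoted config; the expected CNs (www.aaa.at on 9901, www.aaa.de on 9902) are an assumption taken from the SSLCertificateFile names, and the script assumes a local `openssl` whose s_client supports `-servername`.

```shell
#!/bin/sh
# Added example (not part of the thread): audit which certificate each
# SSL listener actually presents, with and without an SNI name, and flag
# any listener whose certificate CN is not the one its VirtualHost configures.
# Assumes: host 10.137.1.104 and ports 9901/9902 from the quoted config,
# expected CNs derived from the SSLCertificateFile names, and a local
# `openssl` binary whose s_client supports -servername.

# cn_from_s_client: read `openssl s_client` output on stdin and print the
# subject CN of the presented leaf certificate. Handles both the older
# "subject=/C=AT/CN=www.aaa.at" and the newer "subject=C = AT, CN = www.aaa.at"
# formatting of the subject line; prints nothing if no certificate was shown.
cn_from_s_client() {
  sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | tr -d ' '
}

# probe_cn HOST PORT [SNI]: connect to HOST:PORT (optionally sending SNI)
# and print the CN the server chose. Without SNI this reproduces the bare
# `openssl s_client -connect` call from the thread.
probe_cn() {
  host=$1; port=$2; sni=$3
  if [ -n "$sni" ]; then
    openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null | cn_from_s_client
  else
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | cn_from_s_client
  fi
}

# check_cn LABEL EXPECTED ACTUAL: print a verdict line; return 0 on match,
# 1 on mismatch (including the case where no certificate came back at all).
check_cn() {
  if [ "$2" = "$3" ]; then
    echo "OK        $1: got $3"
    return 0
  fi
  echo "MISMATCH  $1: expected $2, got ${3:-<none>}"
  return 1
}

# audit_listeners HOST: walk the port -> expected-CN table (constructed from
# the quoted config) and probe each port without SNI and with the expected
# name as SNI. Returns the number of mismatches, so 0 means every listener
# serves the certificate its VirtualHost configures.
audit_listeners() {
  host=$1; failures=0
  for entry in 9901:www.aaa.at 9902:www.aaa.de; do
    port=${entry%%:*}; want=${entry#*:}
    got=$(probe_cn "$host" "$port")
    check_cn "$port (no SNI)" "$want" "$got" || failures=$((failures + 1))
    got=$(probe_cn "$host" "$port" "$want")
    check_cn "$port (SNI=$want)" "$want" "$got" || failures=$((failures + 1))
  done
  return "$failures"
}

# Usage: AUDIT_HOST=10.137.1.104 sh audit.sh
if [ -n "$AUDIT_HOST" ]; then
  audit_listeners "$AUDIT_HOST"
fi
```

Running it against the quoted setup would show the symptom directly: port 9902 without SNI reporting `MISMATCH ... expected www.aaa.de, got www.aaa.at` while the same port with `-servername www.aaa.de` may or may not match, which separates "wrong vhost selected for a non-SNI client" from "wrong vhost selected for a given SNI name" before anyone starts reading mod_ssl.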
