httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Fwd: [users@httpd] ssl certificate mismatch
Date Sun, 16 May 2010 19:14:46 GMT
User has a non-NVH on 10.137.1.104:9902 (CN=aaa.de) and insists SNI is
choosing the SSL configuration from a different VH (CN=aaa.at) that a)
comes earlier and b) has a matching servername.

Desk-checking the impl, it sure looks like it's supposed to start with
the output of normal IP-based vhosting and only traverse the NVHs
hung off that matched VH.

Anyone more familiar with this that can comment to the design or implementation?



---------- Forwarded message ----------
From: Reinhard Vicinus <r.vicinus@metaways.de>
Date: Sun, May 16, 2010 at 2:46 PM
Subject: Re: [users@httpd] ssl certificate mismatch
To: users@httpd.apache.org



> What's the full apachectl -S look like on that config?
>

VirtualHost configuration:
10.137.1.104:9903      is a NameVirtualHost
        default server www.aaa.de (/etc/apache2/sites-enabled/test:19)
        port 9903 namevhost www.aaa.de (/etc/apache2/sites-enabled/test:19)
10.137.1.104:9901      www.aaa.de (/etc/apache2/sites-enabled/test:2)
10.137.1.104:9902      www.aaa.de (/etc/apache2/sites-enabled/test:10)
Syntax OK

> What was the local host:port the connection was on?
>

10.137.1.104:9902
>
> What SNI hostname was sent?
>

I think that 10.137.1.104 was sent, but I'm not sure if any SNI
hostname was sent. I called it like this: openssl s_client -connect
10.137.1.104:9902
>
> What certificate was selected?  Which certificate do you expect to be
> selected, and why?
>

The certificate www.aaa.at was selected. I would expect that
www.aaa.de would be selected because the configuration uses IP-based
virtual hosting, and in the Apache documentation it's clearly stated
that only the exact IP address and port pair is used for selecting
virtual hosts by IP-based virtual hosting.

Also this configuration worked with older apache versions.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
 "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




-- 
Eric Covener
covener@gmail.com
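An added model of the selection order Eric describes above (step 1: exact IP:port match; step 2: only then walk the name-based vhosts hung off that match, by SNI name). This is illustration code, not mod_ssl's implementation and not a statement of what the released version actually did; the vhost table, certificate CNs and the shop.aaa.de vhost are constructed for the example and are not taken from the user's apachectl -S output.

```python
"""Model of IP-based-then-name-based vhost selection for an SSL connection.

Added example, not Apache httpd code. It models the design described in the
message above: the connection's local ip:port is matched exactly first, and
SNI is only consulted to choose among name-based vhosts hung off that
ip:port. A vhost on a different port of the same IP is never a candidate,
whatever SNI name the client sends.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class VHost:
    address: str                 # "ip:port" this vhost is bound to
    server_name: str             # ServerName
    cert_cn: str                 # CN of the certificate this vhost serves
    aliases: Tuple[str, ...] = ()  # ServerAlias entries, if any

    def matches_name(self, name: str) -> bool:
        """Case-insensitive ServerName/ServerAlias match, as a name-based lookup would do."""
        wanted = name.lower()
        return any(wanted == n.lower() for n in (self.server_name, *self.aliases))


@dataclass
class AddressEntry:
    """Everything hung off one ip:port.

    name_based is empty for a plain IP-based vhost and holds the ordered
    namevhost list for a NameVirtualHost; default is the ip:port's default server.
    """
    default: VHost
    name_based: List[VHost] = field(default_factory=list)


def select_vhost(table: Dict[str, AddressEntry],
                 local_addr: str,
                 sni_name: Optional[str]) -> Optional[VHost]:
    """Pick the vhost (and therefore the certificate) for one connection.

    Step 1 (IP-based): only an exact ip:port match counts.
    Step 2 (name-based): if that ip:port is a NameVirtualHost and the client
    sent an SNI name, the first namevhost whose ServerName/ServerAlias matches
    wins; otherwise the ip:port's default server is used.
    """
    entry = table.get(local_addr)
    if entry is None:
        # No exact ip:port match; httpd would fall back to the main server,
        # which is outside what this model covers.
        return None
    if sni_name:
        for vh in entry.name_based:
            if vh.matches_name(sni_name):
                return vh
    return entry.default


def build_example_table() -> Dict[str, AddressEntry]:
    """Constructed vhost table (assumption: ServerNames and CNs chosen for illustration)."""
    at_9901 = VHost("10.137.1.104:9901", "www.aaa.at", "www.aaa.at")
    de_9902 = VHost("10.137.1.104:9902", "www.aaa.de", "www.aaa.de")
    de_9903 = VHost("10.137.1.104:9903", "www.aaa.de", "www.aaa.de")
    shop_9903 = VHost("10.137.1.104:9903", "shop.aaa.de", "shop.aaa.de", ("shop.aaa.at",))
    return {
        "10.137.1.104:9901": AddressEntry(default=at_9901),                # plain IP-based
        "10.137.1.104:9902": AddressEntry(default=de_9902),                # plain IP-based
        "10.137.1.104:9903": AddressEntry(default=de_9903,                 # NameVirtualHost
                                          name_based=[de_9903, shop_9903]),
    }


def served_cn(local_addr: str, sni_name: Optional[str]) -> Optional[str]:
    """Convenience wrapper: which certificate CN the model serves for a connection."""
    vh = select_vhost(build_example_table(), local_addr, sni_name)
    return vh.cert_cn if vh else None


if __name__ == "__main__":
    for addr, sni in [("10.137.1.104:9902", None),
                      ("10.137.1.104:9902", "www.aaa.at"),
                      ("10.137.1.104:9903", "shop.aaa.at"),
                      ("10.137.1.104:9903", "nosuch.aaa.de")]:
        print(f"{addr} sni={sni!r:16} -> {served_cn(addr, sni)}")
```

The second case in the usage loop is the one the thread is about: a connection to the non-NVH port 9902 must end up with 9902's own certificate even if the SNI name would match a vhost on another port, because under this model the other port's vhosts are never in the candidate set. To see which certificate a server actually sends, with and without SNI, compare `openssl s_client -connect 10.137.1.104:9902` against the same command with `-servername www.aaa.de` added.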
