Delivered-To: mailing list dev@httpd.apache.org
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Reply-To: dev@httpd.apache.org
Subject: Re: [users@httpd] ssl certifikate mismatch
From: Eric Covener
To: dev@httpd.apache.org
Date: Sun, 16 May 2010 15:19:49 -0400
References: <4BEDB7D4.9020106@metaways.de> <4BEFDA10.4090807@metaways.de> <4BF03D74.6090507@metaways.de>

top-posting a better summary of the thread:

> Listen 10.137.1.104:9901
> <VirtualHost 10.137.1.104:9901>
> SSLEngine on
> SSLCertificateFile /etc/apache2/conf/www.aaa.at.crt
> SSLCertificateKeyFile /etc/apache2/conf/www.aaa.at.key
> Include conf/www.aaa.misc
> </VirtualHost>
>
> Listen 10.137.1.104:9902
> <VirtualHost 10.137.1.104:9902>
> SSLEngine on
> SSLCertificateFile /etc/apache2/conf/www.aaa.de.crt
> SSLCertificateKeyFile /etc/apache2/conf/www.aaa.de.key
> Include conf/www.aaa.misc
> </VirtualHost>
>
> Listen 10.137.1.104:9903
> NameVirtualHost 10.137.1.104:9903
> <VirtualHost 10.137.1.104:9903>
> Include conf/www.aaa.misc
> </VirtualHost>
>
> openssl s_client -connect 10.137.1.104:9902
> The certificate www.aaa.at was selected.

On Sun, May 16, 2010 at 3:14 PM, Eric Covener wrote:
> User has a non-NVH on 10.137.1.104:9902 (CN=aaa.de) and insists SNI is
> choosing the SSL configuration from a different VH that (CN=aaa.at)
> comes earlier and b) has a matching servername.
>
> Desk-checking the impl, it sure looks like it's supposed to start w/
> the output of normal ip-based vhosting and only traverse the NVH'es
> hung off that matched vh.
>
> Anyone more familiar with this that can comment to the design or implementation?
>
>
> ---------- Forwarded message ----------
> From: Reinhard Vicinus
> Date: Sun, May 16, 2010 at 2:46 PM
> Subject: Re: [users@httpd] ssl certifikate mismatch
> To: users@httpd.apache.org
>
>> What's the full apachectl -S look like on that config?
>
> VirtualHost configuration:
> 10.137.1.104:9903      is a NameVirtualHost
>         default server www.aaa.de (/etc/apache2/sites-enabled/test:19)
>         port 9903 namevhost www.aaa.de (/etc/apache2/sites-enabled/test:19)
> 10.137.1.104:9901      www.aaa.de (/etc/apache2/sites-enabled/test:2)
> 10.137.1.104:9902      www.aaa.de (/etc/apache2/sites-enabled/test:10)
> Syntax OK
>
>> What was the local host:port the connection was on?
>
> 10.137.1.104:9902
>
>> What SNI hostname was sent?
>
> I think that 10.137.1.104 was sent, but I'm not sure if any SNI
> hostname was sent. I called it like this: openssl s_client -connect
> 10.137.1.104:9902
>
>> What certificate was selected?  Which certificate do you expect to be
>> selected, and why?
>
> The certificate www.aaa.at was selected. I would expect that
> www.aaa.de would be selected because the configuration uses ip based
> virtual hosting and in the apache documentation it's clearly stated
> that only the exact IP address and port pair is used for selecting
> virtual hosts by ip based virtual hosting.
>
> Also this configuration worked with older apache versions.

-- 
Eric Covener
covener@gmail.com
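A reproduction script for the report above, added here as an example (it is not code from this thread, from httpd or from OpenSSL). It drives `openssl s_client` against each SSL listener first with no SNI, as the reporter did, and then with each configured name as SNI, and lists every listener whose served certificate CN is not the one configured for that ip:port. The LISTENERS table and the embedded sample s_client output are constructed from the quoted config, not captured from the reporter's server; the `-noservername` handling assumes an OpenSSL whose `s_client -help` lists that option (newer versions send SNI by default, older ones only with `-servername`).

```python
#!/usr/bin/env python3
"""Check which certificate each SSL listener actually serves, with and
without SNI, so a report like the one quoted above can be reproduced.

Added example for this thread; not code from the thread, from httpd or
from OpenSSL.  Assumptions: `openssl` is on PATH, and LISTENERS holds the
ip:port -> expected CN mapping taken from the quoted config (hypothetical;
edit it for your own hosts).
"""
import re
import subprocess

# Expected cert per listener, reconstructed from the quoted config.
LISTENERS = {
    ("10.137.1.104", 9901): "www.aaa.at",
    ("10.137.1.104", 9902): "www.aaa.de",
}

# Constructed s_client output (not captured from the reporter's server),
# in the old '/C=..' subject spelling and the newer 'C = ..' spelling.
SAMPLE_OLD_STYLE = """CONNECTED(00000003)
---
Certificate chain
 0 s:/C=AT/O=aaa/CN=www.aaa.de
   i:/C=AT/O=aaa/CN=www.aaa.de
---
subject=/C=AT/O=aaa/CN=www.aaa.de
issuer=/C=AT/O=aaa/CN=www.aaa.de
---
"""
SAMPLE_NEW_STYLE = """CONNECTED(00000003)
---
subject=C = AT, O = aaa, CN = www.aaa.at
issuer=C = AT, O = aaa, CN = www.aaa.at
---
"""


def parse_subject_cn(s_client_output):
    """Return the CN from the 'subject=' line, or None if the handshake
    produced no certificate (e.g. connection refused)."""
    for line in s_client_output.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            m = re.search(r"CN\s*=\s*([^,/]+)", line)
            if m:
                return m.group(1).strip()
    return None


def _supports_noservername():
    """Newer OpenSSL sends SNI by default and offers -noservername."""
    p = subprocess.run(["openssl", "s_client", "-help"], capture_output=True)
    return b"-noservername" in p.stdout + p.stderr


def s_client(ip, port, sni=None, timeout=10):
    """Run openssl s_client against ip:port.  SNI is sent only when `sni`
    is given; sni=None reproduces the reporter's plain
    `openssl s_client -connect IP:PORT` from a pre-SNI client."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (ip, port)]
    if sni:
        cmd += ["-servername", sni]
    elif _supports_noservername():
        cmd += ["-noservername"]
    p = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return p.stdout.decode("utf-8", "replace")


def probe_all(listeners):
    """Probe every listener without SNI and with every configured name as
    SNI.  Returns [(ip, port, sni, served_cn), ...]."""
    names = sorted(set(listeners.values()))
    results = []
    for (ip, port) in sorted(listeners):
        for sni in [None] + names:
            cn = parse_subject_cn(s_client(ip, port, sni))
            results.append((ip, port, sni, cn))
    return results


def find_mismatches(results, listeners):
    """Entries whose served CN differs from the CN configured for that
    ip:port.  For pure IP-based vhosts the answer must not depend on the
    SNI value, which is exactly what the report disputes."""
    return [(ip, port, sni, cn, listeners[(ip, port)])
            for ip, port, sni, cn in results
            if cn != listeners[(ip, port)]]


if __name__ == "__main__":
    res = probe_all(LISTENERS)
    for ip, port, sni, cn in res:
        print("%s:%d sni=%-12s served CN=%s" % (ip, port, sni or "(none)", cn))
    for ip, port, sni, cn, want in find_mismatches(res, LISTENERS):
        print("MISMATCH %s:%d sni=%s got %s, expected %s"
              % (ip, port, sni, cn, want))
```

A MISMATCH line for 10.137.1.104:9902 with sni=None is the reporter's symptom; a mismatch that appears only when a foreign name is sent as SNI would point at the name-based traversal instead. Either way the practical impact is the same: every client of that listener sees a certificate for the wrong name, so hostname verification fails or, worse, users are trained to click through the warning.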