httpd-docs mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Httpd Wiki] Update of "CommonMisconfigurations" by TomChiverton
Date Tue, 05 Aug 2014 09:08:40 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The "CommonMisconfigurations" page has been changed by TomChiverton:
https://wiki.apache.org/httpd/CommonMisconfigurations?action=diff&rev1=11&rev2=12

Comment:
SNI is widely deployed; make this section less scary, as name-based SSL will work for the
vast majority of users

    # SSL options, other options, and stuff defined here.
  </VirtualHost>
  }}}
+ See [[NameBasedSSLVHostsWithSNI]] for a detailed discussion, but in general most web browsers
will work correctly with the above setup, historically Windows XP was the major operating
system it would cause issues with.
+ 
- Because of the nature of SSL, host information isn't used when ''establishing'' an SSL connection.
Apache will always use the certificate of the default virtual host, which is the first defined
virtual host for name-based virtual hosts. While this doesn't mean that you won't ever be
able to access the second virtual host, it does mean your users will always get a certificate
mismatch warning when trying to access some.domain2.com. Read more about this at http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
Also, note that the configuration above isn't something someone would normally use for SSL,
which requires a static, non-shared IP address -- !NameVirtualHost 127.124.3.53:80 is a more
likely format. However, using !NameVirtualHost *:443 is common in howtos for Debian/Ubuntu.<<BR>><<BR>>
+ When clients without SNI attempt to connect host information isn't used so Apache will always
use the certificate of the default virtual host, which is the first defined virtual host for
name-based virtual hosts. This means your users will get a certificate mismatch warning when
trying to access some.domain2.com. Read more about this at http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2
<<BR>>Also, note that the configuration above isn't something someone would normally
use for SSL, which requires a static, non-shared IP address -- !NameVirtualHost 127.124.3.53:80
is a more likely format. However, using !NameVirtualHost *:443 is common in howtos for Debian/Ubuntu.<<BR>><<BR>>
  
  === Scope ===
  ==== Adding/Restricting access and options in <Directory /> ====
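
Review bot: The last added paragraph still says SSL "requires a static, non-shared IP address", which contradicts the new opening paragraph saying most web browsers will work correctly with the name-based setup above. Either limit that sentence to the case where clients without SNI must be supported, or drop it. The example it gives, "!NameVirtualHost 127.124.3.53:80", uses port 80 in a sentence about SSL, so it is worth checking whether 443 was intended. Wording: "When clients without SNI attempt to connect host information isn't used" needs a comma after "connect" to parse correctly, and the opening paragraph has a comma splice before "historically Windows XP".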

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

