httpd-users mailing list archives

From "Aaron Axelsen" <li...@frozenpc.net>
Subject RE: [users@httpd] SSL on Virtual Hosts
Date Tue, 28 Oct 2003 23:03:26 GMT
Maybe I should explain the environment a little more.  It is ok if it
creates a certificate error.  We are only using a self-signed certificate
for the time being.  Our main concern is that we only want SSL active on a
specific virtual host.  No matter what I do, we can still access the server
via SSL on any configured VH.

I only want vh.myserver.com to have SSL access.

This is the SSL VH declaration I am trying:

NameVirtualHost *:443
# Bound to *:443, so this block answers an SSL connection to ANY address the
# server listens on, whatever hostname the client typed.
<VirtualHost *:443>
    DocumentRoot "/path/to/doc/root"
    ServerName vh.myserver.com

    ServerAdmin me@me.com
    ErrorLog logs/ssl_error_log
    CustomLog logs/ssl_access_log combined

    SSLEngine on
    # Stock mod_ssl cipher list of the time; ALL still admits EXP, LOW and
    # SSLv2 suites, so this governs encryption strength only, not which
    # certificate is presented.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # The one certificate every SSL connection to this address:port receives
    SSLCertificateFile /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # MSIE workaround shipped in the default ssl.conf (trailing "\" continues
    # a directive onto the next line)
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    # Logs the negotiated protocol and cipher per request
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


>>-----Original Message-----
>>From: Larry McFarlane [mailto:LMcFarlane@tconl.com]
>>Sent: Tuesday, 28 October 2003 13:20
>>To: users@httpd.apache.org
>>Subject: Re: [users@httpd] SSL on Virtual Hosts
>>
>>
>>Won't this generate a certificate alert regardless?  For example, my
>>certificate is set for www.myserver.com.  If I do this for
>>newname.myserver.com, an alert will pop up saying my domain doesn't match
>>the domain on the certificate...
>
> Yes it will. Interestingly, the reason it works at all is due only to
> the fortuitous behaviour of apache when faced with a request without a
> Host header...
>
> To explain, if you have (unwittingly) set up several name-based SSL VHs
> then when you request an arbitrary site, the HTTPS request will arrive
> with an encrypted Host header. Apache will therefore default to its
> "what-to-do-if-no-Host" behaviour and will go to the FIRST VH in the
> config to find a cert. It will therefore use the cert from the 1st VH to
> set up the SSL session. This will usually cause a warning such as you
> describe. If you accept the warning and continue, an SSL session will be
> established and thereafter, apache will be able to read the Host headers
> so, oddly enough, the correct website will then be served.
>
> This accidental behaviour sometimes leads people to believe they have
> "solved" the problem of SSL NBVH but, although they have ensured
> encryption and are seeing the right website, they have not ensured
> authentication (as your warning demonstrates).
>
> Encryption is like sending your money to the bank in an armoured car.
> Authentication is making sure the car really does go to the bank...
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>
>
>>
>>On Mon, 27 Oct 2003 13:26:33 -0800, Roger B.A. Klorese
>><rogerk@queernet.org> wrote:
>>
>>>> I thought that with namebased virtual hosting that all this could be
>>>> accomplished via one ip?
>>>
>>> The encryption is established before the Host: header is passed in
>>> order to tell the web server which name-based virtual host you want.
>>>
>>> If you use SSL with name-based virtual hosts, the same cert and name
>>> will be used for all hosts on that IP address.
>>>
>>>
>>> ---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>>
>>--
>>Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
>>
>>
> This e-mail is of a private and personal nature. It is not related to
> the exchange or business activities of the SWX Swiss Exchange.
>
>
>>
>
> This message is for the named person's use only. It may contain
> confidential, proprietary or legally privileged information. No
> confidentiality or privilege is waived or lost by any mistransmission.
> If you receive this message in error, please notify the sender urgently
> and then immediately delete the message and any copies of it from your
> system. Please also immediately destroy any hardcopies of the message.
> You must not, directly or indirectly, use, disclose, distribute, print,
> or copy any part of this message if you are not the intended recipient.
> The sender's company reserves the right to monitor all e-mail
> communications through their networks. Any views expressed in this
> message are those of the individual sender, except where the message
> states otherwise and the sender is authorised to state them to be the
> views of the sender's company.
>
>
>
>
>


--
Aaron Axelsen
aim: aaak2
email: axelseaa@amadmax.com
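What Roger and Owen describe above (the certificate is chosen before the Host header exists, so the first *:443 VH's certificate is presented and the right site is served afterwards without being authenticated), as an added example that is not code from this thread or from Apache httpd: a Python model of that selection, extended to the single-block case from the question and to binding the SSL VH to its own IP address. Every hostname, the addresses 192.0.2.10 and 192.0.2.20, and the hostname-matching rule are constructed for the example; the SNI branch is not on the page and is included only to show the contrast once the name travels inside the TLS handshake.

```python
"""Added example, not code from the thread or from Apache httpd: a model of
how a pre-SNI Apache picks the certificate for a name-based SSL virtual
host and why that preserves encryption but not authentication.
All hostnames, addresses and certificate names are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualHost:
    address: str            # the <VirtualHost addr:port> the block is bound to
    server_name: str        # ServerName
    cert_cn: str            # subject CN of the cert in SSLCertificateFile
    cert_sans: tuple = ()   # dNSName subjectAltNames, if the cert has any


@dataclass(frozen=True)
class Outcome:
    presented_cn: str       # CN of the certificate the client was shown
    served_by: str          # ServerName of the VH that answered the request
    authenticated: bool     # cert name matched the host the client asked for


def hostname_matches(requested: str, cert_name: str) -> bool:
    """Exact match, or a single '*' covering only the leftmost label; this is
    the check whose failure produces the browser warning in the thread."""
    requested, cert_name = requested.lower(), cert_name.lower()
    if cert_name == requested:
        return True
    if cert_name.startswith("*.") and "*" not in cert_name[2:]:
        labels = requested.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == cert_name[2:]
    return False


def listeners_for(vhosts, dest_ip, port=443):
    """VHs able to answer a TCP connection to dest_ip:port. A '*:443' block
    answers on every address, an 'ip:443' block only on that address; an
    empty result means nothing speaks SSL there and the connect is refused."""
    return [vh for vh in vhosts
            if vh.address in (f"*:{port}", f"{dest_ip}:{port}")]


def cert_for_handshake(listeners, sni_name=None):
    """The certificate must be chosen before any HTTP, hence before the Host
    header, exists. Without SNI the only input is config order, so the first
    VH wins; with SNI the requested name is already in the ClientHello."""
    if sni_name:
        for vh in listeners:
            if hostname_matches(sni_name, vh.server_name):
                return vh
    return listeners[0]


def vhost_for_request(listeners, host_header):
    """Once the encrypted channel is up the request is readable and Host:
    selects the VH; an unknown name falls back to the first VH, as Apache does."""
    name = host_header.split(":")[0].lower()
    for vh in listeners:
        if vh.server_name.lower() == name:
            return vh
    return listeners[0]


def https_request(vhosts, dest_ip, host_header, sni_name=None):
    """Simulate one HTTPS request; None means the connection was refused."""
    listeners = listeners_for(vhosts, dest_ip)
    if not listeners:
        return None
    handshake_vh = cert_for_handshake(listeners, sni_name)
    served = vhost_for_request(listeners, host_header)
    wanted = host_header.split(":")[0]
    names = (handshake_vh.cert_cn,) + tuple(handshake_vh.cert_sans)
    return Outcome(handshake_vh.cert_cn, served.server_name,
                   any(hostname_matches(wanted, n) for n in names))


# Constructed configs. TWO_NAME_BASED is the "unwitting" setup Owen describes;
# ONE_NAME_BASED is the single *:443 block from the question; SPLIT_IP binds
# the SSL VH to a hypothetical address of its own, so other names, resolving
# elsewhere, reach no SSL listener at all.
TWO_NAME_BASED = [
    VirtualHost("*:443", "www.myserver.com", "www.myserver.com"),
    VirtualHost("*:443", "vh.myserver.com", "vh.myserver.com"),
]
ONE_NAME_BASED = [VirtualHost("*:443", "vh.myserver.com", "vh.myserver.com")]
SPLIT_IP = [VirtualHost("192.0.2.20:443", "vh.myserver.com", "vh.myserver.com")]

if __name__ == "__main__":
    print(https_request(TWO_NAME_BASED, "192.0.2.10", "vh.myserver.com"))
    print(https_request(TWO_NAME_BASED, "192.0.2.10", "vh.myserver.com",
                        sni_name="vh.myserver.com"))
    print(https_request(ONE_NAME_BASED, "192.0.2.10", "www.myserver.com"))
    print(https_request(SPLIT_IP, "192.0.2.10", "www.myserver.com"))
    print(https_request(SPLIT_IP, "192.0.2.20", "vh.myserver.com"))
```

The first request reproduces the thread's outcome: the www.myserver.com certificate is presented, vh.myserver.com is served, and the name check fails. The ONE_NAME_BASED case is the complaint in the question: a request for any other name on the same address is still answered by the SSL VH, because the block is bound to *:443 and Apache falls back to it, and the client sees the vh certificate for a name it did not ask for. Only SPLIT_IP refuses the other names, because nothing listens for SSL on their address.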


