httpd-users mailing list archives

From Duncan Brannen <...@st-andrews.ac.uk>
Subject Re: [users@httpd] separate certificate per virtual host
Date Thu, 03 Feb 2005 14:05:13 GMT

Not sure if anything's changed but I seem to remember that the SSL
handshake takes place before the virtual host requested is given, so
there is no way of knowing which server a user wants beforehand to give
them the correct certificate.

It may be possible to use aliases within the certificate to make it
valid for multiple hosts but I'm not sure how supported or wise that is.

   Duncan


Yassen Damyanov wrote:

>Hi all (my first post to this list):
>
>I could not find any help so far for resolving the following problem:
>
>apache 2.0.52 w/ dynamic virtual hosts (we host a lot of domains, so dynamic virtual hosting is a great relief -- I cannot part with it!)
>
>Need to present a host-specific SSL certificate for each virtual host, so the host name in the certificate matches the virtual host name. How to configure apache to handle this case?
>
>Any help or a pointer to a good reading will be appreciated!
>Thanks in advance!
>
>Yassen
>
>P.S. the virtual hosting and SSL-related directives of the apache config:
>
><Directory "/var/www/">
>    Options FollowSymLinks
>    Order allow,deny
>    Allow from all
></Directory>
><Directory "/var/www/webapps.mydomain.com/htdocs/">
>    SSLRequireSSL
></Directory>
>UseCanonicalName Off
>LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vcombined
>CustomLog "|/usr/sbin/apache2splitlogfile-yd01" vcombined
>VirtualDocumentRoot /var/www/%0/htdocs
>VirtualScriptAlias  /var/www/%0/cgi-bin
>
>
><IfDefine SSL>
>  <IfModule !mod_ssl.c>
>    LoadModule ssl_module    extramodules/mod_ssl.so
>  </IfModule>
></IfDefine>
><IfModule mod_ssl.c>
>Listen 443
><IfModule mod_mime.c>
>AddType application/x-x509-ca-cert .crt
>AddType application/x-pkcs7-crl    .crl
></IfModule>
>SSLPassPhraseDialog  builtin
>SSLSessionCache         shm:/var/cache/apache2/ssl_scache(128000)
>SSLSessionCacheTimeout  300
>SSLMutex  file:/var/cache/apache2/ssl_mutex
>SSLRandomSeed startup builtin
>SSLRandomSeed connect builtin
></IfModule>
>
>
><IfDefine SSL>
>  <IfModule !mod_ssl.c>
>    LoadModule ssl_module    extramodules/mod_ssl.so
>  </IfModule>
></IfDefine>
><IfModule mod_ssl.c>
><VirtualHost _default_:443>
>DocumentRoot "/var/www/localhost/htdocs"
>ServerName www.mydomain.com:443
>ServerAdmin webmaster@mydomain.com
>ErrorLog logs/ssl_error_log
><IfModule mod_log_config.c>
>TransferLog logs/ssl_access_log
></IfModule>
>SSLEngine on
>SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>SSLCertificateFile /etc/ssl/misc/myCA/certs/httpd-keycert.pem
>SSLCertificateChainFile /etc/ssl/misc/myCA/myCA-cert.pem
><Files ~ "\.(cgi|shtml|phtml|php?)$">
>    SSLOptions +StdEnvVars
></Files>
><Directory "/var/www/localhost/cgi-bin">
>    SSLOptions +StdEnvVars
></Directory>
><IfModule mod_setenvif.c>
>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
>    downgrade-1.0 force-response-1.0
></IfModule>
><IfModule mod_log_config.c>
>CustomLog logs/ssl_request_log \
>          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
></IfModule>
><IfModule mod_rewrite.c>
>RewriteEngine On
>RewriteOptions inherit
></IfModule>
></VirtualHost>
></IfModule>
>
>--- end ---
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
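An added example, not part of the original thread: assuming the "aliases within the certificate" mentioned in the reply are subjectAltName DNS entries, this sketch checks which virtual host names a single certificate on port 443 would cover. The alias list and the `customers.example` names are constructed for illustration, and a wildcard is treated as standing for exactly one leftmost label.

```python
"""Check which virtual host names one certificate's DNS aliases cover.

Added example: CERT_SANS and VHOSTS are constructed samples, not thread data.
"""

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if one subjectAltName DNS entry covers hostname.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label, so "*.example.test" covers neither "example.test"
    nor "a.b.example.test".
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require two fixed labels so entries such as "*.test" never match.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are rejected
    return p == h

def covered_hosts(san_list, vhosts):
    """Split vhost names into (covered, uncovered) for one certificate."""
    covered = [v for v in vhosts if any(san_matches(s, v) for s in san_list)]
    uncovered = [v for v in vhosts if v not in covered]
    return covered, uncovered

# Constructed sample: DNS aliases carried by the one certificate served on 443.
CERT_SANS = ["www.mydomain.com", "webapps.mydomain.com", "*.customers.example"]
# Constructed sample: names that dynamic virtual hosting would answer for.
VHOSTS = ["www.mydomain.com", "WebApps.MyDomain.com", "shop.customers.example",
          "a.shop.customers.example", "customers.example", "other.example"]

if __name__ == "__main__":
    ok, missing = covered_hosts(CERT_SANS, VHOSTS)
    print("covered by the certificate:", ok)
    print("would get a name-mismatch warning:", missing)
```

Any name in the second list still needs its own alias in the certificate, because the server has already sent that certificate by the time it learns which host was requested.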

