httpd-users mailing list archives

From Jeremy Hilton <jeremy-l...@adtcs.com>
Subject Re: [users@httpd] separate certificate per virtual host
Date Thu, 03 Feb 2005 14:11:06 GMT
On 2/3/05 9:05 AM, "Duncan Brannen" <dbb@st-andrews.ac.uk> wrote:

> 
> Not sure if anything's changed but I seem to remember that the SSL
> handshake takes place before the virtual host requested is given, so
> there is no way of knowing which server a user wants beforehand to give
> them the correct certificate.
> 
> It may be possible to use aliases within the certificate to make it
> valid for multiple hosts but I'm not sure how supported or wise that is.
> 
>  Duncan
> 
> 
> Yassen Damyanov wrote:
> 
>> Hi all (my first post to this list):
>> 
>> I could not find any help so far for resolving the following problem:
>> 
>> apache 2.0.52 w/ dynamic virtual hosts (we host a lot of domains, so dynamic
>> virtual hosting is a great relief -- I cannot part with it!)
>> 
>> Need to present a host-specific SSL certificate for each virtual host, so the
>> host name in the certificate matches the virtual host name. How to configure
>> apache to handle this case?
>> 
>> Any help or a pointer to a good reading will be appreciated!
>> Thanks in advance!
>> 
>> Yassen
>> 
>> P.S. the virtual hosting and SSL-related directives of the apache config:
>> 
>> <Directory "/var/www/">
>>    Options FollowSymLinks
>>    Order allow,deny
>>    Allow from all
>> </Directory>
>> <Directory "/var/www/webapps.mydomain.com/htdocs/">
>>    SSLRequireSSL
>> </Directory>
>> UseCanonicalName Off
>> LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vcombined
>> CustomLog "|/usr/sbin/apache2splitlogfile-yd01" vcombined
>> VirtualDocumentRoot /var/www/%0/htdocs
>> VirtualScriptAlias  /var/www/%0/cgi-bin
>> 
>> 
>> <IfDefine SSL>
>>  <IfModule !mod_ssl.c>
>>    LoadModule ssl_module    extramodules/mod_ssl.so
>>  </IfModule>
>> </IfDefine>
>> <IfModule mod_ssl.c>
>> Listen 443
>> <IfModule mod_mime.c>
>> AddType application/x-x509-ca-cert .crt
>> AddType application/x-pkcs7-crl    .crl
>> </IfModule>
>> SSLPassPhraseDialog  builtin
>> SSLSessionCache         shm:/var/cache/apache2/ssl_scache(128000)
>> SSLSessionCacheTimeout  300
>> SSLMutex  file:/var/cache/apache2/ssl_mutex
>> SSLRandomSeed startup builtin
>> SSLRandomSeed connect builtin
>> </IfModule>
>> 
>> 
>> <IfDefine SSL>
>>  <IfModule !mod_ssl.c>
>>    LoadModule ssl_module    extramodules/mod_ssl.so
>>  </IfModule>
>> </IfDefine>
>> <IfModule mod_ssl.c>
>> <VirtualHost _default_:443>
>> DocumentRoot "/var/www/localhost/htdocs"
>> ServerName www.mydomain.com:443
>> ServerAdmin webmaster@mydomain.com
>> ErrorLog logs/ssl_error_log
>> <IfModule mod_log_config.c>
>> TransferLog logs/ssl_access_log
>> </IfModule>
>> SSLEngine on
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> SSLCertificateFile /etc/ssl/misc/myCA/certs/httpd-keycert.pem
>> SSLCertificateChainFile /etc/ssl/misc/myCA/myCA-cert.pem
>> <Files ~ "\.(cgi|shtml|phtml|php?)$">
>>    SSLOptions +StdEnvVars
>> </Files>
>> <Directory "/var/www/localhost/cgi-bin">
>>    SSLOptions +StdEnvVars
>> </Directory>
>> <IfModule mod_setenvif.c>
>>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
>>    downgrade-1.0 force-response-1.0
>> </IfModule>
>> <IfModule mod_log_config.c>
>> CustomLog logs/ssl_request_log \
>>          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>> </IfModule>
>> <IfModule mod_rewrite.c>
>> RewriteEngine On
>> RewriteOptions inherit
>> </IfModule>
>> </VirtualHost>
>> </IfModule>
>> 
>> --- end ---
>> 

It is my understanding that by design, a certificate is only good for one
domain. You can use it for multiple domains, but most clients will alert to
the fact that the cert's domain name and the domain name you are trying to
access do not match. This seems to be a measure against fraudulent
activities such as phishing.

Jeremy
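
Duncan's point above is the whole constraint: with Apache 2.0 the server must pick its certificate before the client has sent a Host header, so the only way to serve a different certificate per name is one SSL virtual host per IP address (or per port), each with its own key and certificate. The fragment below is an added example written for this page, not configuration from the original post; the addresses 192.0.2.10 and 192.0.2.11, the hostnames and the certificate paths are assumptions. It also replaces the posted cipher string, which admits SSLv2, export-grade, LOW and NULL-encryption ciphers, with a restrictive one.

```apache
# Added example, not from the thread. Addresses, names and paths are placeholders.

# Plain HTTP stays name-based and dynamic, exactly as in the posted config.
Listen 80
UseCanonicalName Off
VirtualDocumentRoot /var/www/%0/htdocs
VirtualScriptAlias  /var/www/%0/cgi-bin

# HTTPS: the certificate is sent before any Host header arrives, so every
# certificate needs its own address:port pair.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

# Shared by all SSL hosts. The posted SSLCipherSuite allowed +SSLv2, +EXP,
# +LOW and +eNULL; this one does not.
SSLProtocol    all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW

# One address, one certificate, one name.
<VirtualHost 192.0.2.10:443>
    ServerName   www.mydomain.com:443
    DocumentRoot /var/www/www.mydomain.com/htdocs
    SSLEngine on
    SSLCertificateFile      /etc/ssl/misc/myCA/certs/www.mydomain.com.crt
    SSLCertificateKeyFile   /etc/ssl/misc/myCA/private/www.mydomain.com.key
    SSLCertificateChainFile /etc/ssl/misc/myCA/myCA-cert.pem
</VirtualHost>

# A second address with a second certificate. This one is assumed to carry
# several dNSName entries in subjectAltName (the "aliases" Duncan mentions),
# so inside this host the dynamic document root can still pick a directory
# from the Host header for each name the certificate covers. It is still
# exactly one certificate for this address.
<VirtualHost 192.0.2.11:443>
    ServerName  webapps.mydomain.com:443
    ServerAlias intranet.mydomain.com
    VirtualDocumentRoot /var/www/%0/htdocs
    SSLEngine on
    SSLCertificateFile      /etc/ssl/misc/myCA/certs/webapps-san.crt
    SSLCertificateKeyFile   /etc/ssl/misc/myCA/private/webapps-san.key
    SSLCertificateChainFile /etc/ssl/misc/myCA/myCA-cert.pem
</VirtualHost>
```

Run `apachectl configtest` before reloading, then confirm which certificate each address actually presents with `openssl s_client -connect 192.0.2.11:443 </dev/null | openssl x509 -noout -subject`; if the subject printed for the second address is still www.mydomain.com, the request was answered by the first (default) SSL host and the Listen/VirtualHost addresses do not line up.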


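The client-side check Jeremy describes is a hostname match against the names in the certificate. The script below is an added example, not code from the thread: it implements that check over the name structure Python's `ssl.SSLSocket.getpeercert()` returns. The certificates here are constructed dictionaries in that shape, reusing the mydomain.com names from the posted config, not real certificates. When a certificate has dNSName entries in subjectAltName those are the names that count and the CN is ignored; a wildcard is honoured only as the whole left-most label. The second and fifth cases in the `__main__` block are the mismatches a browser would warn about.

```python
"""Hostname-versus-certificate matching, as browsers do it.

Added example for this page, not code from the thread. The certificate
inputs are constructed dicts in the shape returned by
ssl.SSLSocket.getpeercert(); no real certificate is parsed here.
"""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 section 6.4.3).

    Comparison is case-insensitive and ignores a trailing dot. A '*' is
    honoured only as the entire left-most label, it matches exactly one
    label, and the remainder must have at least two labels so that "*.com"
    cannot cover every .com host.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_from_peercert(cert: dict):
    """Extract (commonName, [dNSName SANs]) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def cert_matches_host(hostname: str, subject_cn, san_dns_names):
    """Return (matched, reason).

    If the certificate carries any dNSName SAN entries, only those are
    consulted and the CN is ignored; a certificate with no SANs falls back
    to its CN. A False result is what produces the name-mismatch warning.
    """
    if san_dns_names:
        candidates, source = list(san_dns_names), "subjectAltName"
    else:
        candidates, source = ([subject_cn] if subject_cn else []), "CN"
    for name in candidates:
        if _dns_name_matches(name, hostname):
            return True, f"{name} ({source}) matches {hostname}"
    return False, f"none of {candidates} ({source}) matches {hostname}"


def check(cert: dict, hostname: str):
    """Convenience wrapper: take the names straight from a getpeercert()-style dict."""
    cn, sans = names_from_peercert(cert)
    return cert_matches_host(hostname, cn, sans)


# Constructed certificates (dict shape of ssl.getpeercert(), not real certs).
SINGLE_NAME_CERT = {  # like the posted _default_:443 host: one CN, no SAN
    "subject": ((("commonName", "www.mydomain.com"),),),
}
SAN_CERT = {  # one certificate naming several virtual hosts
    "subject": ((("commonName", "www.mydomain.com"),),),
    "subjectAltName": (("DNS", "www.mydomain.com"), ("DNS", "webapps.mydomain.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
}

if __name__ == "__main__":
    cases = [
        (SINGLE_NAME_CERT, "www.mydomain.com"),
        (SINGLE_NAME_CERT, "webapps.mydomain.com"),  # the mismatch warning
        (SAN_CERT, "webapps.mydomain.com"),
        (WILDCARD_CERT, "webapps.mydomain.com"),
        (WILDCARD_CERT, "mydomain.com"),             # wildcard needs a label
        (WILDCARD_CERT, "a.b.mydomain.com"),         # and matches only one
    ]
    for cert, host in cases:
        ok, why = check(cert, host)
        print("ok  " if ok else "WARN", why)
```

The fall-back to CN is kept only because certificates like the one in the posted config have no subjectAltName at all; anything issued today is expected to carry its names in the SAN list, and a CN that matches while the SAN list does not is still a mismatch.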
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

