httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Issac Goldstand <mar...@beamartyr.net>
Subject Re: [users@httpd] Request for Input: ApacheCon SSL Training
Date Mon, 19 Mar 2007 10:14:38 GMT
Wildcard support shouldn't have to be official, because there *is*
name-based virtualhost support for SSL.  It's well documented in RFC
2817 and 2818 and according to the cipher list, is supported by most
recent versions of mod_ssl in Apache 2.x

If you want to push "how to better allow for name-based SSL", it
shouldn't be to find more workarounds - it should be about how to get
the existing standards into more servers and browsers and make their use
a standard practice.

Just my $0.02,
   Issac


Chirouze Olivier wrote:
> Hi,
>
> I'm sorry I always insist on wildcard certificates being not officialy
> supported by Apache, but I think that's something to know about. You can
> save a bunch of dollars a year with this trick ;-)
>
> Here's what I recently wrote for a doc, feel free to correct me if I'm
> wrong:
>
> ------------------------------------------------------------------------
> ------------------------------------
> Name based virtual hosting is not officially compatible with HTTPS.
>
> The reason is:
> 1)	the request received by Apache is encrypted: only the source and
> destination IP addresses can be read by Apache (it is in the TCP header,
> not the encrypted HTTP request)
> 2)	for this reason, when using name based virtual host, no virtual
> host can be associated with the HTTPS request
> 3)	by default, the first SSLCertificateFile directive found is
> used: the first SSL certificate found is used
>
> However, if a single "wildcard" certificate is used by all virtual hosts
> on the same IP, then:
> 4)	the first certificate found is correct
> 5)	the request can be decrypted
> 6)	the server name can now be read and the right virtual host is
> found
> 7)	the rest of the process is similar to normal HTTP
>
> A few consequences:
> -	it only works because all the virtual hosts on the same IP use
> the same SSL certificate
> -	because they are virtual hosts with different names (hence the
> "name based"), the certificate can only be a "wildcard" certificate...
> -	when using this "unsupported feature" it is very important to
> make it clear that the virtual hosts use the same certificate => for
> example, move the "SSLCertificateFile" directive in a file and include
> it in all your virtual hosts. Then a change in this file will clearly
> affect all your virtual hosts.
>
> Very logically, wildcard certificates aren't officially supported by
> Apache either.
>
> Apache, when starting up, compares the server name of the SSL
> certificate with the configuration (virtual host) server name.
> Thus, when using a wildcard certificate, you will get such a warning at
> startup:
>
> [Fri Jul 21 13:40:10 2006] [warn] RSA server certificate CommonName (CN)
> `*.myserver.com' does NOT match server name!?
>
> See:
> -
> http://mail-archives.apache.org/mod_mbox/httpd-bugs/200512.mbox/%3C20051
> 214183548.6B3CC184@ajax.apache.org%3E
> -	http://www.lists.aldigital.co.uk/apache-ssl/msg03957.html
>
> Reference: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
>
> ------------------------------------------------------------------------
> ------------------------------------
>
> I'd be proud if I can help for ApacheCon ;-)
>
> Olivier
>
> Olivier CHIROUZE
> I&0 Infrastructure
> Volvo Information Technology
>  
>
>   
>> -----Original Message-----
>> From: Vincent Bray [mailto:noodlet@gmail.com] 
>> Sent: 19 March 2007 10:09
>> To: users@httpd.apache.org
>> Subject: Re: [users@httpd] Request for Input: ApacheCon SSL Training
>>
>> On 19/03/07, Sander Temme <sctemme@apache.org> wrote:
>>     
>>> Dear list,
>>>
>>> As I prepare my training session title "Practical SSL Implementation
>>> with Apache" for the upcoming ApacheCon EU conference, I would like
>>> to take a moment and request your feedback.
>>>       
>> #apache on freenode commonly sees quesions from people confused by the
>> various certificate formats and by the openssl command (hardly
>> surprising considering its man page). Perhaps some coverage of the
>> difference between pem/der/crt/whatever, and maybe ways to
>> validate/convert those formats?
>>
>> I can't attend the conference but I hope it turns out well, 
>> good luck :)
>>
>> -- 
>> noodl
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP 
>> Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>     
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>   


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message