From Sander Temme <scte...@apache.org>
Subject Re: [users@httpd] HTTPD and SSL Certs
Date Fri, 09 Mar 2007 19:37:53 GMT
Ian,

On Mar 9, 2007, at 11:01 AM, Ian Johnson wrote:

> Is there anyone out there that can answer the following set of
> questions for me (or point me to where I may find the information)?

If you're in Europe, you may consider attending my Practical SSL  
Implementation with Apache Training at ApacheCon EU 2007:

http://www.eu.apachecon.com/program/talk/120

> Any and all help/responses is greatly appreciated.
>
> While setting up ssl and apache 2 employing name servers I noticed
> that you may only have one cert per httpd server rather than, what I
> would consider desired, one per name.

You need to run every SSL-enabled virtual host on its own IP  
address.  This is necessary because the SSL handshake happens before  
the HTTP request (and its Host: header which drives name-based  
virtual hosting) is available to the server, and Apache needs to  
present the correct certificate for the server name under consideration.

> Be that as it may, having set up a self signed cert, I am getting
> certificate validation error that I don't believe I should be getting.
> That is:
>
> "Could not verify this certificate for unknown reasons"

What are you using for a client? A self-signed certificate cannot be  
verified by the browser unless you install that certificate in your  
browser's SSL certificate store as a trusted cert. You will get  
either of these errors, or both:

1) Your browser doesn't trust the certificate because it doesn't know  
the entity that issued it (which in your case is the certificate itself)

2) The browser connected to hostname A, but got a certificate for  
hostname B. This ties back to the issue you raised above: SSL hosts  
need to have their own IP, and for the browser to make the correct  
connection these need to resolve correctly in your DNS.

> My Questions then:
>
> 1.  Is there something wrong with my cert?

From the above error message, it's impossible to tell. I'll  
take a wild guess and say that your certificate is fine. Do make sure  
that the cert matches the private key:

$ openssl x509 -in yourcert.pem -noout -modulus | openssl md5
$ openssl rsa  -in yourkey.pem  -noout -modulus | openssl md5

should yield the same output. You should also be able to connect to  
the server by running openssl s_client -connect yourserver:443, type  
an HTTP request and get an HTTP response.

> 2.  Must my cert be signed by a registered authority to be  
> considered valid?

Yes, it has to be signed by an authority that your browser recognizes  
as valid.  Note that you can install your own authority (the cert  
itself if you have self-signed) in your browser as trusted entity.

If your site is an internal website and you have control over all  
your clients, you can install your own CA cert on those machines and  
be done. If your website is accessible to the general public and you  
don't want to saddle them with the burden of clicking through dialogs  
or installing your CA cert, give money to a CA already recognized by  
your users' browsers.

> 3.  What verifications are actually performed?

Depends on the client, but the following checks are generally performed:

1) Validity period of the certificate against the client system clock

2) Hostname to which the client connected vs. the Common Name (CN)
    attribute of the certificate Subject.  This is why your DNS records
    need to be in place and your server needs to present the correct
    certificate for a particular IP address

3) Certificate signature and chain of authority as presented by the
    server against the root CA certificates stored by the client or
    operating system

4) The client could check a Certificate Revocation List (CRL) or Online
    Certificate Status Protocol (OCSP) server to see whether the certificate
    is revoked, but no browser generally deployed in the field today does
    this by default.

> When using the 'testing purposes' cert that installs with the app I do
> not get this message.

I can't speak to your application or its installation, since you  
don't tell us what they are.

Hope the above gives you some idea of what is going wrong.

S.

-- 
sctemme@apache.org            http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/
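The two checks Sander describes, the key/cert modulus comparison and the client-side verification steps (trust in the issuer, hostname vs. certificate name), as one added shell example. This is not code from the thread or from the httpd project; it assumes an OpenSSL 1.1.1 or later command-line tool (for `-addext`) and uses constructed hostnames under example.test. The last two functions generalise the mail's manual `openssl s_client` check by running the chain and hostname validation offline with `openssl verify`.

```shell
#!/bin/sh
# Added example (not from the original mail). Requires the openssl CLI, 1.1.1+.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate an RSA key and a self-signed certificate for one hostname.
# The name goes into both CN and subjectAltName so either check style applies.
make_selfsigned() {   # $1 = hostname, $2 = key path, $3 = cert path
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2" -out "$3" >/dev/null 2>&1
}

# The check from the mail as a function: compare the md5 of the RSA modulus
# printed from the cert with the one printed from the key. Returns 0 on match.
key_matches_cert() {  # $1 = key path, $2 = cert path
    cert_mod="$(openssl x509 -in "$2" -noout -modulus | openssl md5)"
    key_mod="$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl md5)"
    [ "$cert_mod" = "$key_mod" ]
}

# Chain and hostname check the way a client performs it: trust anchor(s) in
# $2 (for a self-signed cert this can be the cert itself), expected name $3.
# Succeeds only when openssl reports ": OK"; exit codes differ across versions.
verify_for_host() {   # $1 = cert path, $2 = CA file, $3 = hostname
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" 2>&1 | grep -q ': OK$'
}

# Same cert with no trust anchor at all: this is what a browser sees before
# the self-signed cert (or its CA) has been installed as trusted.
verify_untrusted() {  # $1 = cert path
    openssl verify -no-CAfile -no-CApath "$1" 2>&1 | grep -q ': OK$'
}

run_demo() {
    make_selfsigned www.example.test   "$WORK/key.pem"      "$WORK/cert.pem"
    make_selfsigned other.example.test "$WORK/otherkey.pem" "$WORK/other.pem"

    key_matches_cert "$WORK/key.pem" "$WORK/cert.pem" \
        && echo "key.pem matches cert.pem"
    key_matches_cert "$WORK/otherkey.pem" "$WORK/cert.pem" \
        || echo "otherkey.pem does not match cert.pem (wrong key for this cert)"

    verify_untrusted "$WORK/cert.pem" \
        || echo "no trust anchor: issuer unknown to the client (error 1 in the mail)"
    verify_for_host "$WORK/cert.pem" "$WORK/cert.pem" www.example.test \
        && echo "cert trusted as its own CA and hostname matches"
    verify_for_host "$WORK/cert.pem" "$WORK/cert.pem" wrong.example.test \
        || echo "hostname mismatch (error 2 in the mail)"
}

run_demo
```

Run it as a plain script; it creates its files in a temporary directory and removes them on exit. Swapping in a real CA bundle for the `-CAfile` argument turns `verify_for_host` into the same check a browser makes against its trust store.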



