httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Allen Pulsifer" <pulsif...@comcast.net>
Subject RE: [users@httpd] VHOST and SSL
Date Thu, 07 Jun 2007 20:00:17 GMT
Hello Sebastien,

Short answer: the host running HTTPS must have a dedicated IP address.

Long answer: when a client connects to the server at port 443, the first
thing they will do is an SSL handshake.  This happens even before the client
sends its HTTPS request with the url and Host header.  Therefore, during
this handshake, the server has no idea what vhost the client wants to
connect to, and the server will send the only certificate it has for that IP
address.  The client will then report a certificate hostname mismatch error.
This again happens even before the client sends the HTTPS request.  If the
client attempts to continue with the connection and sends the HTTPS request
with the URL and Host header, what happens at that point is up to the
server.  What currently happens and what do you want to happen?

Allen

> -----Original Message-----
> From: Sebastien Roy [mailto:Apache@PointPub.NET] 
> Sent: Thursday, June 07, 2007 3:41 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] VHOST and SSL
> 
> 
> Hi folks,
> 
> We are running Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8b DAV/2 
> PHP/5.1.4 and everything is working perfectly except one 
> thing and I'm 
> sure it's a configuration problem.  We have some domains that 
> have SSL 
> certificate and some not.  My problem is very simple, what i'm doing 
> wrong if every vhost works using https and use the same certificate.  
> What I need is that for exemple https://www.mydomain.com works with 
> mydomain.com certificate but that https://www.myotherdom.com is not 
> answering 'cause the SSL is only applied to mydomain.com!
> 
> Right now every vhost is answering to SSL request.  The config looks 
> like that:
> 
> NameVirtualHost x.x.x.x:80
> NameVirtualHost x.x.x.x:443
> 
> <VirtualHost x.x.x.x:443>
>     ServerAdmin webmaster@mydomain.com
>     ServerName www.mydomain.com
>     DocumentRoot /services/mydomain.com
>     CustomLog /services/www-logs/mydomain.com.log combined
> 
> SSLEngine on
> SSLCipherSuite 
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /opt/Apache/2.2.3/conf/www.mydomain.com.crt
> SSLCertificateKeyFile /opt/Apache/2.2.3/conf/www.mydomain.com.key
> SSLCACertificateFile /opt/Apache/2.2.3/conf/SSLCA.crt
> 
> <FilesMatch "\.(cgi|shtml|phtml|php)$">
>     SSLOptions +StdEnvVars
> </FilesMatch>
> <Directory "/opt/Apache/2.2.3/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
> 
> BrowserMatch ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
> </VirtualHost>
> 
> <VirtualHost x.x.x.x:80>
>         ServerAdmin webmaster@otherdomain.com
>         ServerName www.otherdomain.com
>         ServerAlias otherdomain.com
>         DocumentRoot /services/otherdomain.com
>         CustomLog /services/www-logs/otherdomain.com.log 
> combined </VirtualHost>
> 
> 
> And my other question is how to replace
> 
> <VirtualHost x.x.x.x:80>
>         ServerAdmin webmaster@otherdomain.com
>         ServerName www.otherdomain.com
>         ServerAlias otherdomain.com
>         DocumentRoot /services/otherdomain.com
>         CustomLog /services/www-logs/otherdomain.com.log 
> combined </VirtualHost>
> 
> 
> with something like that:
> 
> <VirtualHost x.x.x.x:80>
>         ServerAdmin webmaster@$0
>         ServerName www.$0
>         ServerAlias $0
>         DocumentRoot /services/$0
>         CustomLog /services/www-logs/$0.log combined </VirtualHost>
> 
> 
> Thanks
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project. See 
> <URL:http://httpd.apache.org/userslist.html> for more info. 
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message