httpd-users mailing list archives

From Sebastien Roy <Apa...@PointPub.NET>
Subject Re: [users@httpd] VHOST and SSL
Date Thu, 07 Jun 2007 20:23:29 GMT
Hi Allen

What currently happens is the certificate error, and it points to the 
first vhost using SSL; what I want to happen is no answer at all from 
port 443 on that vhost.  So I think I will configure another IP just 
for SSL!

Thanks!


Allen Pulsifer wrote:
> Hello Sebastien,
>
> Short answer: the host running HTTPS must have a dedicated IP address.
>
> Long answer: when a client connects to the server at port 443, the first
> thing they will do is an SSL handshake.  This happens even before the client
> sends its HTTPS request with the url and Host header.  Therefore, during
> this handshake, the server has no idea what vhost the client wants to
> connect to, and the server will send the only certificate it has for that IP
> address.  The client will then report a certificate hostname mismatch error.
> This again happens even before the client sends the HTTPS request.  If the
> client attempts to continue with the connection and sends the HTTPS request
> with the URL and Host header, what happens at that point is up to the
> server.  What currently happens and what do you want to happen?
>
> Allen
>
>   
>> -----Original Message-----
>> From: Sebastien Roy [mailto:Apache@PointPub.NET] 
>> Sent: Thursday, June 07, 2007 3:41 PM
>> To: users@httpd.apache.org
>> Subject: [users@httpd] VHOST and SSL
>>
>>
>> Hi folks,
>>
>> We are running Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8b DAV/2 
>> PHP/5.1.4 and everything is working perfectly except one thing, and I'm 
>> sure it's a configuration problem.  We have some domains that have SSL 
>> certificates and some that do not.  My problem is very simple: what am I 
>> doing wrong if every vhost works using https and uses the same certificate?  
>> What I need is that, for example, https://www.mydomain.com works with the 
>> mydomain.com certificate but that https://www.myotherdom.com is not 
>> answering 'cause the SSL is only applied to mydomain.com!
>>
>> Right now every vhost is answering SSL requests.  The config looks 
>> like this:
>>
>> NameVirtualHost x.x.x.x:80
>> NameVirtualHost x.x.x.x:443
>>
>> <VirtualHost x.x.x.x:443>
>>     ServerAdmin webmaster@mydomain.com
>>     ServerName www.mydomain.com
>>     DocumentRoot /services/mydomain.com
>>     CustomLog /services/www-logs/mydomain.com.log combined
>>
>> SSLEngine on
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> SSLCertificateFile /opt/Apache/2.2.3/conf/www.mydomain.com.crt
>> SSLCertificateKeyFile /opt/Apache/2.2.3/conf/www.mydomain.com.key
>> SSLCACertificateFile /opt/Apache/2.2.3/conf/SSLCA.crt
>>
>> <FilesMatch "\.(cgi|shtml|phtml|php)$">
>>     SSLOptions +StdEnvVars
>> </FilesMatch>
>> <Directory "/opt/Apache/2.2.3/cgi-bin">
>>     SSLOptions +StdEnvVars
>> </Directory>
>>
>> BrowserMatch ".*MSIE.*" \
>>          nokeepalive ssl-unclean-shutdown \
>>          downgrade-1.0 force-response-1.0
>> </VirtualHost>
>>
>> <VirtualHost x.x.x.x:80>
>>         ServerAdmin webmaster@otherdomain.com
>>         ServerName www.otherdomain.com
>>         ServerAlias otherdomain.com
>>         DocumentRoot /services/otherdomain.com
>>         CustomLog /services/www-logs/otherdomain.com.log combined
>> </VirtualHost>
>>
>>
>> And my other question is how to replace
>>
>> <VirtualHost x.x.x.x:80>
>>         ServerAdmin webmaster@otherdomain.com
>>         ServerName www.otherdomain.com
>>         ServerAlias otherdomain.com
>>         DocumentRoot /services/otherdomain.com
>>         CustomLog /services/www-logs/otherdomain.com.log combined
>> </VirtualHost>
>>
>>
>> with something like that:
>>
>> <VirtualHost x.x.x.x:80>
>>         ServerAdmin webmaster@$0
>>         ServerName www.$0
>>         ServerAlias $0
>>         DocumentRoot /services/$0
>>         CustomLog /services/www-logs/$0.log combined
>> </VirtualHost>
>>
>>
>> Thanks
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP 
>> Server Project. See 
>> <URL:http://httpd.apache.org/userslist.html> for more info. 
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>     
