httpd-users mailing list archives

From Jorgen Lundman <>
Subject Re: [users@httpd] TLS SNI with user certificates.
Date Tue, 29 Jan 2008 03:44:57 GMT

As a quick hack, I set up the normal vhost to have a certificate 1 (it 
has to have one defined to even start after all), then patch 
set_ssl_vhost() to load a different "ctx" certificate 2. I would leak 
context like crazy, but as a quick proof-of-concept it would tell me if 
it is feasible.

         strcasecmp(servername, "")) {
         SSL_CTX *ctx;
         int status;

         found = TRUE;
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "example patch: 

         ctx = SSL_CTX_new(SSLv23_method());
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "new ctx %p", ctx);
         status = SSL_CTX_use_certificate_file(ctx,
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "loaded pem file %d", 

         if ((ssl = ((SSLConnRec *)myConnConfig(c))->ssl) == NULL)
             return 0;
         if (!(sc = mySrvConfig(s)))
             return 0;
         sc->server->ssl_ctx = ctx;
         SSL_CTX_set_app_data(ctx, s);
         return 1;

The last few lines, I have tried a few combinations in my attempt to 
make it work. I get the following output however:

[Tue Jan 29 12:23:38 2008] [error] Called set_ssl_vhost with 
[Tue Jan 29 12:23:38 2008] [error] example patch: loading
[Tue Jan 29 12:23:38 2008] [error] new ctx
[Tue Jan 29 12:23:38 2008] [error] loaded pem file 1
[Tue Jan 29 12:23:38 2008] [error] Re-negotiation handshake failed: Not accepted by client!?

And Seamonkey says: "the site uses a security protocol that isn't enabled".

Am I trying to patch it in too late in the game? Has it already sent 
part of the vhost certificate1 before certificate2?

If I create a vhost with, and certificate2, 
as well as the default vhost, both certificates work and load 
correctly. It is my hack that breaks things; I am not sure how much of 
Apache's framework I need to conform to.

Jorgen Lundman wrote:
> What is the state with TLS/SNI at the moment? We are exploring offering 
> SSL certificates to users, and in a perfect world we would like to keep 
> our httpd.conf free of provisioning.
> Apache 2.2.0
> OpenSSL-0.9.8e
> At the moment, all users' vhosts are defined as:
> <VirtualHost *:80>
>     VirtualDocumentRoot "/export/nfs/www/%-1/%-2.-1/%-2.-2/%-2+/"
> So a request for$path would translate as 
> /export/nfs/www/com/e/l/www.example/$path
> If that directory exists it is served.
> What would be ideal is if a user had a certificate as:
> /export/nfs/www/com/e/l/www.example/.certificate
> Then SSL TLS/SNI would use it and "everything would just work".
> (Minus Safari and Konqueror, from our current tests)
> Possible right now ? Possible if I add a little code?
> Lundy

Jorgen Lundman       | <>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500          (cell)
Japan                | +81 (0)3 -3375-1767          (home)
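The certificate lookup the quoted post wants, worked through as an added example (this is not code from the post, from httpd or from mod_ssl): a Python reimplementation of the VirtualDocumentRoot interpolation rules as documented for mod_vhost_alias (%N, %-N, %N+, %-N+, %N.M, %N.-M, %0, %p, %%, and an underscore where a part or character does not exist), applied to the SNI name to find the per-user certificate. It goes one step beyond the post: because the SNI server name is sent by the client before any authentication, it is validated as a plain RFC 1123 host name before it is allowed anywhere near a filesystem path, and the result is checked to stay under the vhost root. The root /export/nfs/www, the pattern and the .certificate file name are taken from the post; the validation rules (lower-casing, one trailing dot stripped, 253-byte cap, 63-byte labels) and all function names are assumptions of this example.

```python
"""Map a TLS SNI server name to a per-user certificate path.

Added example for the scheme in the post: the per-user certificate lives
under the VirtualDocumentRoot-style directory derived from the host name,
e.g. www.example.com -> /export/nfs/www/com/e/l/www.example/.certificate
"""
import posixpath
import re

# Taken from the post: the VirtualDocumentRoot pattern, its root, and the
# per-user certificate file name.  Everything else here is illustrative.
VHOST_PATTERN = "/export/nfs/www/%-1/%-2.-1/%-2.-2/%-2+/"
VHOST_ROOT = "/export/nfs/www"
CERT_FILE = ".certificate"

# One host-name label (RFC 1123): letters, digits, inner hyphens, 1..63 chars.
_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")

# mod_vhost_alias directives: %%, %p, %0, %N, %-N, %N+, %-N+, %N.M, %N.-M,
# %N.M+, %N.-M+ (N selects a dot-separated part, M a character of that part).
_DIRECTIVE_RE = re.compile(r"%(%|p|(-?\d+)(?:\.(-?\d+))?(\+)?)")


def _index(items, n):
    """1-based position n from the start (n > 0) or -n from the end (n < 0);
    None when that position does not exist."""
    idx = n - 1 if n > 0 else len(items) + n
    return idx if 0 <= idx < len(items) else None


def _pick(items, n, plus):
    """Select item n, or with '+' that item and everything after it (n > 0)
    or before it (n < 0).  A missing position yields '_', as the
    mod_vhost_alias documentation describes."""
    idx = _index(items, n)
    if idx is None:
        return ["_"]
    if not plus:
        return [items[idx]]
    return list(items[idx:]) if n > 0 else list(items[:idx + 1])


def interpolate(pattern, hostname, port=443):
    """Expand a mod_vhost_alias pattern for an already validated hostname."""
    parts = hostname.split(".")
    out, pos = [], 0
    for m in _DIRECTIVE_RE.finditer(pattern):
        out.append(pattern[pos:m.start()])
        pos = m.end()
        tok, n_str, m_str, plus = m.groups()
        if tok == "%":
            out.append("%")
        elif tok == "p":
            out.append(str(port))
        elif int(n_str) == 0:
            out.append(hostname)                     # %0 is the whole name
        elif m_str is None:
            out.append(".".join(_pick(parts, int(n_str), plus == "+")))
        else:
            idx = _index(parts, int(n_str))
            part = parts[idx] if idx is not None else ""
            out.append("".join(_pick(part, int(m_str), plus == "+")))
    out.append(pattern[pos:])
    return "".join(out)


def validate_sni_name(servername):
    """Canonicalize a client-supplied SNI name or raise ValueError.

    The name is attacker-controlled and must never reach the filesystem
    unchecked: only dot-separated RFC 1123 labels are accepted, so '/',
    '..', NUL, whitespace and non-ASCII can never end up in the path."""
    if not isinstance(servername, str) or not servername:
        raise ValueError("empty server name")
    name = servername.lower()
    if name.endswith("."):
        name = name[:-1]              # one trailing dot: absolute DNS name
    if len(name) > 253:
        raise ValueError("host name too long")
    for label in name.split("."):
        if not _LABEL_RE.fullmatch(label):
            raise ValueError("invalid label %r" % label)
    return name


def certificate_path_for_sni(servername, pattern=VHOST_PATTERN, root=VHOST_ROOT):
    """Path of the per-user certificate for an SNI name, or ValueError."""
    name = validate_sni_name(servername)
    path = posixpath.normpath(posixpath.join(interpolate(pattern, name), CERT_FILE))
    # Belt and braces: the result must stay inside the vhost root even if the
    # pattern is later changed to something that could climb out of it.
    if posixpath.commonpath([root, path]) != root:
        raise ValueError("certificate path escapes %s" % root)
    return path


def is_acceptable(servername):
    """True when servername maps to a certificate path, False when rejected."""
    try:
        certificate_path_for_sni(servername)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in ("www.example.com", "WWW.Example.COM.", "localhost",
                 "../etc", "www.example.com\x00", "a..b"):
        print("%-24r -> %s" % (name, certificate_path_for_sni(name)
                               if is_acceptable(name) else "rejected"))
```

The rejection path is the part worth keeping even if the interpolation is done by httpd itself: whatever loads the certificate in the SNI callback should only ever see a name that has passed validate_sni_name(), and should treat a missing .certificate as "fall back to the default vhost certificate" rather than as an error the client can provoke at will.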

The official User-To-User support forum of the Apache HTTP Server Project.
