httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jorgen Lundman <lund...@lundman.net>
Subject Re: [users@httpd] TLS SNI with user certificates.
Date Tue, 29 Jan 2008 03:44:57 GMT


As a quick hack, I setup the normal vhost to have a certificate 1 (it 
has to have one defined to even start after all) then patch 
set_ssl_vhost() to load a different "ctx" certificate 2. I would leak 
context like crazy, but as a quick proof-of-concept it would tell me if 
it is feasible.

         strcasecmp(servername, "www.example.com")) {
         SSL_CTX *ctx;
         int status;

         found = TRUE;
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "example patch: 
loading");

         ctx = SSL_CTX_new(SSLv23_method());
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "new ctx %p", ctx);
         status = SSL_CTX_use_certificate_file(ctx,
                         "/etc/certs/www.example.com.pem", 
X509_FILETYPE_PEM);
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "loaded pem file %d", 
status);

         if ((ssl = ((SSLConnRec *)myConnConfig(c))->ssl) == NULL)
             return 0;
         if (!(sc = mySrvConfig(s)))
             return 0;
         sc->server->ssl_ctx = ctx;
         SSL_set_SSL_CTX(ssl,sc->server->ssl_ctx);
         SSL_CTX_set_app_data(ctx, s);
         return 1;
     }


The last few lines, I have tried a few combinations in my attempt to 
make it work. I get the following output however:


[Tue Jan 29 12:23:38 2008] [error] Called set_ssl_vhost with 
'www.example.jp'
[Tue Jan 29 12:23:38 2008] [error] example patch: loading
[Tue Jan 29 12:23:38 2008] [error] new ctx
[Tue Jan 29 12:23:38 2008] [error] loaded pem file 1
[Tue Jan 29 12:23:38 2008] [error] Re-negotiation handshake failed: Not 
accepted by client!?


And Seamonkey says: "the site uses a security protocol that isn't enabled".


Am I trying to patch it in too late in the game?, has it already sent 
part of the vhost certificate1 before the example.com certificate2?

If I create a vhost with example.com, and example.com.pem certificate2, 
as well as the default vhost, both certificates work and loads 
correctly. It is my hack that breaks things, I am not sure how much of 
apache's framework I need to conform to.






Jorgen Lundman wrote:
> 
> What is the state with TLS/SNI at the moment? We are exploring offering 
> SSL certificates to users, and in a perfect world we would like to keep 
> our httpd.conf free of provisioning.
> 
> Apache 2.2.0
> OpenSSL-0.9.8e
> 
> At the moment, all users' vhosts are defined as:
> 
> <VirtualHost *:80>
>     VirtualDocumentRoot "/export/nfs/www/%-1/%-2.-1/%-2.-2/%-2+/"
> 
> So a request for http://www.example.com/$path would translate as 
> /export/nfs/www/com/e/l/www.example/$path
> 
> If that directory exists it is served.
> 
> What would be ideal is if a user had a certificate as:
> 
> /export/nfs/www/com/e/l/www.example/.certificate
> 
> Then SSL TLS/SNI would use it and "everything would just work".
> (Minus Safari, and Konquerer from our current tests)
> 
> 
> 
> Possible right now ? Possible if I add a little code?
> 
> Lundy
> 
> 

-- 
Jorgen Lundman       | <lundman@lundman.net>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500          (cell)
Japan                | +81 (0)3 -3375-1767          (home)

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message