httpd-users mailing list archives

From Reinhard Vicinus <r.vici...@metaways.de>
Subject Re: [users@httpd] ssl certifikate mismatch
Date Sun, 16 May 2010 11:42:08 GMT
On 14/05/10 23:08, Eric Covener wrote:
> On Fri, May 14, 2010 at 4:51 PM, Reinhard Vicinus<r.vicinus@metaways.de>  wrote:
>
>> Hi,
>>
>> Is the following behaviour of Apache 2.2.15 (Debian unstable) a feature or a
>> bug?
>>
>> Listen 10.0.0.1:81
>> <VirtualHost 10.0.0.1:81>
>>   SSLEngine on
>>   SSLCertificateFile /etc/apache2/conf/aaa.crt
>>   SSLCertificateKeyFile /etc/apache2/conf/aaa.key
>>
>>   ServerName aaa
>> </VirtualHost>
>>
>> Listen 10.0.0.2:81
>> <VirtualHost 10.0.0.2:81>
>>   SSLEngine on
>>   SSLCertificateFile /etc/apache2/conf/bbb.crt
>>   SSLCertificateKeyFile /etc/apache2/conf/bbb.key
>>
>>   ServerName aaa
>> </VirtualHost>
>>
>>
>> > curl https://bbb:81
>>   SSL: certificate subject name 'aaa' does not match target host name 'bbb'
>>
>> > curl https://10.0.0.2:81
>>   SSL: certificate subject name 'aaa' does not match target host name
>> '10.0.0.2'
>>
>> If I remove or change the ServerName directive so that they differ, then it
>> works as expected and certificate bbb is returned. If I switch the order of
>> the virtual host configurations, certificate bbb is also used if I query
>> 10.0.0.1:81.
>>
> SNI finds the right name-based vhost based on the normal name-based
> mechanisms (ServerName/ServerAlias), then uses the cert it finds there
> -- it doesn't find the right vhost by looking at your certificates.
>
>
My problem is that SNI breaks my configuration, which worked in older
Apache versions and looked like this:

Listen 10.137.1.104:9901
<VirtualHost 10.137.1.104:9901>
   SSLEngine on
   SSLCertificateFile /etc/apache2/conf/www.aaa.at.crt
   SSLCertificateKeyFile /etc/apache2/conf/www.aaa.at.key
   Include conf/www.aaa.misc
</VirtualHost>

Listen 10.137.1.104:9902
<VirtualHost 10.137.1.104:9902>
   SSLEngine on
   SSLCertificateFile /etc/apache2/conf/www.aaa.de.crt
   SSLCertificateKeyFile /etc/apache2/conf/www.aaa.de.key
   Include conf/www.aaa.misc
</VirtualHost>

Listen 10.137.1.104:9903
NameVirtualHost 10.137.1.104:9903
<VirtualHost 10.137.1.104:9903>
   Include conf/www.aaa.misc
</VirtualHost>

www.aaa.misc:
ServerName www.aaa.de
ServerAlias www.aaa.at

In my opinion SNI misuses the ServerName/ServerAlias directives, because 
in the documentation it is clearly stated: "Unless a NameVirtualHost 
directive is used for the exact IP address and port pair in the 
VirtualHost directive, Apache selects the best match only on the basis 
of the IP address (or wildcard) and port number." 
(http://httpd.apache.org/docs/2.2/vhosts/details.html) and therefore 
it's a bug.
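As an added example (not part of the thread), a small Python check that connects to each vhost with and without SNI, the way curl does by name and by IP address, and reports whether the presented certificate covers the name that vhost is supposed to serve. The hosts, port and CA file path in the usage section are assumptions, and SAMPLE_CERT is a constructed stand-in for the 'aaa' certificate in the dict shape Python's getpeercert() returns.

```python
import socket
import ssl

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns;
# it stands in for the 'aaa' certificate that the thread's 10.0.0.2:81 vhost
# presented instead of the one for 'bbb'.
SAMPLE_CERT = {
    "subject": ((("commonName", "aaa"),),),
    "subjectAltName": (("DNS", "aaa"), ("DNS", "*.aaa.example")),
}


def cert_names(cert):
    """DNS names the certificate is valid for: the SAN dNSName entries, with the
    subject CN used only as a fallback when the certificate carries no SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Exact match, or a single '*' standing for the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # e.g. ".aaa.example"
        prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return False


def cert_matches(cert, hostname):
    """True when hostname is covered by one of the certificate's names."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def presented_cert(host, port, sni, cafile):
    """Return the certificate a vhost presents. sni=None sends no SNI, which is
    what a server sees when a client connects by IP address. cafile is the CA
    (or the self-signed cert itself); without chain validation Python returns
    an empty dict, so the name check could not be done."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False                     # the name check is ours, above
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Hypothetical run against the thread's layout; CA path is a placeholder.
    for ip, name in (("10.0.0.1", "aaa"), ("10.0.0.2", "bbb")):
        for sni in (name, None):
            cert = presented_cert(ip, 81, sni, "/etc/apache2/conf/ca.crt")
            print(ip, "sni=%s" % sni, "OK" if cert_matches(cert, name) else "MISMATCH", cert_names(cert))
```

A MISMATCH on the no-SNI row shows which certificate the IP:port default vhost hands out; a MISMATCH on the SNI row shows that name-based selection landed on a vhost whose ServerName/ServerAlias does not carry the expected certificate.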
