httpd-users mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] ssl certifikate mismatch
Date Sun, 16 May 2010 16:37:07 GMT
> My problem is that SNI breaks my configuration that worked in older Apaches,
> which looked like this:
>
> Listen 10.137.1.104:9901
> <VirtualHost 10.137.1.104:9901>
>  SSLEngine on
>  SSLCertificateFile /etc/apache2/conf/www.aaa.at.crt
>  SSLCertificateKeyFile /etc/apache2/conf/www.aaa.at.key
>  Include conf/www.aaa.misc
> </VirtualHost>
>
> Listen 10.137.1.104:9902
> <VirtualHost 10.137.1.104:9902>
>  SSLEngine on
>  SSLCertificateFile /etc/apache2/conf/www.aaa.de.crt
>  SSLCertificateKeyFile /etc/apache2/conf/www.aaa.de.key
>  Include conf/www.aaa.misc
> </VirtualHost>
>
> Listen 10.137.1.104:9903
> NameVirtualHost 10.137.1.104:9903
> <VirtualHost 10.137.1.104:9903>
>  Include conf/www.aaa.misc
> </VirtualHost>
>
> www.aaa.misc:
> ServerName www.aaa.de
> ServerAlias www.aaa.at
>
> In my opinion SNI misuses the ServerName/ServerAlias directives, because in
> the documentation it is clearly stated: "Unless a NameVirtualHost directive
> is used for the exact IP address and port pair in the VirtualHost directive,
> Apache selects the best match only on the basis of the IP address (or
> wildcard) and port number."
> (http://httpd.apache.org/docs/2.2/vhosts/details.html) and therefore it's a
> bug.


What does the full apachectl -S look like on that config?

What was the local host:port the connection was on?

What SNI hostname was sent?

What certificate was selected?  Which certificate do you expect to be
selected, and why?


-- 
Eric Covener
covener@gmail.com
