httpd-users mailing list archives

From Frank Gingras <francois.ging...@gmail.com>
Subject Re: [users@httpd] SSL/SNI configuration oddity
Date Tue, 08 Jun 2010 17:48:46 GMT
On 08/06/2010 1:46 PM, Adkins, Marc wrote:
> I'm trying to configure multiple named virtual hosts with SSL using SNI.
> I believe that I'm running the latest versions of the software, and that
> SNI is built into it (as the first line apparently demonstrates):
>
>      [Tue Jun 08 05:19:42 2010] [warn]
>          Init: Name-based SSL virtual hosts only work for clients
>                with TLS server name indication support (RFC 4366)
>      [Tue Jun 08 05:19:42 2010] [info]
>          mod_ssl/2.2.14 compiled against
>              Server: Apache/2.2.14,
>              Library: OpenSSL/0.9.8k
>      [Tue Jun 08 05:19:42 2010] [notice]
>              Apache/2.2.14 (Ubuntu)
>              mod_ssl/2.2.14
>              OpenSSL/0.9.8k
>              mod_perl/2.0.4
>              Perl/v5.10.1
>          configured -- resuming normal operations
>
> The following doesn't work right:
>
>      <VirtualHost *:80 *:443>
>          ServerName          host.alpha.tld
>          DocumentRoot        /var/www/htdocs/alpha
>
>          SSLEngine               on
>          SSLCertificateFile      ${WEB_CERT}/star.alpha.crt
>          SSLCertificateKeyFile   ${WEB_CERT}/star.alpha.key
>          SSLProtocol             all -SSLv2
>          ...
>      </VirtualHost>
>
>      <VirtualHost *:80 *:443>
>          ServerName          host.bravo.tld
>          DocumentRoot        /var/www/htdocs/bravo
>
>          SSLEngine               on
>          SSLCertificateFile      ${WEB_CERT}/star.bravo.crt
>          SSLCertificateKeyFile   ${WEB_CERT}/star.bravo.key
>          SSLProtocol             all -SSLv2
>          ...
>      </VirtualHost>
>
> It's kind of odd.  The HTTPS site will connect just fine.  The HTTP site
> just returns my custom error page.  None of my trace statements in the
> mod_perl handler fire for the original page, just for the error page.
> So mod_perl isn't seeing it, whatever is happening is in the Apache core.
>
> In addition, I get this:
>
>      [Tue Jun 08 17:30:24 2010] [info]
>          [client ###.###.###.###] Connection to child 5 established
>              (server test.alpha.org:443)
>      [Tue Jun 08 17:30:24 2010] [info]
>          Seeding PRNG with 648 bytes of entropy
>      [Tue Jun 08 17:30:24 2010] [info]
>          [client 97.126.76.90] SSL handshake failed:
>              HTTP spoken on HTTPS port; trying to send HTML error page
>      [Tue Jun 08 17:30:24 2010] [info]
>          SSL Library Error: 336027804
>              error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:
>              http request speaking HTTP to HTTPS port!?
>
> which suggests that I'm connecting on port 443 using HTTP which failed.
> But I'm not, I'm going to the HTTP site which should be on port 80.
>
> I've tried this using Firefox 3.6, wget, and telnet to port 80.  It all
> happens the same way.  So it isn't the client side, it's definitely in
> the server (or its configuration).
>
> When I turn SSLEngine from 'on' to 'optional' the HTTP site works and the
> HTTPS site fails with message:
>
>      SSL received a record that exceeded the maximum permissible length.
>
> (not my custom error page).  In the Apache 2.2 documentation for mod_ssl
> it is stated:
>
>      enables support for RFC 2817, Upgrading to TLS Within HTTP/1.1.
>      At this time no web browsers support RFC 2817.
>
> A little online searching suggests that Firefox does not.  I didn't
> keep searching after that.
>
> OK, after some trial and error, here's something that WORKS:
>
>      <VirtualHost *:80>
>          ServerName          host.alpha.tld:80
>          DocumentRoot        /var/www/htdocs/alpha
>          ...
>      </VirtualHost>
>
>      <VirtualHost *:443>
>          ServerName          host.alpha.tld:443
>          DocumentRoot        /var/www/htdocs/alpha
>
>          SSLEngine               on
>          SSLCertificateFile      ${WEB_CERT}/star.alpha.crt
>          SSLCertificateKeyFile   ${WEB_CERT}/star.alpha.key
>          SSLProtocol             all -SSLv2
>          ...
>      </VirtualHost>
>
> Note that these are both the FIRST virtual host, with separate ports,
> so there would be two more virtual host blocks.  In each case this means
> duplication of the contents of the original virtual host so that there
> are two nearly identical ones, which is unpleasant for maintenance.
>
> I can't help thinking that what I want to do is not so weird and that
> it should work.  Therefore I think I'm looking for some magic cookie
> for the configuration file.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>     "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

Marc,

You can't serve HTTP and HTTPS content from the same vhost.

You can use the Include directive to reduce clutter.

Frank.
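A split-vhost layout along the lines Frank suggests, written here as an added example and not taken from the thread or from the Apache project: the settings that are the same for both schemes live in one per-site fragment that the *:80 and the *:443 blocks both Include, so the near-identical duplicates Marc describes go away, and mod_ssl is configured only on the port that actually speaks TLS. The file paths, the name of the shared fragment, the Directory block and the commented-out Redirect are assumptions; the host names, certificate paths and SSLProtocol line are the ones from Marc's post.

```apache
# Added example (not from the thread). All paths are assumptions.

# ===== /etc/apache2/sites-common/alpha.conf  (assumed path) =====
# Everything that does not depend on whether the request came in over
# HTTP or HTTPS lives here, once, and is pulled into both vhosts.
DocumentRoot    /var/www/htdocs/alpha
<Directory /var/www/htdocs/alpha>
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
# per-site mod_perl handler, logging and so on belong here as well

# ===== /etc/apache2/sites-available/alpha.conf  (assumed path) =====
# Plain HTTP only: no SSLEngine in this block, so mod_ssl never tries to
# run a TLS handshake on port 80 (the "HTTP spoken on HTTPS port" error
# in the log is what happens when one vhost binds *:80 and *:443 with
# SSLEngine on).
<VirtualHost *:80>
    ServerName  host.alpha.tld
    Include     /etc/apache2/sites-common/alpha.conf
    # Alternative if the site must not be served over plain HTTP at all:
    # Redirect permanent / https://host.alpha.tld/
</VirtualHost>

# TLS. This is the first *:443 vhost in the configuration, so it is also
# the one that a client sending no SNI (the RFC 4366 warning at startup)
# will be handed, whatever host it asked for.
<VirtualHost *:443>
    ServerName  host.alpha.tld
    Include     /etc/apache2/sites-common/alpha.conf
    SSLEngine               on
    SSLCertificateFile      ${WEB_CERT}/star.alpha.crt
    SSLCertificateKeyFile   ${WEB_CERT}/star.alpha.key
    SSLProtocol             all -SSLv2
</VirtualHost>

# ===== /etc/apache2/sites-available/bravo.conf  (assumed path) =====
<VirtualHost *:80>
    ServerName  host.bravo.tld
    Include     /etc/apache2/sites-common/bravo.conf
</VirtualHost>

# Reached only through SNI. With SSLStrictSNIVHostCheck on (mod_ssl
# 2.2.12 and later) a non-SNI client that ends up here is refused
# instead of silently being served the alpha vhost's content.
<VirtualHost *:443>
    ServerName  host.bravo.tld
    Include     /etc/apache2/sites-common/bravo.conf
    SSLEngine               on
    SSLCertificateFile      ${WEB_CERT}/star.bravo.crt
    SSLCertificateKeyFile   ${WEB_CERT}/star.bravo.key
    SSLProtocol             all -SSLv2
    SSLStrictSNIVHostCheck  on
</VirtualHost>
```

To check the result: `apache2ctl -S` prints the port-to-vhost mapping and shows which *:443 block is the default; `openssl s_client -connect host.bravo.tld:443 -servername host.bravo.tld` should present the bravo certificate, while the same command without `-servername` shows what a non-SNI client gets (the alpha certificate, or a refusal where SSLStrictSNIVHostCheck is on); and `curl -sI http://host.alpha.tld/` should return plain HTTP headers rather than the custom error page. The `SSLProtocol all -SSLv2` line is kept as Marc had it; on a current build you would also drop SSLv3 and TLS 1.0/1.1, which the Apache 2.2.14 / OpenSSL 0.9.8k pair in his log cannot do.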
