From: Reg (SEO Web Sales)
Date: Fri, 11 May 2012 13:10:46 -0700
To: users@httpd.apache.org
In-Reply-To: <1336766636.43305.ezmlm@httpd.apache.org>
Message-ID: <1681376045.20120511131046@seowebsales.com>
Subject: [users@httpd] Problem with Multiple VirtualHosts with SSL using Named Virtual Hosts (SNI)

I've set up Apache to handle named virtual hosts with SSL; however, there is something I am missing because it doesn't work. This is my first time trying multiple SSL hosting, but I have had one SSL domain working for years on this server.

The certificates check out, because if I comment out the section for domain1.com then domain2.com works perfectly in the browser, i.e. no warning message and straight into https://www.domain2.com seamlessly. Of course domain1.com gives the "untrusted certificate" warning, since it's the wrong certificate the browser is getting.

When I uncomment the lines for domain1.com, then domain1.com works seamlessly as domain2.com did, but now domain2.com gives the "untrusted certificate" warning in the browser, so Apache is defaulting to the first certificate it finds to serve up to the browser.

I can't find anything more to do to make this work, so I'm hoping someone who has made this work could look at my Apache configuration and tell me what I am doing wrong.

I also checked the Apache log and I get this message:

[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

which, from what I read, means that Apache is properly set up for name-based virtual domains with SSL.

The software is:

    openSUSE 11.4
    Apache 2.2.17
    openSSL 1.0.0c
    FireFox 12.0 Linux & Windows, IE7 Vista

I've checked all of the above software versions and as far as I can see it is all new enough to work with SNI.

Any help really appreciated!
Reg

Relevant Apache configuration:

  Listen 443
  NameVirtualHost *:443

  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl    .crl
  SSLPassPhraseDialog  builtin
  SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache(512000)
  SSLSessionCacheTimeout  600
  SSLMutex  default
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin

  <Directory "/srv/www/vhosts/live/m/multi-001/www">
     Options none
     AllowOverride all
     Order allow,deny
     Allow from all
  </Directory>

  # Old stuff we'll probably never use
  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
     SSLOptions +StdEnvVars
  </Files>
  <Directory "/srv/www/cgi-bin">
     SSLOptions +StdEnvVars
  </Directory>
  SetEnvIf User-Agent ".*MSIE.*" \
     nokeepalive ssl-unclean-shutdown \
     downgrade-1.0 force-response-1.0
  #
  # www.domain1.com
  #
  # Live: live/www.domain1.com
  <VirtualHost *:443>
      DocumentRoot "/srv/www/vhosts/live/m/multi-7/www/"
      ServerName domain1.com:443
      ServerAlias www.domain1.com:443
      ServerAdmin webmaster@domain1.com
      <Directory "/srv/www/vhosts/live/m/multi-7/www">
        Options none
        AllowOverride all
        Order allow,deny
        Allow from all
      </Directory>
      SSLEngine on
      SSLCertificateFile /etc/ssl/private/crt/domain1.com.crt
      SSLCertificateKeyFile /etc/ssl/private/key/domain1.com.key
      SSLCertificateChainFile /etc/ssl/private/bundle/domain1.com.crt.bundle
      CustomLog   '/var/log/apache2/d/domain1.com_reqst'   ssl_combined
      ErrorLog    '/var/log/apache2/d/domain1.com_error'
      RewriteLog  '/var/log/apache2/d/domain1.com_rewri'
  </VirtualHost>
  #
  # www.domain2.com
  #
  # Live: live/www.domain2.com
  <VirtualHost *:443>
    DocumentRoot "/srv/www/vhosts/live/m/multi-7/www/"
    ServerName domain2.com:443
    ServerAlias www.domain2.com:443
    ServerAdmin webmaster@domain2.com
    <Directory "/srv/www/vhosts/live/m/multi-7/www">
      Options none
      AllowOverride All
      Order allow,deny
      Allow from all
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/ssl/private/crt/domain2.com.crt
    SSLCertificateKeyFile /etc/ssl/private/key/domain2.com.key
    SSLCertificateChainFile /etc/ssl/private/bundle/domain2.com.crt.bundle
    CustomLog  '/var/log/apache2/d/domain2.com_acces' ssl_combined
    ErrorLog   '/var/log/apache2/d/domain2.com_error'
    RewriteLog '/var/log/apache2/d/domain2.com_rewri'
  </VirtualHost>
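The quickest way to settle where the problem in the post above lies is to ask the server, outside any browser, which certificate it hands out for each SNI name and which it hands out when no SNI is sent at all. The script below is an added example for this thread; it is not the poster's configuration and not part of Apache. It assumes openssl(1) is on PATH, that TARGET is the server's IP address (an IP literal is never sent as SNI, so the "no SNI" probe really sends none even on OpenSSL 1.1.1+, where s_client otherwise sends the -connect hostname by default), that HTTPS is on port 443, and the sample certificate text in the test input is constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's configuration and not Apache's own code.
# Fetches the certificate a server presents once per SNI name and once with no
# SNI, and reports whether each certificate actually covers the name asked for.
#
# Assumptions (not from the original post): openssl(1) is on PATH, TARGET is an
# IP address, HTTPS is on port 443.
# Usage: sh sni_check.sh 203.0.113.10 domain1.com www.domain1.com domain2.com www.domain2.com

# Print the subject CN and the DNS SANs found in `openssl x509 -noout -text`
# output read from stdin, space-separated on one line.
extract_names() {
    awk '
        /^ *Subject:/ {
            if (match($0, "CN *= *[^,/]+")) {
                cn = substr($0, RSTART, RLENGTH)
                sub("CN *= *", "", cn)
                names[cn] = 1
            }
        }
        /Subject Alternative Name/ {
            getline                       # the SAN entries are on the next line
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                p = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", p)
                if (sub(/^DNS:/, "", p)) names[p] = 1
            }
        }
        END {
            out = ""
            for (k in names) out = out (out == "" ? "" : " ") k
            print out
        }
    '
}

# Return 0 when hostname $1 is covered by one of the names in list $2.
# A wildcard only covers the leftmost label: *.example.com covers
# www.example.com but neither example.com nor a.b.example.com.
name_matches() {
    host=$1 found=1
    set -f                                # no pathname expansion while splitting $2
    for n in $2; do
        case $n in
            \*.*) suffix=${n#\*.}; rest=${host#*.}
                  [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ] && found=0 ;;
            *)    [ "$n" = "$host" ] && found=0 ;;
        esac
    done
    set +f
    return $found
}

# Fetch the certificate TARGET ($1) presents for SNI name $2 (empty = send no
# SNI) and print the names on it. Verification is deliberately not done here:
# the point is to see the wrong certificate, not to be stopped by it.
probe() {
    target=$1 sni=$2
    if [ -n "$sni" ]; then
        out=$(openssl s_client -connect "$target:443" -servername "$sni" </dev/null 2>/dev/null)
    else
        out=$(openssl s_client -connect "$target:443" </dev/null 2>/dev/null)
    fi
    printf '%s\n' "$out" | openssl x509 -noout -text 2>/dev/null | extract_names
}

# Probe every name and report. Exit 1 if any name received a certificate that
# does not cover it, which is exactly the browser's "untrusted certificate" case.
main() {
    target=$1; shift
    printf '%-24s %s\n' 'no SNI (default vhost):' "$(probe "$target" "")"
    rc=0
    for h in "$@"; do
        names=$(probe "$target" "$h")
        if name_matches "$h" "$names"; then
            printf '%-24s OK    (%s)\n' "$h" "$names"
        else
            printf '%-24s WRONG (%s)\n' "$h" "$names"
            rc=1
        fi
    done
    return $rc
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

Reading the output: the no-SNI line is expected to show the first `*:443` vhost's certificate, which is what the Apache warning in the post describes. If each named probe then comes back OK, the server honours SNI and the client is the one not sending it. If every probe, named or not, returns the same certificate, the server side is ignoring SNI; in that case `apache2ctl -S` lists the port-443 vhosts Apache actually parsed and in what order, which shows whether another `*:443` vhost elsewhere in the configuration is being matched first.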