httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Gordon" <CGor...@aires.com>
Subject Re: [users@httpd] Virtual Hosts and SSL Puzzler
Date Tue, 22 Oct 2013 14:08:16 GMT
I think the previous poster, I shift deleted the mail but I think it is a prominent poster
here 'Pete Houston' who had a very good point.  It could just be that you have mixed content.
 You can use a development mode of a browser to find any links to http content, that will
certainly break the prety green lock.  Maybe just view source and search for a link to something
served vie http.
 
To answer your questions:
"Doesn't the SSLCertificate parameter for each VH say which cert to use? 


Yes, but how does Apache know which VH to get the cert from until it has used a cert to decrypt
the SSL?  It just used the first cert in this case.  IP Bases will get you around this.  I
said chicken - egg because Apache needs to read a header to know what VH to use but it can't
read the header until it picks a vhost and uses the cert to decrypt the message.

 
Why does it work for 2 of the VH's but not the 3rd?"


I'm not sure, but like I mention above, it may be worth looking for non SSL content before
going further down this rabbit hole.  Order of Vhouts could be one answer, but your public
is 3rd.  If you used to have a wiild card cert as the first vhost and now its not a wald card
host that could explain issues.  Maybe the CN values in the first host covered the first 2
domains and not the third?  WAGing here, so I'll stop.  I'm not an expert, just offering help
because I just setup a similar environment.

I hope I'm not taking you in the wrong direction with this.  It is worth understanding though.
 I'm very sure I have a good deal to learn as well.

>>> Dennis Putnam <dap1@bellsouth.net> 10/22/2013 9:20 AM >>>
On 10/22/2013 9:10 AM, Chris Gordon wrote:


Sorry, brevity is not my strong point.  
 
Because I do not know what your certs look like as far as what domain(s) are considered CNs
I'm going to guess it has something to do with the following...
 
SSL wraps http and you need a cert to decrypt the data sent via SSL.  If you have 3 virtual
hosts and you are using Name Based Virtual Hosting how does the Apache web server know which
cert to use to decrypt and read the header so it can properly route the data.  The short answer
per my understanding is that Apache has no clue and uses the default vhost's cert (the first
one in the confi file) to read the SSL.  If these were all the same domain such as tuna.foo.com,
seabass.foo.com and marlin.foo.com you could get away with using the same *.foo.com wildcard
cert.   Here is a good doc with these work arounds: https://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf
 
I'm guessing your problem is somewhere in this domain.  I believe that Name Based Virtual
Hosting is not the answer for you.  Try IP Based: http://httpd.apache.org/docs/2.2/vhosts/ip-based.html
 
or use a wildcard cert...  Here is a warning about your config and a better explanation I
presume: 
http://wiki.apache.org/httpd/NameBasedSSLVHosts
 
I just ran into this.  Silly me for not realizing that a Web Server that routes bases on headers
would need to read the encrypted header to route it.  Chicken-Egg problem.
 
Chris --V


>>> Dennis Putnam <dap1@bellsouth.net> ( mailto:dap1@bellsouth.net ) 10/22/2013
8:26 AM >>>
I have 3 virtual hosts that for all I can see are configured identically
other the the obviously needed differences. The same is true of the 3
crt files.

<VirtualHost *:443>
        ServerName public.mydomain.com
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile /etc/httpd/SSL/public.crt
        SSLCertificateKeyFile /etc/postfix/SSL/server.key
</VirtualHost>
<VirtualHost *:443>
        ServerName distrib.mydomain.com
        DocumentRoot /var/www/html/distrib
        SSLEngine on
        SSLCertificateFile /etc/httpd/SSL/distrib.crt
        SSLCertificateKeyFile /etc/postfix/SSL/server.key
</VirtualHost>
<VirtualHost *:443>
        ServerName mail.mydomain.com
        DocumentRoot  /usr/local/squirrelmail/www
        SSLEngine on
        SSLCertificateFile /etc/httpd/SSL/mail.crt
        SSLCertificateKeyFile /etc/postfix/SSL/server.key
</VirtualHost>

The problem is that 2 of them work perfectly and the lock shows up in
the browser. With the third (public), I get a gray globe indicating
partial encryption which does not prevent eavesdropping. I have no clue
how to debug this or even where to look. Can someone point me in the
right direction? Thanks.




The information contained in this e-mail and any accompanying documents may contain information
that is confidential or otherwise protected from disclosure. If you are not the intended recipient
of this message, or if this message has been addressed to you in error, please immediately
alert the sender by reply e-mail and then delete this message, including any attachments.
Any dissemination, distribution or other use of the contents of this message by anyone other
than the intended recipient is strictly prohibited. 
Thanks for the reply. Now I'm confused. Doesn't the SSLCertificate parameter for each VH say
which cert to use? Why does it work for 2 of the VH's but not the 3rd?

The information contained in this e-mail and any accompanying documents may contain information
that is confidential or otherwise protected from disclosure. If you are not the intended recipient
of this message, or if this message has been addressed to you in error, please immediately
alert the sender by reply e-mail and then delete this message, including any attachments.
Any dissemination, distribution or other use of the contents of this message by anyone other
than the intended recipient is strictly prohibited.

Mime
View raw message