httpd-users mailing list archives

From Dennis Putnam <d...@bellsouth.net>
Subject Re: [users@httpd] Virtual Hosts and SSL Puzzler
Date Tue, 22 Oct 2013 13:20:46 GMT
On 10/22/2013 9:10 AM, Chris Gordon wrote:
> Sorry, brevity is not my strong point. 
>  
> Because I do not know what your certs look like as far as what
> domain(s) are considered CNs I'm going to guess it has something to do
> with the following...
>  
> SSL wraps http and you need a cert to decrypt the data sent via SSL. 
> If you have 3 virtual hosts and you are using Name Based Virtual
> Hosting how does the Apache web server know which cert to use to
> decrypt and read the header so it can properly route the data.  The
> short answer per my understanding is that Apache has no clue and uses
> the default vhost's cert (the first one in the config file) to read the
> SSL.  If these were all the same domain such as tuna.foo.com,
> seabass.foo.com and marlin.foo.com you could get away with using the
> same *.foo.com wildcard cert.   Here is a good doc with these
> workarounds:
> https://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf
>  
> I'm guessing your problem is somewhere in this domain.  I believe that
> Name Based Virtual Hosting is not the answer for you.  Try IP Based:
> http://httpd.apache.org/docs/2.2/vhosts/ip-based.html
>  
> or use a wildcard cert...  Here is a warning about your config and a
> better explanation I presume:
> http://wiki.apache.org/httpd/NameBasedSSLVHosts
>  
> I just ran into this.  Silly me for not realizing that a Web Server
> that routes based on headers would need to read the encrypted header
> to route it.  Chicken-Egg problem.
>  
> Chris --V
>
>
> >>> Dennis Putnam <dap1@bellsouth.net> 10/22/2013 8:26 AM >>>
> I have 3 virtual hosts that for all I can see are configured identically
> other than the obviously needed differences. The same is true of the 3
> crt files.
>
> <VirtualHost *:443>
>         ServerName public.mydomain.com
>         DocumentRoot /var/www/html
>         SSLEngine on
>         SSLCertificateFile /etc/httpd/SSL/public.crt
>         SSLCertificateKeyFile /etc/postfix/SSL/server.key
> </VirtualHost>
> <VirtualHost *:443>
>         ServerName distrib.mydomain.com
>         DocumentRoot /var/www/html/distrib
>         SSLEngine on
>         SSLCertificateFile /etc/httpd/SSL/distrib.crt
>         SSLCertificateKeyFile /etc/postfix/SSL/server.key
> </VirtualHost>
> <VirtualHost *:443>
>         ServerName mail.mydomain.com
>         DocumentRoot  /usr/local/squirrelmail/www
>         SSLEngine on
>         SSLCertificateFile /etc/httpd/SSL/mail.crt
>         SSLCertificateKeyFile /etc/postfix/SSL/server.key
> </VirtualHost>
>
> The problem is that 2 of them work perfectly and the lock shows up in
> the browser. With the third (public), I get a gray globe indicating
> partial encryption which does not prevent eavesdropping. I have no clue
> how to debug this or even where to look. Can someone point me in the
> right direction? Thanks.
>
Thanks for the reply. Now I'm confused. Doesn't the SSLCertificate
parameter for each VH say which cert to use? Why does it work for 2 of
the VH's but not the 3rd?
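A way to answer that question empirically, as an added example that is not part of the thread: query each vhost name with and without SNI and check whether the certificate the server actually presents covers the name. It assumes an OpenSSL with `s_client -servername` and `x509 -ext` (1.1.1 or later), and the hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: show which certificate an Apache
# name-based SSL vhost presents for a name (with and without SNI) and
# whether that certificate's CN/SAN covers the name. Assumes openssl with
# "s_client -servername" and "x509 -ext" (1.1.1+); hostnames are placeholders.

# name_covered_by CERT_NAME HOST: exact match, or one left-most wildcard
# label (*.foo.com covers tuna.foo.com, not deep.tuna.foo.com or foo.com).
name_covered_by() {
    cert_name=$1; host=$2
    case "$cert_name" in
        "$host") return 0 ;;
        \*.*)
            suffix=${cert_name#\*.}; left=${host%%.*}
            [ -n "$left" ] && [ "$host" = "$left.$suffix" ] && return 0 ;;
    esac
    return 1
}

# cert_covers_host CERT_TEXT HOST: CERT_TEXT is the output of "openssl x509
# -noout -subject -ext subjectAltName"; succeeds if CN or a SAN DNS entry covers HOST.
cert_covers_host() {
    printf '%s\n' "$1" | tr ',/' '\n\n' \
        | sed -n 's/^subject= *//; s/^ *CN *= *//p; s/^ *DNS://p' \
        | { while read -r n; do name_covered_by "$n" "$2" && exit 0; done; exit 1; }
}

# presented_cert HOST PORT [SNI_NAME]: subject and SAN of the certificate
# the server sends; omit SNI_NAME to see what a non-SNI client gets.
presented_cert() {
    host=$1; port=$2; sni=$3
    openssl s_client -connect "$host:$port" ${sni:+-servername "$sni"} </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null
}

# check_vhost HOST: does the SNI-selected certificate cover HOST, and do
# non-SNI clients get a different (default vhost) certificate?
check_vhost() {
    with_sni=$(presented_cert "$1" 443 "$1")
    no_sni=$(presented_cert "$1" 443)
    if cert_covers_host "$with_sni" "$1"; then
        echo "$1: certificate presented with SNI covers the name"
    else
        echo "$1: MISMATCH, certificate presented with SNI does not cover the name"
    fi
    [ "$with_sni" = "$no_sni" ] || echo "$1: non-SNI clients get a different (default vhost) certificate"
}

for h in "$@"; do check_vhost "$h"; done
```

Run it as `sh check_vhosts.sh public.mydomain.com distrib.mydomain.com mail.mydomain.com`; if the SNI-selected certificate already covers the name, the browser's "partial encryption" indicator points at page content loaded over plain http rather than at certificate selection.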
