httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yehuda Katz <yeh...@ymkatz.net>
Subject Re: [users@httpd] Virtual Hosts and SSL Puzzler
Date Tue, 22 Oct 2013 13:22:09 GMT
On Tue, Oct 22, 2013 at 9:10 AM, Chris Gordon <CGordon@aires.com> wrote:

>  SSL wraps http and you need a cert to decrypt the data sent via SSL.  If
> you have 3 virtual hosts and you are using Name Based Virtual Hosting how
> does the Apache web server know which cert to use to decrypt and read the
> header so it can properly route the data.  The short answer per my
> understanding is that Apache has no clue and uses the default vhost's
> cert (the first one in the confi file) to read the SSL.  If these were all
> the same domain such as tuna.foo.com, seabass.foo.com and marlin.foo.comyou could get
away with using the same *.
> foo.com wildcard cert.   Here is a good doc with these work arounds:
> https://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf
>
> I'm guessing your problem is somewhere in this domain.  I believe that
> Name Based Virtual Hosting is not the answer for you.  Try IP Based:
> http://httpd.apache.org/docs/2.2/vhosts/ip-based.html
>

If that were the case, the browser would show a certificate error on all
but one host, not a partial error on just one of them.
I would go with Pete's answer first (that there might be images or
javascript served from http).


> or use a wildcard cert...  Here is a warning about your config and a
> better explanation I presume:
> http://wiki.apache.org/httpd/NameBasedSSLVHosts
>
> I just ran into this.  Silly me for not realizing that a Web Server that
> routes bases on headers would need to read the encrypted header to route
> it.  Chicken-Egg problem.
>

There is a solution for this which Apache supports: Server Name Indication
(SNI)
This lets the browser send the domain name requested before Apache chooses
a certificate to help it choose the correct one.

See http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

- Y

Mime
View raw message