Subject: Re: [users@httpd] wrong certs
From: Jan Vávra <vavra@602.cz>
To: users@httpd.apache.org
Date: Thu, 24 Oct 2013 12:52:30 +0200
This is not a bug but a SNI feature (http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI).
Check if you have not defined
NameVirtualHost *:424
NameVirtualHost *:444
Jan.



Try your same config but use A for the ServerName in both VirtualHost sections. Based on what I've seen, you should then get 1.crt from either port, and never get 2.crt, which seems like a bug.


On Wed, Oct 23, 2013 at 3:14 AM, Jan Vávra <vavra@602.cz> wrote:
Hello,
It is obvious you are using port based virtual host. My question was for assuring you have configured basics well.
So I suppose you have:


Listen *:424 https
<VirtualHost *:424>
ServerName A
SSLCertificateFile 1.crt
SSLCertificateKeyFile 1.key

#and probably also
SSLCertificateChainFile chain.crt

</VirtualHost>


I have made a test and it works fine.
I do not use wildcards, I directly specify the IP address.

Listen 424 https
Listen 444 https
<VirtualHost 192.168.1.211:424>
ServerName A
SSLCertificateFile 1.crt
SSLCertificateKeyFile 1.key
</VirtualHost>

<VirtualHost 192.168.1.211:444>
ServerName B
SSLCertificateFile 2.crt
SSLCertificateKeyFile 2.key
</VirtualHost>

and in my hosts file there are records
192.168.1.211 A
192.168.1.211 B

Try to call httpd -S. In my case it shows
VirtualHost configuration:
....
192.168.1.211:424      A (1.conf)
192.168.1.211:444      B (2.conf)

For A and B I use some real names, e.g. www.mycompany1.cz, www.mycompany2.cz.

Do you even know about name based virtual https host?
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
Most clients support this and I use it in production.

Jan

The certificates are specified in port based virtual hosts, there is no NameVirtualHost here. So I would expect the specified certificate to be served on the corresponding port no matter what host header was passed.


On Tue, Oct 22, 2013 at 4:50 PM, Jan Vávra <vavra@602.cz> wrote:
Hello.
For sure, have you not forgotten specifying option SSLCertificateKeyFile?
What is the URL you are using?
If you use https://localhost:424 instead of https://a:424, you can get weird results.

I can also try it, if your problem persists. My last several years are full of creating and using certificates ;-)

Jan.


If two virtual hosts on different ports specify different certificate files, but use the same ServerName, both ports use the same certificate. Is this expected behavior?


With this config:

Listen *:424 https
<VirtualHost *:424>
ServerName A
SSLCertificateFile 1.crt
</VirtualHost>

Listen *:444 https
<VirtualHost *:444>
ServerName A
SSLCertificateFile 2.crt
</VirtualHost>

connecting to either 424 or 444, I get cert 1.

With this config:

Listen *:424 https
<VirtualHost *:424>
ServerName A
SSLCertificateFile 1.crt
</VirtualHost>

Listen *:444 https
<VirtualHost *:444>
ServerName B
SSLCertificateFile 2.crt
</VirtualHost>

connecting to 424 gets me cert 1, and connecting to 444 gets me cert 2.




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
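The thread never says which client, and which SNI name, produced "cert 1 on both ports", yet that is exactly what separates the port-based explanation from the SNI one. The probe below is an added example, not code from any of the posts: it connects to each port once without SNI and once per candidate ServerName, fingerprints the certificate each handshake returns, and reports whether the certificate follows the port, the SNI name, or neither. The host 192.168.1.211, ports 424/444 and names A/B are taken from the thread; the verdict labels are this script's own assumption.

```python
import hashlib
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated upper-case hex."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fetch_server_cert(host, port, server_name=None, timeout=5.0):
    """DER leaf certificate presented by host:port; server_name=None sends no SNI."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we only inspect the certificate, we do not trust it
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)

def probe(host, ports, names):
    """Probe every port once without SNI and once per candidate ServerName."""
    results = {}
    for port in ports:
        for name in (None, *names):
            try:
                results[(port, name)] = fingerprint(fetch_server_cert(host, port, name))
            except (OSError, ssl.SSLError) as exc:
                results[(port, name)] = f"error: {exc}"
    return results

def classify(results):
    """Turn {(port, sni_or_None): fingerprint} into a verdict on how certs are chosen."""
    by_port = {}
    for (port, _name), fp in results.items():
        if not fp.startswith("error:"):
            by_port.setdefault(port, set()).add(fp)
    if not by_port:
        return "no-data"
    if any(len(fps) > 1 for fps in by_port.values()):
        return "name-based"   # the SNI name changed the cert on at least one port
    per_port = {next(iter(fps)) for fps in by_port.values()}
    if len(per_port) == 1:
        return "single-cert"  # what the thread reports: 1.crt on both 424 and 444
    # each port serves its own cert regardless of SNI, or some ports share one
    return "port-based" if len(per_port) == len(by_port) else "mixed"

if __name__ == "__main__":
    res = probe("192.168.1.211", [424, 444], ["A", "B"])  # assumed target, taken from the thread
    for key, fp in sorted(res.items(), key=str):
        print(key, fp)
    print("verdict:", classify(res))
```

Compare the output with `httpd -S`: a "single-cert" verdict while the two vhosts list different SSLCertificateFile values means the TLS handshake is not selecting the vhost by port alone.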