httpd-users mailing list archives

From Jason Ni <jason.ni...@gmail.com>
Subject Re: [users@httpd] A corner case of Apache SSL SNI usage
Date Thu, 20 Feb 2014 01:57:34 GMT
Thanks Eric. I guess multiple Apache instances can handle this case.


2014-02-19 19:48 GMT+08:00 Eric Covener <covener@gmail.com>:

> On Wed, Feb 19, 2014 at 3:40 AM, Jason Ni <jason.ni.py@gmail.com> wrote:
> > Hello All,
> >
> > I want to configure Apache for this use case:
> >
> > We have more than one virtual hosts with different hostnames. I use name
> > based virtual hosting configuration for these hosts.
> >
> > And I want to give each host 2 ports for HTTPS services. One is for
> > outside service, the other is for internal service.
> >
> > It's possible that we use different SSL keys and certs for internal and
> > outside HTTPS configurations. And clients do check the validity of SSL
> > certificates. So I did a simple test of this configuration.
> >
> > However, in my test case, I find Apache always gives the client the
> > certificate from the first VirtualHost configuration.
> >
> > My test environment is RHEL6.4, Apache2
> >
> > My test configuration is like this:
> >
> > NameVirtualHost and Listen statements are inserted in the ssl.conf file.
> > --------------------------------------------------------
> > NameVirtualHost 192.168.33.10:443
> > NameVirtualHost 192.168.33.10:8443
> > Listen 443
> > Listen 8443
> > --------------------------------------------------------
> >
> > And I created a new file ssldemo.conf in conf.d
> > --------------------------------------------------------------------
> > <VirtualHost 192.168.33.10:8443>
> >     ServerName site1.test.com
> >     SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> > </VirtualHost>
> > <VirtualHost 192.168.33.10:443>
> >     ServerName site1.test.com
> >     SSLCertificateFile /etc/httpd/ssl/sslcert.pem
> > </VirtualHost>
> > --------------------------------------------------------------------
> >
> > When I connect to the Apache server using the URL https://site1.test.com,
> > I get the cert /etc/pki/tls/certs/localhost.crt.
> > Seems Apache server doesn't support this kind of usage, does it?
>
> No, Apache selects the best interface:port match first, then selects
> name-based vhosts and SNI from things that match the set of selected
> interface:port.
>

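Eric's two-stage rule (best interface:port match first, then ServerName/SNI only within that set) written out as a small model, added here as an illustration and not code from the thread or from httpd itself. The site2.test.com block and its certificate path are constructed; the wildcard/_default_ handling and "first listed vhost is the default" behaviour are standard Apache name-based vhost semantics assumed for the model.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class VHost:
    """One <VirtualHost addr:port> block and the names it answers for."""
    addr: str          # an IP address, "*" or "_default_"
    port: int
    server_name: str
    cert: str          # SSLCertificateFile
    aliases: list = field(default_factory=list)   # ServerAlias entries

    def names(self):
        return [self.server_name.lower()] + [a.lower() for a in self.aliases]

def select_vhost(vhosts, local_ip, local_port, sni=None) -> Optional[VHost]:
    """Model of the order Eric describes: pick the best interface:port match
    first, then consult the SNI name only within that set."""
    # Stage 1: an exact IP:port match beats a wildcard (* or _default_) on the
    # same port; vhosts bound to other ports are never considered.
    exact = [v for v in vhosts if v.addr == local_ip and v.port == local_port]
    wild = [v for v in vhosts if v.addr in ("*", "_default_") and v.port == local_port]
    candidates = exact or wild
    if not candidates:
        return None
    # Stage 2: name-based selection inside the chosen set. A client that sends
    # no SNI (or an unknown name) gets the first vhost listed for that addr:port.
    if sni:
        for v in candidates:
            if sni.lower() in v.names():
                return v
    return candidates[0]

def served_cert(vhosts, local_ip, local_port, sni=None) -> Optional[str]:
    v = select_vhost(vhosts, local_ip, local_port, sni)
    return v.cert if v else None

# Jason's two blocks, in the order he listed them, plus a constructed
# site2.test.com block on 443 to exercise the name-based stage.
VHOSTS = [
    VHost("192.168.33.10", 8443, "site1.test.com", "/etc/pki/tls/certs/localhost.crt"),
    VHost("192.168.33.10", 443, "site1.test.com", "/etc/httpd/ssl/sslcert.pem"),
    VHost("192.168.33.10", 443, "site2.test.com", "/etc/httpd/ssl/site2.pem"),  # constructed
]

if __name__ == "__main__":
    for port, sni in [(443, "site1.test.com"), (8443, "site1.test.com"),
                      (443, "site2.test.com"), (443, None)]:
        print(f"{port:>5} sni={sni!s:<15} -> {served_cert(VHOSTS, '192.168.33.10', port, sni)}")
```

Under this model the 443 and 8443 blocks never compete, so a connection to port 443 with SNI site1.test.com is answered by the sslcert.pem block; a client that omits SNI falls back to whichever vhost is listed first for that address:port.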