httpd-users mailing list archives

From "linux.il" <linux...@gmail.com>
Subject Re: [users@httpd] TLS 1.1 and 1.2 and SNI support
Date Mon, 23 May 2016 14:44:45 GMT
On Mon, May 23, 2016 at 5:31 PM, Eric Covener <covener@gmail.com> wrote:

> On Mon, May 23, 2016 at 10:27 AM, linux.il <linux.il@gmail.com> wrote:
> > I'm using the same "curl" and "wget" for testing. As far as I disable
> > TLS v1.0, I get "curl: (35) SSL connect error" and
> > "ERROR: certificate common name “mydefault-ssl-vhost-name” doesn’t match
> > requested host name “my-vhost-name”"
> > in wget.
> > BTW, similar issue reported here
> > http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure
>
> Some context re: your vhost configuration and certificate names would
> probably help here.
>
Sure, and thank you again.

1) httpd -S:
*:443                  is a NameVirtualHost
         default server example.co.uk (/etc/httpd/conf.d/25-example.co.uk-https.conf:6)
         port 443 namevhost example.co.uk (/etc/httpd/conf.d/25-example.co.uk-https.conf:6)
                 alias www.example.co.uk
         port 443 namevhost example.com (/etc/httpd/conf.d/25-example.com-https.conf:6)
                 alias www.example.com


2) example.co.uk vhost:
SSLEngine on
  SSLCertificateFile      "/etc/httpd/certs/uknew/example.co.uk.crt"
  SSLCertificateKeyFile   "/etc/httpd/certs/uknew/example.co.uk.key"
  SSLCertificateChainFile "/etc/httpd/certs/uknew/uk_chained"
  SSLCACertificatePath    "/etc/pki/tls/certs"
  SSLProtocol             All -SSLv2 -SSLv3 -TLSv1

3) example.com vhost:
SSLEngine on
  SSLCertificateFile      "/etc/httpd/certs/new/EXAMPLE.com.crt"
  SSLCertificateKeyFile   "/etc/httpd/certs/new/server.key"
  SSLCertificateChainFile "/etc/httpd/certs/new/combundle.crt"
  SSLCACertificatePath    "/etc/pki/tls/certs"
  SSLProtocol             All -SSLv2 -SSLv3 -TLSv1
  SSLCipherSuite          HIGH:MEDIUM:!aNULL:!MD5:!RC4

Issue:
When the default SSL vhost config includes "-TLSv1" we have:

wget   https://example.com
--2016-05-23 17:40:29--  https://example.com/
Resolving example.com... x.x.x.x
Connecting to example.com|x.x.x.x|:443... connected.
ERROR: certificate common name “www.example.co.uk” doesn’t match requested host name “example.com”.
To connect to example.com insecurely, use ‘--no-check-certificate’.
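The symptom above is the server answering a request for example.com with the default vhost's certificate. A quick way to pin that down is to connect with an explicit SNI name, refuse anything older than TLS 1.2 so the probe cannot silently fall back, and then compare the presented certificate's names against the name that was requested. The script below is an added example written for this thread, not code from the poster or from the httpd project; the probe() function, its parameters, and the constructed DEFAULT_VHOST_CERT sample (shaped like the dict Python's ssl module returns from getpeercert()) are all assumptions of the example.

```python
import socket
import ssl
import sys


def cert_names(cert):
    """Return the hostnames a certificate covers: every DNS SAN, or the
    CN only when the certificate carries no SAN extension at all (the
    legacy fallback that wget's error message above is reporting on)."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a wildcard that is the
    whole leftmost label and covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return False


def cert_matches_host(cert, hostname):
    """True when any name in the certificate covers the requested hostname."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def probe(host, port=443, servername=None, min_version=ssl.TLSVersion.TLSv1_2):
    """Handshake with SNI set to `servername` and nothing below `min_version`
    allowed, then report the negotiated protocol and the certificate actually
    presented.  Raises ssl.SSLError when the server cannot meet the floor."""
    servername = servername or host
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    # Keep chain validation but do the hostname check ourselves, so a
    # wrong-vhost certificate is reported instead of aborting the handshake.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=servername) as tls:
            cert = tls.getpeercert()
            return {
                "sni": servername,
                "protocol": tls.version(),
                "cert_names": cert_names(cert),
                "matches": cert_matches_host(cert, servername),
            }


# Constructed sample reproducing the mismatch in the message: the default
# vhost's certificate (www.example.co.uk) handed back for a request to example.com.
DEFAULT_VHOST_CERT = {
    "subject": ((("commonName", "www.example.co.uk"),),),
    "subjectAltName": (("DNS", "www.example.co.uk"), ("DNS", "example.co.uk")),
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python probe.py example.com [www.example.com ...]
        host = sys.argv[1]
        for name in sys.argv[1:]:
            try:
                print(probe(host, servername=name))
            except ssl.SSLError as exc:
                print(f"{name}: handshake failed at the TLS floor: {exc}")
    else:
        # Offline check against the constructed sample.
        for name in ("example.com", "example.co.uk"):
            print(name, "->", cert_matches_host(DEFAULT_VHOST_CERT, name))
```

Run it once per vhost name (and once with a deliberately wrong SNI name) and compare the "cert_names" and "protocol" fields: if a TLS 1.2-only handshake for example.com still returns the example.co.uk names, the server is selecting the default vhost before or instead of honouring SNI, which is a server-side configuration problem rather than a client trust problem.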
