From owner-freebsd-isp Wed Dec 6 18:07:37 2000
From owner-freebsd-isp@FreeBSD.ORG Wed Dec 6 18:07:35 2000
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by hub.freebsd.org (Postfix) with ESMTP id B324537B400 for ; Wed, 6 Dec 2000 18:07:33 -0800 (PST)
Received: from localhost (ryan@localhost) by ren.sasknow.com (8.9.3/8.9.3) with ESMTP id UAA27156 for ; Wed, 6 Dec 2000 20:07:25 -0600 (CST) (envelope-from ryan@sasknow.com)
Date: Wed, 6 Dec 2000 20:07:25 -0600 (CST)
From: Ryan Thompson
To: freebsd-isp@freebsd.org
Subject: Annoying problem with apache-modssl certs
Message-ID:
Organization: SaskNow Technologies [www.sasknow.com]
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hey all... Hope someone has seen this before...

I've got an apache-modssl server (apache 1.3.9, mod-ssl 2.4.9, openssl 0.9.4) running under FreeBSD 3.4. A default entry is configured, using "server.crt" and "server.key", on a default server name.

www.virtual1.tld

I successfully added one virtual host, "virtual1.crt" / "virtual2.key". (Yes, I use a better naming convention than this :-) Actually, that site has been up for a while.

www.virtual2.tld

Now, on the same server, I desired to add another virtual host. So, after generating the key, csr, and obtaining a signed .crt (Thawte), as I have always done, and adding another virtual host entry on the same IP/port 443 in httpd.conf, and restarting the secure server, the following happens:

When I access https://www.virtual2.tld/ , I see virtual1's certificate (i.e., the browser complains that the certificate is signed and valid, but the common name doesn't match the site name). In fact, the certificate is the one for www.virtual1.tld. https://www.virtual1.tld/ and the default server work fine.

If I accept the certificate for virtual2.tld, I actually see the correct page for https://www.virtual2.tld/. (I.e., a static .html page containing "Welcome to www.virtual2.tld" :-)

Thinking that a bit strange, I swapped the order of the virtual1 and virtual2 sections. (So, virtual2 was listed first). The same thing happened, only differently :-)

Accessing http://www.virtual2.tld/ (listed first in httpd.conf) correctly used virtual2.tld's certificate. Accessing http://www.virtual1.tld/ (listed last in httpd.conf) incorrectly used virtual1.tld's certificate.

So, to sum this up, it appears as though:

o My virtual host setup is correct insofar as apache will return the correct index page depending on the server name requested by the client.

o Apache refuses to use anything but the FIRST certificate within the FIRST directive.

Strange...?

--
Ryan Thompson
Network Administrator, Accounts
SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
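The behaviour in the post is what name-based SSL virtual hosts on a single IP:port do: the server must pick a certificate during the SSL handshake, before the HTTP Host header arrives, so only the first vhost's certificate is ever presented (Apache 1.3 with mod_ssl 2.4 has no SNI, so even a modern client's server name hint would not help). The following diagnostic is an added example, not code from the post or from Apache or mod_ssl: it checks whether the certificate a server presents actually covers the hostname being visited, over a constructed certificate dict in the shape Python's `ssl` module returns, plus a hypothetical `fetch_peer_cert` helper for querying a live server.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, standing in
# for the virtual1 certificate the poster saw on https://www.virtual2.tld/ (hypothetical).
VIRTUAL1_CERT = {
    "subject": ((("countryName", "CA"),), (("organizationName", "Example Org"),),
                (("commonName", "www.virtual1.tld"),)),
    "subjectAltName": (("DNS", "www.virtual1.tld"),),
}


def cert_names(cert):
    """Every DNS name a certificate claims: subjectAltName entries, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive comparison; a leading '*.' label matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def diagnose(expected_host, cert):
    """None if the certificate covers expected_host, otherwise a one-line finding."""
    names = cert_names(cert)
    if any(name_matches(n, expected_host) for n in names):
        return None
    return (f"{expected_host} was served a certificate for {', '.join(names)}: "
            "SSL vhosts sharing one IP:port cannot be selected by hostname")


def fetch_peer_cert(ip, port=443, servername=None):
    """Connect to ip:port and return the presented certificate as getpeercert() does.
    Chain verification against the system CA store is kept (CA-signed certs like the
    poster's Thawte one validate; getpeercert() returns {} for unverified peers); only
    the hostname check is disabled so a mismatched certificate can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            return tls.getpeercert()
```

Running `diagnose("www.virtual2.tld", fetch_peer_cert(shared_ip))` against a server like the poster's reproduces the browser's complaint regardless of which vhost is meant, which is the signature of this misconfiguration rather than a bad certificate.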