From: Ryan Thompson
To: Jim King
Cc: freebsd-isp@freebsd.org
Date: Wed, 6 Dec 2000 20:24:02 -0600 (CST)
Subject: Re: Annoying problem with apache-modssl certs
Organization: SaskNow Technologies [www.sasknow.com]

Jim King wrote to Ryan Thompson:

> This is a limitation of SSL. Named virtual hosts and SSL don't mix. You
> need to give SSL hosts unique IP's.

Ha! Yes, believe it or not, I knew this... I suppose the reason I've never
encountered this problem is because, until now, different SSL hosts have
always been on different IPs :-)

Thanks, Jim, and everyone that has already replied.

- Ryan

>
> ----- Original Message -----
> From: "Ryan Thompson"
> To:
> Sent: Wednesday, December 06, 2000 8:07 PM
> Subject: Annoying problem with apache-modssl certs
>
>
> >
> > Hey all... Hope someone has seen this before...
> >
> > I've got an apache-modssl server (apache 1.3.9, mod-ssl 2.4.9, openssl
> > 0.9.4) running under FreeBSD 3.4.
> >
> > A default entry is configured, using "server.crt" and "server.key", on a
> > default server name.
> >
> > www.virtual1.tld
> > I successfully added one virtual host, "virtual1.crt" / "virtual2.key".
> > (Yes, I use a better naming convention than this :-) Actually, that site
> > has been up for a while.
> >
> > www.virtual2.tld
> > Now, on the same server, I desired to add another virtual host. So, after
> > generating the key, csr, and obtaining signed .crt (Thawte), as I have
> > always done, and adding another virtual host entry on the same IP/port 443
> > in httpd.conf, and restarting the secure server, the following happens:
> >
> > When I access https://www.virtual2.tld/ , I see virtual1's certificate
> > (i.e., the browser complains that the certificate is signed and valid, but
> > the common name doesn't match the site name). In fact, the certificate is
> > the one for www.virtual1.tld.
> >
> > https://www.virtual1.tld/ and the default server work fine.
> >
> > If I accept the certificate for virtual2.tld, I actually see the correct
> > page for https://www.virtual2.tld/. (I.e., a static .html page containing
> > "Welcome to www.virtual2.tld" :-)
> >
> > Thinking that a bit strange, I swapped the order of virtual1 and virtual2
> > sections. (So, virtual2 was
> > listed first). The same thing happened, only differently :-)
> >
> > Accessing http://www.virtual2.tld/ (listed first in httpd.conf) correctly
> > used virtual2.tld's certificate.
> >
> > Accessing http://www.virtual1.tld/ (listed last in httpd.conf) incorrectly
> > used virtual1.tld's certificate.
> >
> >
> > So, to sum this up, it appears as though:
> >   o My virtual host setup is correct insofar as apache will
> >     return the correct index page depending on the server
> >     name requested by the client.
> >   o Apache refuses to use anything but the FIRST certificate
> >     within the FIRST directive.
> >
> > Strange...?
> >
> > --
> > Ryan Thompson
> > Network Administrator, Accounts
> >
> > SaskNow Technologies - http://www.sasknow.com
> > #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
> >
> > Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
> > Toll-Free: 877-727-5669 (877-SASKNOW) North America
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-isp" in the body of the message
> >
>

--
Ryan Thompson
Network Administrator, Accounts

SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America