Begin forwarded message:

From: "Yngve Nysaeter Pettersen" <yn...@opera.com>
Date: May 25, 2010 5:08:26 AM PDT
To: "Roy T. Fielding" <field...@gbiv.com>
Subject: Apache, mod_ssl, OpenSSL 1.0.0 and the TLS ServerName Indication extension

Hello Roy,

You are most likely not the right person to send this to, so please feel free 
to forward this email to the right person.

OpenSSL 1.0.0 enabled support for the TLS ServerName Indication (SNI) 
extension, and it seems like at least some versions of mod_ssl have been updated 
to use that version and to enable the SNI handling.

Unfortunately it seems like it is a little too easy to incorrectly configure 
the server, possibly due to a missing/incorrect ServerName configuration 
parameter, so the server sends a TLS Unrecognized_Name (112) Warning, even when 
the correct certificate is installed for the server. A current example is 
https://www.verisign.com/ , unless they have fixed the problem.

Opera currently upgrades this Warning to a Fatal error, while other browsers 
apparently ignore it when they send the SNI, so this is causing problems for 
our users.

My guess is that the virtual host, servername and certificate files for servers 
might not be as synchronized and cross-checked as they perhaps should be.



-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer                     Email: yn...@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
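
Added example, not part of the original message: a small Python check that reads the plaintext records of a server's first TLS flight and reports whether it contains the Unrecognized_Name (112) alert as a Warning followed by a continuing handshake (the case described above) or as a Fatal alert. The function names and the sample bytes are constructed for illustration.

```python
import struct

ALERT, HANDSHAKE = 21, 22      # TLS record content types
WARNING, FATAL = 1, 2          # TLS alert levels
UNRECOGNIZED_NAME = 112        # alert description named in the message

def iter_records(data):
    """Yield (content_type, payload) for each complete TLS record in data."""
    pos = 0
    while pos + 5 <= len(data):
        # Record header: 1-byte type, 2-byte version, 2-byte payload length
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        if pos + 5 + length > len(data):
            break                          # truncated capture, stop parsing
        yield ctype, data[pos + 5:pos + 5 + length]
        pos += 5 + length

def classify(data):
    """Classify a server's first plaintext flight by its alert 112 handling."""
    warned = False
    for ctype, payload in iter_records(data):
        if ctype == ALERT and len(payload) >= 2:
            level, description = payload[0], payload[1]
            if description == UNRECOGNIZED_NAME:
                if level == FATAL:
                    return "fatal"
                if level == WARNING:
                    warned = True
        elif ctype == HANDSHAKE and warned:
            # Server warned about the name but carried on with the handshake
            return "warning-then-handshake"
    return "warning-only" if warned else "no-sni-alert"

# Constructed sample bytes (not a capture from any real server)
WARN_ALERT = bytes.fromhex("15030100020170")     # alert, level 1, description 112
FATAL_ALERT = bytes.fromhex("15030100020270")    # alert, level 2, description 112
HELLO_STUB = bytes.fromhex("160301000402000000") # stub handshake record

if __name__ == "__main__":
    for name, flight in [("misconfigured", WARN_ALERT + HELLO_STUB),
                         ("clean", HELLO_STUB),
                         ("rejecting", FATAL_ALERT)]:
        print(name, "->", classify(flight))
```

A server in the "warning-then-handshake" state works for clients that ignore the Warning and fails for clients that treat it as Fatal, which makes it a useful check to run against each virtual host name after a configuration change.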
