Full_Name: Jay Soffian
Version: mod_ssl-2.0.13-1.3.3
OS: SunOS cimedia.com 5.5.1 Generic_103640-14 sun4u sparc sun4u
Submission from: redshift.cimedia.com (208.147.172.222)


There appears to be a bug when using name-based virtual hosts in
combination with mod_ssl. From what I can tell, Apache is presenting
the wrong certificate when connecting to a name-based host.

In our scenario, we have a total of 4 virtual hosts + the main
server. Two of the virtual hosts are running on port 80 and
have SSL disabled. The other two virtual hosts are running on
port 443 and have SSL enabled. Regardless of which virtual host
we connect to on port 443 (or if we connect to the main server
on port 443), we get the certificate from the virtual host that
is defined first in the config file.

Our config looks like so:

Listen 10.0.0.1:80
Listen 10.0.0.1:443
ServerName mainserver.cimedia.com

SSLDisable
SSLCacheServerPath      /usr/local/libexec/apache/ssl_gcache
SSLCacheServerPort      /home/httpd/etc/new.gcache_port
SSLLogFile              logs/ssl_log
SSLVerifyClient 0
SSLVerifyDepth 0
SSLSessionCacheTimeout 300

...

NameVirtualHost 10.0.0.1:80
NameVirtualHost 10.0.0.1:443

<VirtualHost mainserver.cimedia.com>
...
</VirtualHost>

<VirtualHost firstvirtualhost.cimedia.com>
...
</VirtualHost>

<VirtualHost 10.0.0.1:443>
ServerName firstvirtualhost.cimedia.com
SSLEnable
SSLRequireSSL
SSLCertificateFile      /home/httpd/conf/ssl/firstvirtualhost.crt
SSLCertificateKeyFile   /home/httpd/conf/ssl/firstvirtualhost.key
...
</VirtualHost>

<VirtualHost secondvirtualhost.cimedia.com>
...
</VirtualHost>

<VirtualHost 10.0.0.1:443>
ServerName secondvirtualhost.cimedia.com
SSLEnable
SSLRequireSSL
SSLCertificateFile      /home/httpd/conf/ssl/secondvirtualhost.crt
SSLCertificateKeyFile   /home/httpd/conf/ssl/secondvirtualhost.key
...
</VirtualHost>


Regardless of whether we connect to 

https://mainserver.cimedia.com
https://firstvirtualhost.cimedia.com
https://secondvirtualhost.cimedia.com

we are presented with the certificate specified in firstvirtualhost,
which causes Netscape to present a warning dialog about a mismatch
between the common name and the site name. Apache is matching
the correct virtual host otherwise, though, because once you click away
the warning dialog you are connected to the correct virtual host.

The hosts on port 80 all work correctly as well.

Thanks for your help.


______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
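
An added example, not part of the original message or of mod_ssl: a small lint that flags the layout shown in the config above, where several SSL-enabled <VirtualHost> blocks share one address:port but name different certificate files. The server has to choose its certificate during the SSL handshake, before the HTTP Host header arrives, so on a server without SNI only one of those certificates can be presented. The sample config and its host names are constructed; addresses are compared as literal strings and a block without SSLEnable is assumed to have SSL off.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the layout in the report (names and paths invented).
SAMPLE_CONF = """\
NameVirtualHost 10.0.0.1:443
<VirtualHost 10.0.0.1:80>
ServerName plain.example.test
</VirtualHost>
<VirtualHost 10.0.0.1:443>
ServerName first.example.test
SSLEnable
SSLCertificateFile /conf/ssl/first.crt
</VirtualHost>
<VirtualHost 10.0.0.1:443>
ServerName second.example.test
SSLEnable
SSLCertificateFile /conf/ssl/second.crt
</VirtualHost>
"""
FIELDS = {"servername": "name", "sslcertificatefile": "cert"}

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: addr, name, ssl, cert."""
    vhosts, cur = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            cur = {"addr": m.group(1).strip(), "name": None, "ssl": False, "cert": None}
        elif line.lower().startswith("</virtualhost"):
            if cur is not None:
                vhosts.append(cur)
            cur = None
        elif cur is not None:
            key, *rest = line.split(None, 1)
            key = key.lower()
            if key in ("sslenable", "ssldisable"):
                cur["ssl"] = key == "sslenable"
            elif key in FIELDS:
                cur[FIELDS[key]] = rest[0] if rest else ""
    return vhosts

def shared_ssl_addresses(vhosts):
    """Map address -> [(ServerName, cert)] where SSL vhosts on it use different certs."""
    by_addr = defaultdict(list)
    for v in (v for v in vhosts if v["ssl"]):
        by_addr[v["addr"]].append((v["name"], v["cert"]))
    return {a: vs for a, vs in by_addr.items() if len({c for _, c in vs}) > 1}
```

Calling shared_ssl_addresses(parse_vhosts(text)) on a real config returns an empty dict when every SSL virtual host has its own address:port or shares a single certificate.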
