This behavior sounds like you have only one IP address shared among your
virtual hosts, and I can't tell otherwise from your description.

The FAQ explains why you need separate IPs; basically the certificate
negotiation takes place BEFORE the HTTP headers pass the Host: line for
discrimination among virtual hosts that share an IP.  If this were not the
case, the browser headers would be passed in cleartext.

So in your case, the certificate is already cached by your browser, so you
get the connection, and afterwards, mod_ssl learns that the certificate
does not match the VirtualHost being suggested by the HTTP headers, then
displays the correct host to match the certificate.

On Wed, 16 Feb 2000, Randy Lee wrote:

> Didn't get any takers on this so far, so I'll pose the question again
> and hope to get one this time:
> 
> 
> -------- Original Message --------
> Subject: CN not server name
> Date: Fri, 11 Feb 2000 08:09:10 -0600
> To: [EMAIL PROTECTED]
> 
> I've got a problem that I'm not sure is mod_ssl or apache going on here:
> 
> I have a server named x.dom1.com that is hosting several virtual domains.
> 
> If I have 
> 
> <VirtualHost IP:443>
> ServerName x.dom2.com
> ...
> </VirtualHost>
> 
> and I have x.dom2.com in the Thawte cert (test fortunately), life is
> cool outside of Netscape not knowing about test certs.
> 
> If I add another virtual host (before this in the list) and hit
> https://x.dom2.com
> 
> <VirtualHost IP:443>
> ServerName x.dom1.com
> ...
> </VirtualHost>
> 
> I get a log error in the x.dom1.com error log that sez
> 
> [Fri Feb 11 07:54:41 2000] [error] mod_ssl: SSL handshake failed
> xxx.xxx.xxx, server x.dom1.com:443) (OpenSSL library error follows)
> [Fri Feb 11 07:54:41 2000] [error] OpenSSL: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN
> in certificate not server name!?]
> 
> but I get all the pages in x.dom2.com
> 
> I also, then get that the cert was from x.dom1.com when I ask Netscape
> about this cert being presented.
> 
> I'm confused. Someone have an antidote?
> 
> Randy Lee
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
> 
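
The shared-address setup discussed in this thread can be caught before deployment. The following Python is an added example, not part of the original messages or of mod_ssl: it scans Apache configuration text for SSL virtual hosts that share one address:port and reports which ServerName's certificate ends up presented for the others. The function names, the 192.0.2.x addresses and the presence of `SSLEngine on` inside each block are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the thread: two SSL vhosts on one address.
SHARED_IP_CONF = """
<VirtualHost 192.0.2.10:443>
ServerName x.dom1.com
SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName x.dom2.com
SSLEngine on
</VirtualHost>
"""

# Constructed corrected layout: each certificate gets its own address.
SEPARATE_IP_CONF = SHARED_IP_CONF.replace(
    "192.0.2.10:443>\nServerName x.dom2.com",
    "192.0.2.11:443>\nServerName x.dom2.com",
)

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost\s*>", re.I | re.S)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.I | re.M)
SSL_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.I | re.M)

def ssl_vhosts_by_address(conf_text):
    """Map each address:port to the ServerNames of its SSL vhosts, in file order."""
    groups = defaultdict(list)
    for addr, body in VHOST_RE.findall(conf_text):
        name = NAME_RE.search(body)
        if name and SSL_RE.search(body):
            groups[addr].append(name.group(1).lower())
    return groups

def find_shared_ip_conflicts(conf_text):
    """Return (address, served_name, shadowed_names) for each shared SSL address.

    The handshake finishes before the Host: header is read, so the first vhost
    listed for an address supplies the certificate for every name on it.
    """
    conflicts = []
    for addr, names in ssl_vhosts_by_address(conf_text).items():
        shadowed = [n for n in names[1:] if n != names[0]]
        if shadowed:
            conflicts.append((addr, names[0], shadowed))
    return conflicts

if __name__ == "__main__":
    for addr, served, shadowed in find_shared_ip_conflicts(SHARED_IP_CONF):
        print(f"{addr}: certificate for {served} is also presented for {', '.join(shadowed)}")
```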

