On Mon, 23 Oct 2000, Panon, Paul-Andre wrote:

> Hello,
> 
> I am trying to use multiple name-based virtual hosts with mod_ssl. The
> system is running Mandrake 7.1 with mod_ssl-2.6.4. The virtual host
> definitions work fine with one gotcha: the first certificate/private key pair
> is being used for both virtual hosts.

  . . .

> If I try to establish a secure connection to either site1 or site2, then I
> get the appropriate pages and access for that site based on the document
> root and the location/directory specific directives. However, when I connect
> to site2, I get a browser error stemming from a name mismatch between the
> site name and the site certificate. When I check the detailed information
> for the server certificate, it's showing me the information for the
> certificate of site1, even though I retrieve the pages for site2. Can't
> mod_ssl handle separate certificates for each vhost? If not, then why are
> the SSLCertificate(Key)File directives used in <VirtualHost> instead of
> being global?


Both mod_ssl and its predecessor ssleay can support separate certificates
for each virtual host.  The catch is that each virtual host must have a
unique IP address as the entire TCP packet payload is encrypted.

Were you to use tcpdump or a packet sniffer to look at the network traffic,
you would be able to view the IP and TCP headers along with the HTTP header 
that is embedded in the TCP packet payload for each virtual host for all
traffic to or from port 80.

Once the SSL negotiation is completed, you will discover that you can still
view the IP and TCP headers but can no longer view the HTTP header that is
embedded in the TCP packet payload, as the entire payload is encrypted.  The
only clue that you have to decipher the TCP packet payload is the source and
destination IP addresses and port carried in the packet's IP and TCP
headers.

Even on a small site, it would be time consuming to cycle through all of
your keys to decipher the message digest to discover if it contains the key
needed to decipher the remainder of the payload correctly.  How do you
define correct?  Pass Apache the packet for each key pair that you used to
find which one produced reasonable results?

The only way to remove ambiguity is to use a unique IP address for each
virtual host that is using SSL to protect the data that is being
transmitted.

This is a gross oversimplification of the process but should give you an
idea why each virtual host that uses SSL to protect data needs a unique IP
address and why you see the error that you report.

Merton Campbell Crockett
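The layout the reply recommends, written out as an added example (not configuration from the thread or from the mod_ssl project): the name-based form that produces the reported symptom first, then one IP address per SSL virtual host so mod_ssl can select the certificate from the destination address alone. The IP addresses, hostnames and file paths are assumed.

```apache
# --- Broken: two SSL vhosts on the same IP address ---
# Both vhosts match 192.0.2.10:443. The server must pick a certificate
# before it can read the encrypted Host: header, so the first vhost's
# certificate is presented for site2 as well (the name mismatch above).
#
# NameVirtualHost 192.0.2.10:443
# <VirtualHost 192.0.2.10:443>
#     ServerName site1.example.com
#     SSLCertificateFile    /etc/httpd/conf/ssl.crt/site1.crt
#     SSLCertificateKeyFile /etc/httpd/conf/ssl.key/site1.key
# </VirtualHost>
# <VirtualHost 192.0.2.10:443>
#     ServerName site2.example.com
#     SSLCertificateFile    /etc/httpd/conf/ssl.crt/site2.crt
#     SSLCertificateKeyFile /etc/httpd/conf/ssl.key/site2.key
# </VirtualHost>

# --- Corrected: one IP address per SSL vhost (assumed addresses) ---
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName   site1.example.com
    DocumentRoot /var/www/site1
    SSLEngine on
    # Certificate and key for site1 only (assumed paths)
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/site1.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/site1.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName   site2.example.com
    DocumentRoot /var/www/site2
    SSLEngine on
    # Certificate and key for site2 only (assumed paths)
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/site2.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/site2.key
</VirtualHost>
```

After restarting, connecting to each address separately should show the matching certificate subject; plain-HTTP name-based vhosts on port 80 can keep sharing one address, since their Host: header is still readable.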

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]