Hello,

Below is my httpd.conf. I tried to have 2 secure sites;
however, I can only access the second site through port 8000.
Can't I make the second site listen to the standard https
port too? I tried setting the 2nd site but I get connection
refused by server. Please help.

Mignonette Viado

.......
### Section 2: 'Main' server configuration

Port 80
<IfDefine SSL>
Listen 80
Listen 443
Listen IPSITE2:8000
</IfDefine>

User nobody
Group nobody

ServerName IPSITE0
.....
### Section 3: Virtual Hosts

<IfDefine SSL>
<VirtualHost IPSITE1>
DocumentRoot "/home/httpd/site1"
ServerName www.site1.com
.....
SSLCertificateFile /etc/ssl/certs/SITE1.crt
SSLCertificateKeyFile /etc/ssl/private/SITE1.key
SSLCACertificatePath /etc/ssl/certs
.......
</VirtualHost>

<VirtualHost IPSITE2:8000>
DocumentRoot "/home/httpd/site2"
ServerName www.site2.com
......
SSLCertificateFile /etc/ssl/certs/site2.crt
SSLCertificateKeyFile /etc/ssl/private/site2.key
SSLCACertificatePath /etc/ssl/certs
.........

</VirtualHost>

</IfDefine>




On Tue, 24 Oct 2000 06:38:49 -0700 (PDT)
 Merton Campbell Crockett <[EMAIL PROTECTED]> wrote:
> 
> 
> On Mon, 23 Oct 2000, Panon, Paul-Andre wrote:
> 
> > Hello,
> > 
> > I am trying to use multiple name-based virtual hosts with mod_ssl. The
> > system is running Mandrake 7.1 with mod_ssl-2.6.4. The virtual host
> > definitions work fine with one gotcha, the first certificate/private key
> > pair is being used for both virtual hosts.
> 
>   . . .
> 
> > If I try to establish a secure connection to either site1 or site2, then I
> > get the appropriate pages and access for that site based on the document
> > root and the location/directory specific directives. However when I connect
> > to site2, I get a browser error stemming from a name mismatch between the
> > site name and the site certificate. When I check the detailed information
> > for the server certificate, it's showing me the information for the
> > certificate of site1, even though I retrieve the pages for site 2. Can't
> > mod_ssl handle separate certificates for each vhost? If not, then why are
> > the SSLCertificate(Key)File directives used in <VirtualHost> instead of
> > being global?
> 
> 
> Both mod_ssl and its predecessor ssleay can support separate certificates
> for each virtual host.  The catch is that each virtual host must have a
> unique IP address as the entire TCP packet payload is encrypted.
> 
> Were you to use tcpdump or a packet sniffer to look at the network traffic,
> you would be able to view the IP and TCP headers along with the HTTP header
> that is embedded in the TCP packet payload for each virtual host for all
> traffic to or from port 80.
> 
> Once the SSL negotiation is completed, you will discover that you can still
> view the IP and TCP headers but can no longer view the HTTP header that is
> embedded in the TCP packet payload as the entire payload is encrypted.  The
> only clue that you have to decipher the TCP packet payload is the source and
> destination IP addresses and port carried in the packet's IP and TCP
> headers.
> 
> Even on a small site, it would be time consuming to cycle through all of
> your keys to decipher the message digest to discover if it contains the key
> needed to decipher the remainder of the payload correctly.  How do you
> define correct?  Pass Apache the packet for each key pair that you used to
> find which one produced reasonable results?
> 
> The only way to remove ambiguity is to use a unique IP address for each
> virtual host that is using SSL to protect the data that is being
> transmitted.
> 
> This is a gross oversimplification of the process but should give you an
> idea why each virtual host that uses SSL to protect data needs a unique IP
> address and why you see the error that you report.
> 
> Merton Campbell Crockett
> 
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)
> www.modssl.org
> User Support Mailing List
> [EMAIL PROTECTED]
> Automated List Manager
> [EMAIL PROTECTED]

Mignonette Viado
BSS/IMMS CDO
Philweb.Com, Inc.
Tel: +6388-233-3683
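
Added example, not part of the original messages: the layout the quoted reply describes, with each SSL virtual host bound to its own IP address so that both can answer on port 443. IPSITE1 and IPSITE2 are the thread's placeholders, assumed here to be two distinct addresses configured on the server; `SSLEngine on` is an assumption because the posted config elides those lines.

```apache
# Added illustration; IPSITE1 / IPSITE2 stand for two different IP
# addresses that are both configured on this machine (assumption).
<IfDefine SSL>
Listen 80
# One wildcard Listen covers port 443 on every local address, so no
# separate "Listen IPSITE2:443" line is needed.
Listen 443

# The certificate is chosen from the destination IP:port of the
# connection, before any HTTP request (and its Host: header) can be
# read. Two SSL vhosts on the SAME IP:port would therefore both be
# served with the first vhost's certificate, which is the name
# mismatch reported in the quoted message.

<VirtualHost IPSITE1:443>
    ServerName www.site1.com
    DocumentRoot "/home/httpd/site1"
    # Assumed directive; hidden by the "....." in the posted config.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/SITE1.crt
    SSLCertificateKeyFile /etc/ssl/private/SITE1.key
    SSLCACertificatePath  /etc/ssl/certs
</VirtualHost>

<VirtualHost IPSITE2:443>
    ServerName www.site2.com
    DocumentRoot "/home/httpd/site2"
    # Assumed directive, as above.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site2.crt
    SSLCertificateKeyFile /etc/ssl/private/site2.key
    SSLCACertificatePath  /etc/ssl/certs
</VirtualHost>
</IfDefine>

# Check after restarting: connect to each address separately and
# confirm the certificate subject matches the ServerName, e.g.
#   openssl s_client -connect IPSITE2:443
```

DNS for www.site1.com and www.site2.com must resolve to IPSITE1 and IPSITE2 respectively, otherwise clients reach the wrong virtual host and see the other site's certificate.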