Hi all,

This morning we migrated 4 of our websites to a new server. Each of these websites uses a certificate for https connections. We've got only one Apache instance running with 4 virtual hosts on 4 different IP-addresses.

This worked fine on the old server. But since the move this morning Apache sends the certificate for the first VirtualHost to all 4 IP-addresses. Two of these sites need an additional SSLCertificateChainFile, and this file is sent *correctly* depending on the IP-address. So Apache does see 4 different VirtualHosts, but somehow ignores the individual SSLCertificateFiles.

Here is the relevant part of httpd.conf for these 4 hosts:

-----
    Listen xxx.xxx.198.62:443
    NameVirtualHost xxx.xxx.198.62:443

    <VirtualHost xxx.xxx.198.62:443>
        SSLEngine On
        SSLCertificateChainFile      chain1
        SSLCertificateFile           crt1
        SSLCertificateKeyFile        key1
    </VirtualHost>

    Listen xxx.xxx.198.61:443
    NameVirtualHost xxx.xxx.198.61:443

    <VirtualHost xxx.xxx.198.61:443>
        SSLEngine On
        SSLCertificateChainFile      chain2
        SSLCertificateFile           crt2
        SSLCertificateKeyFile        key2
    </VirtualHost>

    Listen xxx.xxx.198.63:443
    NameVirtualHost xxx.xxx.198.63:443

    <VirtualHost xxx.xxx.198.63:443>
        SSLEngine On
        SSLCertificateFile           crt3
        SSLCertificateKeyFile        key3
    </VirtualHost>

    Listen xxx.xxx.198.64:443
    NameVirtualHost xxx.xxx.198.64:443

    <VirtualHost xxx.xxx.198.64:443>
        SSLEngine On
        SSLCertificateFile           crt4
        SSLCertificateKeyFile        key4
    </VirtualHost>
-----

The old server is still up and running. I've upgraded Apache on that system to the same version (2.0.58) and copied httpd.conf to that machine. The above configuration somehow works correctly there.

I've been trying to debug this using "openssl s_client -state -connect" and I do see some relevant differences, but I've been unable to interpret them.

I know this report lacks a lot of possibly relevant details. But I didn't want to send the whole httpd.conf and all of the terminal output to this list.

Is there an obvious mistake in my configuration? Or have I stumbled on a bug in Apache 2.0.58?

Kind regards,

Frank.
--
Frank van Beek

WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands

Phone:  +31 (0)20 672 2308
Fax:    +31 (0)20 672 2488

http://www.waxtrapp.com
[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
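
A per-address check for the symptom described in the post, as an added example that is not part of the original message: it maps each VirtualHost address to its SSLCertificateFile and reports every address whose served certificate fingerprint differs from the configured one, naming the vhost that certificate actually belongs to. The 192.0.2.x addresses, the sample configuration and all function names are constructed for illustration.

```python
import hashlib
import re
import ssl

# Constructed sample in the layout of the post (placeholder addresses and file names).
SAMPLE_CONF = """
<VirtualHost 192.0.2.62:443>
    SSLEngine On
    SSLCertificateChainFile      chain1
    SSLCertificateFile           crt1
    SSLCertificateKeyFile        key1
</VirtualHost>
<VirtualHost 192.0.2.61:443>
    SSLEngine On
    SSLCertificateFile           crt2
    SSLCertificateKeyFile        key2
</VirtualHost>
"""

def configured_certs(conf_text):
    """Map each <VirtualHost addr:port> to its SSLCertificateFile value."""
    blocks = re.findall(r"<VirtualHost\s+(\S+)>(.*?)</VirtualHost>",
                        conf_text, re.S | re.I)
    mapping = {}
    for addr, body in blocks:
        # Matches SSLCertificateFile only, not ...ChainFile or ...KeyFile.
        m = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        if m:
            mapping[addr] = m.group(1)
    return mapping

def pem_fingerprint(pem_text):
    """SHA-256 over the DER encoding of one PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()

def served_fingerprint(addr):
    """Fingerprint of the leaf certificate served at 'ip:port' (needs network)."""
    host, port = addr.rsplit(":", 1)
    return pem_fingerprint(ssl.get_server_certificate((host, int(port))))

def find_mismatches(expected, served):
    """Return {addr: owner} for every address serving the wrong certificate.

    expected and served map 'ip:port' to a fingerprint. owner is the address
    whose configured certificate was served, or None if it matches no vhost.
    """
    owners = {fp: addr for addr, fp in expected.items()}
    return {addr: owners.get(served.get(addr))
            for addr in expected if served.get(addr) != expected[addr]}
```

To run it against a live server, build `expected` by applying `pem_fingerprint` to the contents of each configured certificate file and `served` by calling `served_fingerprint` for each address.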
