This makes sense to me. Mounir IDRASSI talked about the SNI which made sense but the solution was not an option. Your suggestion is a little complex to setup in my load balancer, but very doable and does not create a OS or Browser requirement.
I am very new to this list but you guys rock, I guess I was expecting the typical list responses, not intellegent ones like you guys gave. Thank you. Richard L. Buskirk Senior Software Developer Indatus -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm Sent: Friday, July 16, 2010 10:07 AM To: openssl-users@openssl.org Subject: Re: Issue with clients Operating System on certs On 16-07-2010 15:31, Richard Buskirk wrote: > I sent this situation off to the help team but maybe it is either that stupid > or that hard. > > I have installed 2 SSL Certs on my server. > I am using a naming convention for apache configuration for each cert. > > Server: Windows server 2008, Apache/2.2.14 (Win32) mod_ssl/2.2.14 > OpenSSL/0.9.8k PHP/5.2.11 > > httpd-vhost.conf > ___________________________ > NameVirtualHost *:443 > <VirtualHost *:443> > SSLEngine on > SSLCertificateFile "C:\\certs\\ServerA.crt" > SSLCertificateKeyFile "C:\\certs\\ ServerA.key" > ServerName www. ServerA.com > SSLOptions StrictRequire > SSLProtocol all -SSLv2 > ServerAdmin notice@ ServerA.com > DocumentRoot "C:\\Program Files (x86)\\Apache Software > Foundation\\Apache2.2\\www\\html\\ ServerA " > ErrorLog "C:\\Program Files (x86)\\Apache Software > Foundation\\Apache2.2\\logs\\ssl-access- ServerA.log" > CustomLog "logs/access-ssl-www. ServerA.com" common > </VirtualHost> > > > <VirtualHost *:443> > SSLEngine on > SSLCertificateFile "C:\\certs\\ ServerB.crt" > SSLCertificateKeyFile "C:\\certs\\ ServerB.key" > ServerName www. ServerB.com > SSLOptions StrictRequire > SSLProtocol all -SSLv2 > ServerAdmin notice@ ServerB.com > DocumentRoot "C:\\Program Files (x86)\\Apache Software > Foundation\\Apache2.2\\www\\html\\ ServerB " > ErrorLog "C:\\Program Files (x86)\\Apache Software > Foundation\\Apache2.2\\logs\\ssl-access- ServerB.log" > CustomLog "logs/access-ssl-www. ServerB.com" common > </VirtualHost> > > > Here is where my senerio goes very weird. A computer with windows 7 browses > to both location and everything is perfect. > A computer with windows XP browses to the siteA no issue. But if they go to > siteB, the cert for Site A is used on SiteB's load every time no matter what > computer they are on. > The siteB does show the proper site but the cert is the wrong cert. This > fails in Firefox, IE, Safari, Google Chrome on windows XP. > > > > Any suggestions ? > Does this make sense what I am saying? > It looks like you are trying to serve up two different certificates on the same IP address (all addresses of your sever=*) and port (443), depending on the DNS name the browser used to locate the server. This is a very recent extension to the SSL/TLS protocols and is probably only implemented by a few very new browsers, such as the IE version in Windows 7. Older browsers not implementing this recent standard just have no way of telling the server which certificate they want, and so the server uses the first one in its configuration. There are two standard solutions to this problem (until most of the worlds SSL clients implement the extensions): A) Give your server two IP addresses (such as 10.0.0.1 and 10.0.0.2), make www.ServerA.com point to 10.0.0.1 and www.ServerB.com point to 10.0.0.2. Finally, in your Apache config, specify those addresses in place of the * for the different configurations. Benefit: Traditional. Problem: Uses more IPv4 addresses. B) Get the CA to issue a single certificate valid for both server names (e.g. by specifying both names in various certificate fields). Then tell Apache to do normal virtual hosting but with a single SSL certificate. Benefit: Uses only one IPv4 address per server. Problem: Not all combinations of server names can be combined in a single certificate if compatibility with many browser implementations is needed. Others on this list can probabably say which combinations are technically possible, and how. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
