Hi Ron,
R. DuFresne wrote:
I'm sure this has been answered, but in case it has not;
You cannot virtualize https to more than one hostsite, you have to have
real IP addresses for https.
Thanks for your reply.
I understand your confusion. In my post I masked out the first two
numbers of the IP-addresses.
But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned
out (see a previous post), our problem was caused by a misconfigured
reverse DNS.
Frank.
WAXTRAPP BV
van Diemenstraat 366
1013CR Amsterdam
The Netherlands
Phone: +31 (0)20 672 2308
Fax: +31 (0)20 672 2488
http://www.waxtrapp.com
Thanks,
Ron DuFresne
On Wed, 24 May 2006, Frank van Beek wrote:
Hi all,
This morning we migrated 4 of our websites to a new server. Each of
these websites uses a certificate for https connections. We've got
only one Apache instance running with 4 virtual hosts on 4 different
IP-addresses.
This worked fine on the old server. But since the move this morning
Apache sends the certificate for the first VirtualHost to all 4
IP-addresses. Two of these sites need an additional
SSLCertificateChainFile, and this file is sent *correctly* depending
on the IP-address. So Apache does see 4 different VirtualHosts, but
somehow ignores the individual SSLCertificateFiles.
Here is the relevant part of httpd.conf for these 4 hosts:
-
Listen xxx.xxx.198.62:443
NameVirtualHost xxx.xxx.198.62:443
<VirtualHost xxx.xxx.198.62:443>
    SSLEngine On
    SSLCertificateChainFile chain1
    SSLCertificateFile crt1
    SSLCertificateKeyFile key1
</VirtualHost>
Listen xxx.xxx.198.61:443
NameVirtualHost xxx.xxx.198.61:443
<VirtualHost xxx.xxx.198.61:443>
    SSLEngine On
    SSLCertificateChainFile chain2
    SSLCertificateFile crt2
    SSLCertificateKeyFile key2
</VirtualHost>
Listen xxx.xxx.198.63:443
NameVirtualHost xxx.xxx.198.63:443
<VirtualHost xxx.xxx.198.63:443>
    SSLEngine On
    SSLCertificateFile crt3
    SSLCertificateKeyFile key3
</VirtualHost>
Listen xxx.xxx.198.64:443
NameVirtualHost xxx.xxx.198.64:443
<VirtualHost xxx.xxx.198.64:443>
    SSLEngine On
    SSLCertificateFile crt4
    SSLCertificateKeyFile key4
</VirtualHost>
-
The old server is still up and running. I've upgraded Apache on that
system to the same version (2.0.58) and copied httpd.conf to that
machine. The above configuration somehow works correctly there.
I've been trying to debug this using "openssl s_client -state
-connect" and I do see some relevant differences, but I've been unable
to interpret them.
I know this report lacks a lot of possibly relevant details. But I
didn't want to send the whole httpd.conf and all of the terminal
output to this list.
Is there an obvious mistake in my configuration? Or have I stumbled on
a bug in Apache 2.0.58?
Met groet,
Frank.
- -- ~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]
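
Added example, not part of the thread and not code from any poster: a post-migration check that compares the certificate each IP-based VirtualHost is configured to serve with the one actually served there, which is the symptom described above. The function names are hypothetical, and the sample config is constructed (addresses from the 192.0.2.0/24 documentation range, placeholder file names).

```python
import hashlib
import re
import ssl

# Constructed sample modelled on the posted config; the addresses are from
# the documentation range and the file names are placeholders.
SAMPLE_CONF = """
<VirtualHost 192.0.2.62:443>
    SSLEngine On
    SSLCertificateChainFile chain1
    SSLCertificateFile crt1
    SSLCertificateKeyFile key1
</VirtualHost>
<VirtualHost 192.0.2.63:443>
    SSLEngine On
    SSLCertificateFile crt3
    SSLCertificateKeyFile key3
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)
# Matches SSLCertificateFile only, not the ChainFile or KeyFile directives.
CERT_RE = re.compile(r"^\s*SSLCertificateFile\s+(\S+)", re.M | re.I)

def expected_certs(conf_text):
    """Map each <VirtualHost addr:port> to its SSLCertificateFile (None if unset)."""
    result = {}
    for addr, body in VHOST_RE.findall(conf_text):
        match = CERT_RE.search(body)
        result[addr] = match.group(1) if match else None
    return result

def fingerprint(pem):
    """SHA-256 fingerprint of a PEM certificate, computed over its DER bytes."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def served_fingerprint(addr):
    """Fingerprint of the leaf certificate actually served at 'ip:port'.
    No chain validation is done; the point is only to see which cert arrives."""
    host, port = addr.rsplit(":", 1)
    return fingerprint(ssl.get_server_certificate((host, int(port))))

def mismatches(expected_fp, served_fp):
    """Addresses whose served fingerprint differs from the configured one."""
    return sorted(a for a, fp in expected_fp.items() if served_fp.get(a) != fp)
```

To run it against a live server, build `expected_fp` by applying `fingerprint()` to the contents of each configured certificate file and `served_fp` by calling `served_fingerprint()` for each address, then pass both to `mismatches()`.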