Re: Running with multiple keys

2000-06-24 Thread Ralf S. Engelschall

On Fri, Jun 23, 2000, Thomas A. Halter wrote:

> How do you run multiple secure domains on the same server?  I tried and it
> was not working and I could find no FAQs or guidance on the subject.  I
> have two sites, with two separate keys and crt's.  Can they run on the same
> server or must they run on separate servers?
> I would appreciate any help that anyone can provide me.

They can be served by the same Apache run-time instance.  All you have to do
is configure separate <VirtualHost> sections for the individual domains. See the
Apache documentation on virtual hosting for details, please.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Running with multiple keys

2000-06-24 Thread Yeak Nai Siew

on 25/6/00 4:41 AM, Ralf S. Engelschall at [EMAIL PROTECTED] wrote:

> On Fri, Jun 23, 2000, Thomas A. Halter wrote:
> 
>> How do you run multiple secure domains on the same server?  I tried and it
>> was not working and I could find no FAQs or guidance on the subject.  I
>> have two sites, with two separate keys and crt's.  Can they run on the same
>> server or must they run on separate servers?
>> I would appreciate any help that anyone can provide me.
> 
> They can be served by the same Apache run-time instance.  All you have to do
> is configure separate <VirtualHost> sections for the individual domains. See the
> Apache documentation on virtual hosting for details, please.
> 

Doesn't it only work with hardware virtual hosting (i.e. one unique IP address
for one SSL site)? The documentation explained the "chicken-and-egg" issue
regarding the SSL implementation. Or perhaps there is now a possible way to
use software virtual hosting (i.e. name-based, one unique IP address for
multiple virtual domains)?


__
Yeak Nai Siew  [NIC:NY628] << Mac OS Forever >> << Linux Forever>>
([EMAIL PROTECTED] | [EMAIL PROTECTED])  http://www.md.com.my/
e-certificate  http://www.brainbench.com/transcript.jsp?pid=120196
AIM: NaiSiew  Chief Technology Officer





Re: Running with multiple keys

2000-06-24 Thread Balazs Nagy

Yeak Nai Siew wrote:
> 
> on 25/6/00 4:41 AM, Ralf S. Engelschall at [EMAIL PROTECTED] wrote:
> 
> > On Fri, Jun 23, 2000, Thomas A. Halter wrote:
> >
> >> How do you run multiple secure domains on the same server?  I tried and it
> >> was not working and I could find no FAQs or guidance on the subject.  I
> >> have two sites, with two separate keys and crt's.  Can they run on the same
> >> server or must they run on separate servers?

1) They must run on the same server.
2) The keys have to have the same password.
3) They need different IPs.

> > They can be served by the same Apache run-time instance.  All you have to do
> > is configure separate <VirtualHost> sections for the individual domains. See the
> > Apache documentation on virtual hosting for details, please.
> 
> Doesn't it only work with hardware virtual hosting (i.e. one unique IP address
> for one SSL site)? The documentation explained the "chicken-and-egg" issue
> regarding the SSL implementation. Or perhaps there is now a possible way to
> use software virtual hosting (i.e. name-based, one unique IP address for
> multiple virtual domains)?

There is no hardware vs. software virtual hosting (the same network card will
do for all IPs). The SSL handshake has to take place before the HTTP request is
passed to the server, in order to secure the content of the request (it can
contain sensitive info). Therefore if the same IP has several virtual secure
sites, there is no way for the server to know which one was called at the time
of the handshake. Note that you still can have as many non secure sites for the
same IP as you want.

Some people on this list did experiment with passing the servername during the
handshake. I haven't heard anyone reporting success. Anyone?


Re: Running with multiple keys

2000-06-25 Thread Mads Toftum

On Sat, Jun 24, 2000 at 10:55:17PM -0600, Balazs Nagy wrote:

[SNIP]
> 2) The keys have to have the same password.

There should be no problem using different passwords.

[SNIP] 
> 
> Some people on this list did experiment with passing the servername during the
> handshake. I haven't heard anyone reporting success. Anyone?

If I remember it correctly, then there was some talk about extending the TLS
standard to handle that - but AFAIK nothing like that has happened in openssl. 

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall

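The certificate-selection problem described in the two messages above (the handshake runs before any Host: header exists, and the TLS extension Mads mentions) as an added example that is not part of this thread: a small Python model that parses a ClientHello for the server_name (SNI) extension, later standardized in RFC 3546 and RFC 6066, and shows that a client which does not send it leaves the server with nothing but the destination IP to choose a certificate by. The vhost-to-certificate mapping, the IP addresses and the ClientHello bytes are all constructed for the example.

```python
import struct

SNI_EXT = 0  # TLS extension type "server_name" (RFC 6066)

# Constructed vhost layout: a.example and b.example share 192.0.2.10 (name-based),
# c.example has its own address (IP-based). Cert names are placeholders.
BY_IP = {"192.0.2.10": "cert-a.example", "192.0.2.11": "cert-c.example"}
BY_NAME = {"a.example": "cert-a.example", "b.example": "cert-b.example",
           "c.example": "cert-c.example"}

def build_client_hello(server_name=None):
    """Minimal TLS ClientHello (constructed); a pre-SNI client omits extensions."""
    body = b"\x03\x01" + bytes(32)                  # client_version, random
    body += b"\x00"                                  # session_id: empty
    body += b"\x00\x02\x00\x2f"                      # one cipher suite
    body += b"\x01\x00"                              # compression: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry            # ServerNameList
        ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length

def extract_sni(client_hello):
    """Return the host_name from the SNI extension, or None if the client sent none."""
    p = 4 + 2 + 32                                           # header, version, random
    p += 1 + client_hello[p]                                 # session_id
    p += 2 + struct.unpack("!H", client_hello[p:p + 2])[0]   # cipher_suites
    p += 1 + client_hello[p]                                 # compression_methods
    if p >= len(client_hello):
        return None                                          # no extensions block
    end = p + 2 + struct.unpack("!H", client_hello[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", client_hello[p:p + 4])
        p += 4
        if etype == SNI_EXT:
            q = p + 2                                        # skip list length
            while q + 3 <= p + elen:
                nlen = struct.unpack("!H", client_hello[q + 1:q + 3])[0]
                if client_hello[q] == 0:                     # name_type host_name
                    return client_hello[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        p += elen
    return None

def select_cert(dest_ip, client_hello):
    """All the server knows when it must pick a cert: the address the client
    connected to, plus the SNI name if (and only if) the client sent one."""
    name = extract_sni(client_hello)
    if name in BY_NAME:
        return BY_NAME[name]
    return BY_IP.get(dest_ip)         # pre-SNI client on a shared IP: first cert wins
```

A pre-SNI browser asking for b.example on the shared address gets cert-a.example, which is exactly the "answered with the key for the first" symptom from the original question; the same client reaching c.example on its own address gets the right certificate.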



Re: Running with multiple keys

2000-06-25 Thread Ralf S. Engelschall

On Sun, Jun 25, 2000, Mads Toftum wrote:

> [SNIP]
> > 2) The keys have to have the same password.
> 
> There should be no problem using different passwords.

Yes, mod_ssl recognizes this automatically and re-uses the pass-phrase.  So
even if one has multiple keys encrypted with the same pass-phrase one only
has to enter the pass-phrase once at startup.

> [SNIP] 
> > 
> > Some people on this list did experiment with passing the servername during the
> > handshake. I haven't heard anyone reporting success. Anyone?
> 
> If I remember it correctly, then there was some talk about extending the TLS
> standard to handle that - but AFAIK nothing like that has happened in openssl. 

AFAIK the TLS standard will not be changed for this. But there are drafts (or
are they already final RFCs?) which describe an "upgrade mechanism" for HTTP
connections which allows one to first send a plain HTTP request (including the
Host: field), then perform a step-up to SSL/TLS and then transfer the response
already encrypted. And because here the Host: header is seen before the
SSL/TLS handshake is performed, this implicitly solves the name-based virtual
hosting issues.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Running with multiple keys

2000-06-25 Thread Thomas A. Halter

Ralf,

  When I set them up that way, the 2nd one is always answered with the key
for the first, causing a signature warning on the browser.  How do I avoid
that?  Is there something special I have to do with the crt's?  keys?

  I've run several normal vhosts without incident or problem, it is just
the secure ones that are getting me.

Tom

On Sat, 24 Jun 2000, you wrote:
> On Fri, Jun 23, 2000, Thomas A. Halter wrote:
> 
> > How do you run multiple secure domains on the same server?  I tried and it
> > was not working and I could find no FAQs or guidance on the subject.  I
> > have two sites, with two separate keys and crt's.  Can they run on the same
> > server or must they run on separate servers?
> > I would appreciate any help that anyone can provide me.
> 
> They can be served by the same Apache run-time instance.  All you have to do
> is configure separate <VirtualHost> sections for the individual domains. See the
> Apache documentation on virtual hosting for details, please.
> 
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com
-- 
Thomas A. Halter
Senior Systems Administrator
ProShells Premium Connectivity Solutions
http://www.proshells.com
[EMAIL PROTECTED]
 



Re: Running with multiple keys

2000-06-25 Thread Ralf S. Engelschall

On Sat, Jun 24, 2000, Thomas A. Halter wrote:

>   When I set them up that way, the 2nd one is always answered with the key
> for the first, causing a signature warning on the browser.  How do I avoid
> that?  Is there something special I have to do with the crt's?  keys?
> 
>   I've run several normal vhosts without incident or problem, it is just
> the secure ones that are getting me.
> 
> > > How do you run multiple secure domains on the same server?  I tried and it
> > > was not working and I could find no FAQs or guidance on the subject.  I
> > > have two sites, with two separate keys and crt's.  Can they run on the same
> > > server or must they run on separate servers?
> > > I would appreciate any help that anyone can provide me.
> > 
> > They can be served by the same Apache run-time instance.  All you have to do
> > is configure separate <VirtualHost> sections for the individual domains. See the
> > Apache documentation on virtual hosting for details, please.

If the 2nd is answered with the key of the 1st, then you are using name-based
virtual hosts and not IP-based virtual hosts. Read the mod_ssl FAQ why you
need IP-based virtual hosts.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Running with multiple keys

2000-06-25 Thread Balazs Nagy

Mads Toftum wrote:
> 
> On Sat, Jun 24, 2000 at 10:55:17PM -0600, Balazs Nagy wrote:
> 
> [SNIP]
> > 2) The keys have to have the same password.
> 
> There should be no problem using different passwords.

The mod_ssl I use only asks the password once, and uses it for all keys. I
don't know how to make it ask a password for each key while using the standard
passwd dialog.


Re: Running with multiple keys

2000-06-25 Thread Mads Toftum

On Sun, Jun 25, 2000 at 11:05:22AM -0600, Balazs Nagy wrote:
> 
> The mod_ssl I use only asks the password once, and uses it for all keys. I
> don't know how to make it ask a password for each key while using the standard
> passwd dialog.

You can do that simply by having different passwords for the keys.
Basically mod_ssl will try to decrypt the private key with all the
passwords that have been entered previously, and only if that fails
will it ask you for a password. See the manual:
http://www.modssl.org/docs/2.6/ssl_reference.html#ToC2 and
http://marc.theaimsgroup.com/?l=apache-modssl&m=96193908231776&w=2

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: Running with multiple keys

2000-06-25 Thread Mads Toftum

On Sun, Jun 25, 2000 at 03:16:00PM +0200, Ralf S. Engelschall wrote:
> 
> AFAIK the TLS standard will not be changed for this. But there are drafts (or
> are they already final RFCs?) which describe an "upgrade mechanism" for HTTP
> connections which allows one to first send a plain HTTP request (including the
> Host: field), then perform a step-up to SSL/TLS and then transfer the response
> already encrypted. And because here the Host: header is seen before the
> SSL/TLS handshake is performed, this implicitly solves the name-based virtual
> hosting issues.

Yes, that was it.
I don't really like the idea very much - it sounds like a dirty hack to me.
And as long as none of the major browsers support it, there's not much fun
in it at all (unless M$ suddenly choose to change that very fast ;-)
I'd much rather see a solution along the lines of adding CNAMEs to the
certificate as X.509v3 extensions[1] or alternatively just wait for IPv6.

[1] No, I'm not working for a CA (any longer) and hoping to sell a few extra
certs by using such a scheme ;-)

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: Running with multiple keys

2000-06-25 Thread Balazs Nagy

Mads Toftum wrote:
> 
> On Sun, Jun 25, 2000 at 11:05:22AM -0600, Balazs Nagy wrote:
> >
> > The mod_ssl I use only asks the password once, and uses it for all keys. I
> > don't know how to make it ask a password for each key while using the standard
> > passwd dialog.
> 
> You can do that simply by having different passwords for the keys.
> Basically mod_ssl will try to decrypt the private key with all the
> passwords that have been entered previously, and only if that fails
> will it ask you for a password. See the manual:
> http://www.modssl.org/docs/2.6/ssl_reference.html#ToC2 and
> http://marc.theaimsgroup.com/?l=apache-modssl&m=96193908231776&w=2

Mads, I have no doubts that you know how it is supposed to work. However, it
did not work for me. The other passphrase request never showed up. That's when
I signed up for this list, and someone told me that I have to use the same
passphrase. I did, and it worked.

Do not misunderstand me, I do not mean to argue. In fact I bow in front of your
deep knowledge and I apologize for wasting anyone's time with this thread on
this list.


Re: Running with multiple keys

2000-06-25 Thread Mads Toftum

On Sun, Jun 25, 2000 at 11:56:45AM -0600, Balazs Nagy wrote:
> 
> Mads, I have no doubts that you know how it is supposed to work. However, it
> did not work for me. The other passphrase request never showed up. That's when
> I signed up for this list, and someone told me that I have to use the same
> passphrase. I did, and it worked.
> 
> Do not misunderstand me, I do not mean to argue. In fact I bow in front of your
> deep knowledge and I apologize for wasting anyone's time with this thread on
> this list.

I'm not saying that there isn't a bug, I'm just saying that it is supposed to
work that way. I just looked back into the list archive and could see that
we've had this discussion before ;-) Are you still using mod_ssl 2.2.8? 
Looking through the changes file I can see several changes to the passphrase
handling code - it may very well have been fixed since then. I'll try it out
with one of the latest versions in a couple of days just to make sure that
it doesn't have the same problem.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: Running with multiple keys

2000-06-25 Thread Balazs Nagy

Mads Toftum wrote:

> I'm not saying that there isn't a bug, I'm just saying that it is supposed to
> work that way. I just looked back into the list archive and could see that
> we've had this discussion before ;-) Are you still using mod_ssl 2.2.8?

Till Sept 20, 'cause in US I am, and therefore on Red Hat I depend. ;-)

> Looking through the changes file I can see several changes to the passphrase
> handling code - it may very well have been fixed since then. I'll try it out
> with one of the latest versions in a couple of days just to make sure that
> it doesn't have the same problem.

Thanks a lot Mads.


Re: Running with multiple keys

2000-06-25 Thread Thomas A. Halter

Gentlemen,

  Thank you for the assistance.  I knew it was something simple I was
missing.  Change a name to an IP and what do ya know, it works.  Sometimes
it is the simplest things that get ya.

T. Halter



-- 
Thomas A. Halter
Senior Systems Administrator
ProShells Premium Connectivity Solutions
http://www.proshells.com
[EMAIL PROTECTED]
 



Re: Running with multiple keys

2000-06-25 Thread Gianni Mariani


Balazs Nagy wrote:

>
> Do not misunderstand me, I do not mean to argue. In fact I bow in front of your
> deep knowledge and I apologize for wasting anyone's time with this thread on
> this list.

careful - the clowns on this list are just like all other bozos ...

... Just trying to prevent explosions from head expansion.




Re: Running with multiple keys

2000-06-25 Thread Ralf S. Engelschall

On Sun, Jun 25, 2000, Mads Toftum wrote:

> > AFAIK the TLS standard will not be changed for this. But there are drafts (or
> > are they already final RFCs?) which describe an "upgrade mechanism" for HTTP
> > connections which allows one to first send a plain HTTP request (including the
> > Host: field), then perform a step-up to SSL/TLS and then transfer the response
> > already encrypted. And because here the Host: header is seen before the
> > SSL/TLS handshake is performed, this implicitly solves the name-based virtual
> > hosting issues.
> 
> Yes, that was it.
> I don't really like the idea very much - it sounds like a dirty hack to me.

Yes, it is a hack, indeed.  One only can say that this approach at least
nicely fits into the set of other SSL/TLS kludges for other protocols (SMTP's
STARTTLS, Telnet's SSL support, etc ;) But that's all...

> And as long as none of the major browsers support it, there's not much fun
> in it at all (unless M$ suddenly choose to change that very fast ;-)
> I'd much rather see a solution along the lines of adding CNAMEs to the
> certificate as X.509v3 extensions[1] or alternatively just wait for IPv6.

Yes, agreed, Mads.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com