Re: mod_ssl and name-based virtual hosts

2001-07-16 Thread Cliff Woolley

On Tue, 17 Jul 2001, Jan Vejvalka wrote:

> NameVirtualHost 1.2.3.4:443
>
> 
> ServerName host1.mydomain.dom
> DocumentRoot "/data/host1"
> ServerAdmin [EMAIL PROTECTED]
> 
>
> 
> ServerName host2.mydomain.dom
> DocumentRoot "/data/host2"
> ServerAdmin [EMAIL PROTECTED]
> 
> (...)
>
> The rest of the virtual host configuration is the same (yes, using the
> same certificate for both hosts - I didn't try to change it, and I don't
> mind it in this application).
>
> I'm -sort-of- puzzled. Please help.

If you're using the same SSL configuration and the same certificate for
both hosts (generally not an option in the real world because of the
security alert boxes it brings up in the browser), then you won't _notice_
a problem with namevirtualhost.  That's because you're masking the fact
that both of the vhosts are using the config of the FIRST one.  The fact
that they're the same means it doesn't matter if they each use their own
or if they both pick the same one.

But like I said, this doesn't work in general because normally each vhost
must have a certificate that matches its domain name lest trust error
messages get triggered in the browser and scary-looking dialog boxes pop
up in front of the user.

Make sense?

--Cliff


--
   Cliff Woolley
   [EMAIL PROTECTED]
   Charlottesville, VA


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: mod_ssl and name-based virtual hosts

2001-07-17 Thread Jan Vejvalka

Thanks for the reply.

> If you're using the same SSL configuration and the same certificate for
> both hosts (generally not an option in the real world because of the
> security alert boxes it brings up in the browser), then you won't _notice_
> a problem with namevirtualhost.  That's because you're masking the fact
> that both of the vhosts are using the config of the FIRST one.  The fact
> that they're the same means it doesn't matter if they each use their own
> or if they both pick the same one.

They're not the same: they have their respective web trees.
And the server correctly decides which tree to serve. Which 
means (in my view) that the server somehow decodes the HOST 
header field before it decides which v-host to call. 
Does it mean that the server is clever enough to know that all 
hosts have the same SSL configuration and to behave accordingly ?
This, however, does not work if I use  
(the same IP address for all hosts) instead of .
 
Still a bit confused.

Jan




Re: mod_ssl and name-based virtual hosts

2001-07-17 Thread Jeff

Jan,

What is the host name (common name) in the certificates ???
I suspect you have used *.mydomain.dom - correct ???

If so, then it is quite simple
1/. browser looks up DNS and gets IP,
2/. browser connects to IP port 443,
3/. apache provides FIRST certificate (which has CN=*.mydomain.dom - which
matches BOTH host1 & host2)
4/. browser and apache secure the connection
5/. browser sends HTTP request over the secured channel
6/. apache uses the HTTP request to send to appropriate v-host..
7/. all APPEARS to work fine..

but NOTE!!! - if the certificate of the FIRST v-host does not match the DNS
name that the browser is requesting, the browser will generate an
error/popup indicating the names do not match...  Of course, if you
simply hit OK, the browser and apache will still secure the connection -
using the FIRST certificate found..

What you have 'can' work ok PROVIDED ALL the v-hosts have the same domain
name (only changing the host part) and you use a wildcard certificate..
If you have DIFFERENT domain names, then this will ALWAYS produce an
error/popup as described..

Rgds
Jeff




Re: mod_ssl and name-based virtual hosts

2001-07-17 Thread Jan Vejvalka

Jeff, 

Thanks for the sequence, it's clear now. Just why doesn't
it work with the wildcarded VirtualHost ?

I didn't come to the idea of the wildcard certificate, and 
I didn't mind the popup messages. It's better without them, 
thanks !

Jan

> If so, then it is quite simple
> 1/. browser looks up DNS and gets IP,
> 2/. browser connects to IP port 443,
> 3/. apache provides FIRST certificate (which has CN=*.mydomain.dom - which
> matches BOTH host1 & host2)
> 4/. browser and apache secure the connection
> 5/. browser sends HTTP request over the secured channel
> 6/. apache uses the HTTP request to send to appropriate v-host..
> 7/. all APPEARS to work fine..
> 
> What you have 'can' work ok PROVIDED ALL the v-hosts have the same domain
> name (only changing the host part) and you use a wildcard certificate..
> If you have DIFFERENT domain names, then this will ALWAYS produce an
> error/popup ..
> 
> Rgds
> Jeff




Re: mod_ssl and name-based virtual hosts

2001-07-17 Thread Mads Toftum

On Tue, Jul 17, 2001 at 06:52:42PM +1000, Jeff wrote:
> Jan,
> 
> What is the host name (common name) in the certificates ???
> I suspect you have used *.mydomain.dom - correct ???
> 
> If so, then it is quite simple
> 1/. browser looks up DNS and gets IP,
> 2/. browser connects to IP port 443,
> 3/. apache provides FIRST certificate (which has CN=*.mydomain.dom - which
> matches BOTH host1 & host2)
> 4/. browser and apache secure the connection
> 5/. browser sends HTTP request over the secured channel

Note: this is also the time where the Host header is sent, and as such
the first time Apache knows which vhost it is supposed to use.

> 6/. apache uses the HTTP request to send to appropriate v-host..
> 7/. all APPEARS to work fine..
> 
Old msie's (< 4) and a few builds in the 4.x and 5.x series do not 
allow wildcards in certificates (see the archive for this list and
openssl-users for details).

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: mod_ssl and name-based virtual hosts

2001-07-18 Thread Michael Grant

Jeff wrote:
> What is the host name (common name) in the certificates ???
> I suspect you have used *.mydomain.dom - correct ???

Hmm, I'm also using name based virtual hosting with ssl as well, but
my cert isn't *.domain.dom, it's just cn=domain.dom.  The virtual
hosts are of the form sub1.domain.dom and sub2.domain.dom.

When I first accessed the domain, my browser asked me to accept the
cert, it never said anything about the domain names not matching.

I do, however, get the following errors in my apache_ssl_engine_log:
Init: (sub1.domain.dom:443) RSA server certificate CommonName (CN) `domain.dom' does 
NOT match server name!?

but otherwise, it doesn't seem to cause any problems except that I
have this annoying floating point error...

For those who asked previously, I'm running 

% httpd -version
Server version: Apache/1.3.20 (Unix)
Server built:   May 24 2001 17:21:45

% gcc --version
2.95.3

% uname -v
FreeBSD 4.3-STABLE #0: Sat Apr 28 11:05:39 EDT 2001

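Added example (not part of any message in this thread): a small Python model of the sequence Jeff lists and of the mismatch reported in Michael Grant's apache_ssl_engine_log. It assumes the common matching rule in which `*` stands for exactly one leftmost label; the addresses and the `audit` and `cn_matches` names are constructed for illustration.

```python
# Added illustration: which certificate does a client see when several SSL
# vhosts share one address and the server cannot read the requested name
# until after the handshake? Answer: always the first vhost's certificate.

def cn_matches(cn, host):
    """Exact match, or '*' as the whole leftmost label covering one label.

    Assumed rule for this example; browsers of the period differed in detail.
    """
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn == host:
        return True
    cn_labels, host_labels = cn.split("."), host.split(".")
    if cn_labels[0] != "*" or len(cn_labels) != len(host_labels):
        return False
    return cn_labels[1:] == host_labels[1:]


def audit(vhosts):
    """vhosts: ordered list of (addr, server_name, cert_cn) as in the config.

    Returns (server_name, presented_cn, ok) for each vhost, where
    presented_cn is the CN of the FIRST vhost declared on that address,
    because that is the certificate sent before the Host header arrives.
    """
    first_cn = {}
    report = []
    for addr, name, cn in vhosts:
        presented = first_cn.setdefault(addr, cn)
        report.append((name, presented, cn_matches(presented, name)))
    return report


def mismatches(vhosts):
    """Server names whose visitors would get a name-mismatch warning."""
    return [name for name, _cn, ok in audit(vhosts) if not ok]


# Constructed inputs modelled on the thread (addresses are placeholders).
WILDCARD = [  # Jeff's case: one wildcard certificate on both vhosts
    ("1.2.3.4:443", "host1.mydomain.dom", "*.mydomain.dom"),
    ("1.2.3.4:443", "host2.mydomain.dom", "*.mydomain.dom"),
]
BARE_DOMAIN = [  # Michael Grant's case: CN is the bare domain
    ("192.0.2.10:443", "sub1.domain.dom", "domain.dom"),
    ("192.0.2.10:443", "sub2.domain.dom", "domain.dom"),
]
TWO_DOMAINS = [  # each vhost has its own correct cert, but shares the address
    ("1.2.3.4:443", "host1.mydomain.dom", "host1.mydomain.dom"),
    ("1.2.3.4:443", "www.other.dom", "www.other.dom"),
]

if __name__ == "__main__":
    for label, cfg in (("wildcard", WILDCARD), ("bare domain", BARE_DOMAIN),
                       ("two domains", TWO_DOMAINS)):
        for name, cn, ok in audit(cfg):
            print(f"{label:12} {name:20} gets CN={cn:20} {'ok' if ok else 'MISMATCH'}")
```

In the third case the second vhost's own certificate is correct but is never presented, which is the failure that identical or wildcard certificates hide.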



RE: mod_ssl and name-based virtual hosts

2001-07-22 Thread robert


Can someone send me the proper syntax for setting up name-based virtual
hosts with SSL?
I have tried several things and only non-virtual hosts seem to work.

thanks
Robert



Re: mod_ssl and name-based virtual hosts

2001-07-23 Thread Magnus Stenman

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

[EMAIL PROTECTED] wrote:
> 
> Can someone send me the proper syntax for setting up name-based virtual
> hosts with SSL?
> I have tried several things and only non-virtual hosts seem to work.
> 
> thanks
> Robert



RE: mod_ssl and name-based virtual hosts

2001-07-26 Thread robert

Can I assign private IPs to a virtual host and still serve it on the web?
Or will I have to buy public IPs?

thanks
Robert




Re: mod_ssl and name-based virtual hosts

2001-07-26 Thread Owen Boyle

[EMAIL PROTECTED] wrote:
> 
> Can I assign private IPs to a virtual host and still serve it on the web?
> Or will I have to buy public IPs?

I assume you are trying to get round the problem of only-one-SSL-host
per IP address (otherwise there is no point in doing this for ordinary
HTTP).

Think it through... suppose you:

- set up a public IP on the outside interface of your firewall.
- set up many private IPs on your webserver inside the firewall.
- connect your webserver to the internal interface of the firewall.

All your firewall will receive is an HTTPS request on its public IP
address at port 443. How can it decide which internal address to send it
to? Remember that it doesn't have a ServerName yet so it can't use that.

I don't believe this is possible...

I know this is a real nuisance but it is a consequence of how SSL works
- all traffic (including the Servername) has to be encrypted so the SSL
session has to be established before any HTTP traffic can take place. So
only external TCP/IP attributes (IP and port no) can be used to route
packets.

Rgds,

Owen Boyle.



RE: mod_ssl and name-based virtual hosts

2001-07-26 Thread John . Airey

No and yes. Although the question is beyond the scope of mod_ssl. Basically,
you can't send packets over the 'net to RFC1918 internal IP addresses. A
real address has to be used somewhere.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 





Re: mod_ssl and name-based virtual hosts

2001-07-26 Thread Geoff Thorpe

On Thu, 26 Jul 2001, Owen Boyle wrote:

> [EMAIL PROTECTED] wrote:
> > 
> > Can I assign private IPs to a virtual host and still serve it on the web?
> > Or will I have to buy public IPs?
> 
> I assume you are trying to get round the problem of only-one-SSL-host
> per IP address (otherwise there is no point in doing this for ordinary
> HTTP).
> 
> Think it through... suppose you:
> 
> - set up a public IP on the outside interface of your firewall.
> - set up many private IPs on your webserver inside the firewall.
> - connect your webserver to the internal interface of the firewall.
> 
> All your firewall will receive is an HTTPS request on its public IP
> address at port 443. How can it decide which internal address to send it
> to? Remember that it doesn't have a ServerName yet so it can't use that.
> 
> I don't believe this is possible...
> 
> I know this is a real nuisance but it is a consequence of how SSL works
> - all traffic (including the Servername) has to be encrypted so the SSL
> session has to be established before any HTTP traffic can take place. So
> only external TCP/IP attributes (IP and port no) can be used to route
> packets.

Actually, this is a problem with how *HTTPS* works - SSL (and TLS) are just
channel-level encryption and/or authentication protocols, what you tunnel
through them (and what semantic juggling you do with the peer-certificates, such
as URL <--> CN comparisons) is up to you. HTTPS is just one common application
of SSL/TLS, and in fact was specified retrospectively to try and qualify exactly
what existing (unspecified) browser implementations were doing.

There have been alternatives suggested by various people (including the person
who backfitted the first HTTPS spec to what he saw running), but the chance of
the browser-war participants getting involved is slim. Needless to say, I doubt
very much that the major ISPs and telcos they do business with are that
interested in such ideas either. They would stand to lose traction in the
ballooning online commerce space (SSL/TLS with virtual hosting means less
high-price IP address space sales/leases). This is probably the same reason we
won't see IPv6 properly "on the net" until it is absolutely necessary - the
cramping IPv4 address space is a valuable problem for some interests to
maintain.

Cheers,
Geoff





Re: mod_ssl and name-based virtual hosts

2001-07-26 Thread Eric Rescorla

Geoff Thorpe <[EMAIL PROTECTED]> writes:
> Actually, this is a problem with how *HTTPS* works - SSL (and TLS) are just
> channel-level encryption and/or authentication protocols, what you tunnel
> through them (and what semantic juggling you do with the peer-certificates, such
> as URL <--> CN comparisons) is up to you. HTTPS is just one common application
> of SSL/TLS, and in fact was specified retrospectively to try and qualify exactly
> what existing (unspecified) browser implementations were doing.
> 
> There have been alternatives suggested by various people (including the person
> who backfitted the first HTTPS spec to what he saw running), but the chance of
> the browser-war participants getting involved is slim.

The fix that's currently winding its way through the system
(slowly) is to include the dns_name of the server in the
SSL ClientHello. Microsoft, at least, has tentatively supported
it but I wouldn't hold your breath.

In any case, it will be years before enough browsers support
this extension to make it safe to convert your server to name
based virtual hosting.

-Ekr





Re: mod_ssl and name-based virtual hosts

1999-09-09 Thread Henrik Olsen

On Fri, 10 Sep 1999, Mike wrote:
> Hi everyone
> 
> Please forgive a beginners' possibly ignorant question... My first attempt
> at this...
> 
> I have a server with several name based virtual hosts on it. As I 
> discovered, mod_ssl won't work with name based virtual hosts, for
> reasons discussed earlier on this list.
> 
> My question is, will it work if I get a static IP address for the
> one virtual host I wish to run mod_ssl on, and keep the rest as name based
> virtual hosts? Perhaps someone could be so kind as to point me to an
> example config of a couple of name based virtual hosts and one ip based
> w/ssl virtual host.
> 
> Many thanks,
> Mike
This will work just as you'd expect, very well, you don't even have to
use two ip's:)


ServerName secure.blah.dk
SSLEngine on
SSLstuff
otherstuff



ServerName www.blah.dk
otherstuff



ServerName nosecure.blah.dk
otherstuff





-- 
Henrik Olsen,  Dawn Solutions I/S   URL=http://www.iaeste.dk/~henrik/
HAL: I'm evil. (kills astronauts)  Bowman: I must shut you down now, HAL.
HAL: Daisy, Daisy...Bowman: Now I must finish this mission alone.
(STRANGE THINGS happen, and they MAKE SENSE.)
Reader: Wow. I understand the movie now.  2001, Book-A-Minute version





Re: mod_ssl and name-based virtual hosts (oops)

2001-07-17 Thread Jan Vejvalka

> This, however, does not work if I use  
> (the same IP address for all hosts) instead of .
>  
> Still a bit confused.

Definitely confused: I turned that just the other way. Now correctly: when 
I specify the IP address (the same IP for all the SSL v-hosts), it works. 
When I use the asterisk, it does not.

Jan
