SSL Virtual Host with Port Translation
Hi

A customer has the following setup with Apache/mod_ssl:

- One virtual host on port 5100, which is translated to port 443 by the firewall.
- One virtual host on port 5000, which is not translated by the firewall.

Both virtual hosts use SSL Client Authentication. While the untranslated virtual host works without problems, the translated one does not. The handshake seems to happen (the client certificate is requested and the server certificate is checked by the client), but after that, the connection is lost.

Is there a general problem with port translation (couldn't think of any) or has anybody experienced similar problems?

Bye
Tim

Log File:

    [07/Apr/2002 15:19:10 26023] [info] Server: Apache/1.3.24, Interface: mod_ssl/2.8.8, Library: OpenSSL/0.9.6b
    [07/Apr/2002 15:19:10 26023] [info] Init: 1st startup round (still not detached)
    [07/Apr/2002 15:19:10 26023] [info] Init: Initializing OpenSSL library
    [07/Apr/2002 15:19:10 26023] [info] Init: Loading certificate & private key of SSL-aware server ebanking.hbl.ch:5100
    [07/Apr/2002 15:19:10 26023] [info] Init: Requesting pass phrase via builtin terminal dialog
    [07/Apr/2002 15:19:11 26023] [info] Init: Loading certificate & private key of SSL-aware server telebanking.hbl.ch:5100
    [07/Apr/2002 15:19:11 26023] [info] Init: Requesting pass phrase via builtin terminal dialog
    [07/Apr/2002 15:19:12 26023] [info] Init: Wiped out the queried pass phrases from memory
    [07/Apr/2002 15:19:12 26023] [info] Init: Seeding PRNG with 136 bytes of entropy
    [07/Apr/2002 15:19:12 26023] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [07/Apr/2002 15:19:13 26023] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [07/Apr/2002 15:19:13 26024] [info] Init: 2nd startup round (already detached)
    [07/Apr/2002 15:19:13 26024] [info] Init: Reinitializing OpenSSL library
    [07/Apr/2002 15:19:13 26024] [info] Init: Seeding PRNG with 136 bytes of entropy
    [07/Apr/2002 15:19:13 26024] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
    [07/Apr/2002 15:19:13 26024] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [07/Apr/2002 15:19:13 26024] [info] Init: Initializing (virtual) servers for SSL
    [07/Apr/2002 15:19:13 26024] [info] Init: Configuring server ebanking.hbl.ch:5100 for SSL protocol
    [07/Apr/2002 15:19:13 26024] [warn] Init: (ebanking.hbl.ch:5100) RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [07/Apr/2002 15:19:13 26024] [info] Init: Configuring server telebanking.hbl.ch:5100 for SSL protocol
    [07/Apr/2002 15:19:13 26024] [info] Init: (telebanking.hbl.ch:5100) RSA server certificate enables Server Gated Cryptography (SGC)
    [07/Apr/2002 15:20:14 26025] [info] Connection to child 0 established (server telebanking.hbl.ch:5100, client 172.16.1.206)
    [07/Apr/2002 15:20:14 26025] [info] Seeding PRNG with 23177 bytes of entropy
    [07/Apr/2002 15:20:14 26025] [info] Connection: Client IP: 172.16.1.206, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
    [07/Apr/2002 15:20:14 26025] [info] Connection to child 0 closed with standard shutdown (server telebanking.hbl.ch:5100, client 172.16.1.206)
    [07/Apr/2002 15:20:15 26027] [info] Connection to child 2 established (server telebanking.hbl.ch:5100, client 172.16.1.206)
    [07/Apr/2002 15:20:15 26027] [info] Seeding PRNG with 23177 bytes of entropy
    [07/Apr/2002 15:20:15 26027] [info] Connection: Client IP: 172.16.1.206, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
    [07/Apr/2002 15:20:15 26027] [info] Initial (No.1) HTTPS request received for child 2 (server telebanking.hbl.ch:5100)
    [07/Apr/2002 15:20:15 26027] [info] Connection to child 2 closed with unclean shutdown (server telebanking.hbl.ch:5100, client 172.16.1.206)

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                  [EMAIL PROTECTED]
Re: ssl virtual host IP's
Sir SoilentG_kov wrote:

> I've been looking thru the mod_ssl users archives and have learned that I
> can't do SSL on Virtual Hosts that are name based. I've seen that it is
> possible to use it on Virtual Hosts with IP based.

Correct. Also, port based...

> Are these IP based hosts separate computers or can they be Virtual IP's
> all pointing to the same computer? What I want to do is have two domain
> names routed to my Linux Web Server and have them both have separate
> certs. However, I have no clue how I'd go about setting up two IP's that
> point to the same box... doesn't make sense to me so I'm guessing it's
> not possible... but would love it if it does.

It is entirely possible. Any single interface card (i.e. the physical device, e.g. eth0) can listen to many IP addresses. On an internet connected unix machine the basic procedure is:

- obtain two IP addresses (on the same network - e.g. 192.168.1.1 and 192.168.1.2)
- define your two sites in DNS (these two points are done via your ISP usually)
- use ifconfig to make your NIC listen to the two IPs (see man pages for more detail on this command)
- configure apache to Listen to the two IPs and
- define two VHs for each IP

e.g.

    Listen 192.168.1.1:443
    <VirtualHost 192.168.1.1:443>
        ServerName www.site1.com
        DocumentRoot /path/to/site1
        # SSLEngine, certificate and key directives for site1 go here
    </VirtualHost>

    Listen 192.168.1.2:443
    <VirtualHost 192.168.1.2:443>
        ServerName www.site2.com
        DocumentRoot /path/to/site2
        # SSLEngine, certificate and key directives for site2 go here
    </VirtualHost>

Rgds,
Owen Boyle.
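The procedure Owen describes, carried through to a working Apache 1.3 + mod_ssl configuration, as an added example that is not part of Owen's post. The IP alias command, the certificate and key paths, and the site names are assumptions; the two addresses are the ones from Owen's reply.

```apache
# Added example, not from the thread. Before starting Apache the second
# address must exist on the NIC; on Linux with net-tools that is (assumed):
#   ifconfig eth0:0 192.168.1.2 netmask 255.255.255.0 up
# Each address gets its own Listen and its own <VirtualHost>, so mod_ssl
# can pick the certificate by the address the client connected to.

Listen 192.168.1.1:443
Listen 192.168.1.2:443

<VirtualHost 192.168.1.1:443>
    ServerName   www.site1.com
    DocumentRoot /path/to/site1
    SSLEngine on
    # assumed paths; one certificate/key pair per site
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/site1.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/site1.key
</VirtualHost>

<VirtualHost 192.168.1.2:443>
    ServerName   www.site2.com
    DocumentRoot /path/to/site2
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/site2.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/site2.key
</VirtualHost>

# Check which certificate each address serves (run from another host):
#   openssl s_client -connect 192.168.1.1:443 < /dev/null | openssl x509 -noout -subject
#   openssl s_client -connect 192.168.1.2:443 < /dev/null | openssl x509 -noout -subject
```

Apache 1.3 only accepts comments on lines of their own, so keep the `#` lines separate from directives as shown.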
RE: ssl virtual host IP's
thanks, FYI i used Linuxconf instead of ifconfig (newbie here) and it works like a champ.

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Owen Boyle
Sent: Tuesday, February 05, 2002 12:38 AM
To: [EMAIL PROTECTED]
Subject: Re: ssl virtual host IP's

> Sir SoilentG_kov wrote:
>
> > I've been looking thru the mod_ssl users archives and have learned that I
> > can't do SSL on Virtual Hosts that are name based. I've seen that it is
> > possible to use it on Virtual Hosts with IP based.
>
> Correct. Also, port based...
>
> > Are these IP based hosts separate computers or can they be Virtual IP's
> > all pointing to the same computer? What I want to do is have two domain
> > names routed to my Linux Web Server and have them both have separate
> > certs. However, I have no clue how I'd go about setting up two IP's that
> > point to the same box... doesn't make sense to me so I'm guessing it's
> > not possible... but would love it if it does.
>
> It is entirely possible. Any single interface card (i.e. the physical
> device, e.g. eth0) can listen to many IP addresses. On an internet
> connected unix machine the basic procedure is:
>
> - obtain two IP addresses (on the same network - e.g. 192.168.1.1 and 192.168.1.2)
> - define your two sites in DNS (these two points are done via your ISP usually)
> - use ifconfig to make your NIC listen to the two IPs (see man pages for more detail on this command)
> - configure apache to Listen to the two IPs and
> - define two VHs for each IP
>
> e.g.
>
>     Listen 192.168.1.1:443
>     <VirtualHost 192.168.1.1:443>
>         ServerName www.site1.com
>         DocumentRoot /path/to/site1
>     </VirtualHost>
>
>     Listen 192.168.1.2:443
>     <VirtualHost 192.168.1.2:443>
>         ServerName www.site2.com
>         DocumentRoot /path/to/site2
>     </VirtualHost>
>
> Rgds,
> Owen Boyle.
RE: ssl virtual host IP's
Last time I checked, and perhaps it has been updated and fixed, it was not a few mere weeks ago, Linuxconf was an open security hole waiting for exploitation. You may want to fix that.

Thanks,

Ron DuFresne

On Tue, 5 Feb 2002, Sir SoilentG_kov wrote:

> thanks, FYI i used Linuxconf instead of ifconfig (newbie here) and it
> works like a champ.
>
> Jeff
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Owen Boyle
> Sent: Tuesday, February 05, 2002 12:38 AM
> To: [EMAIL PROTECTED]
> Subject: Re: ssl virtual host IP's
>
> [...]

--
~~
admin senior security consultant: sysinfo.com http://sysinfo.com

Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart

testing, only testing, and damn good at it too!
RE: ssl virtual host IP's
Ron, can you be more specific as to what security hole or who could exploit it? I have sole access directly to my webserver so far as a real terminal. I allow SSH for only a couple of non-root users and that is key based authentication and my FTP is chrooted to the users' home folder. I'm starting to get into IP Tables. My server is NAT'ed behind a modem and the webmin port is not open. I figure if someone can get in and exploit Linuxconf then I'm hosed even if I un-install it cuz they can merely get in.

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. DuFresne
Sent: Tuesday, February 05, 2002 9:17 AM
To: [EMAIL PROTECTED]
Subject: RE: ssl virtual host IP's

> Last time I checked, and perhaps it has been updated and fixed, it was not
> a few mere weeks ago, Linuxconf was an open security hole waiting for
> exploitation. You may want to fix that.
>
> Thanks,
>
> Ron DuFresne
>
> On Tue, 5 Feb 2002, Sir SoilentG_kov wrote:
>
> > thanks, FYI i used Linuxconf instead of ifconfig (newbie here) and it
> > works like a champ.
> >
> > Jeff
> >
> > [...]
>
> --
> ~~
> admin senior security consultant: sysinfo.com http://sysinfo.com
>
> Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation. -- Johnny Hart
>
> testing, only testing, and damn good at it too!
ssl virtual host IP's
I've been looking thru the mod_ssl users archives and have learned that I can't do SSL on Virtual Hosts that are name based. I've seen that it is possible to use it on Virtual Hosts with IP based.

Are these IP based hosts separate computers or can they be Virtual IP's all pointing to the same computer? What I want to do is have two domain names routed to my Linux Web Server and have them both have separate certs. However, I have no clue how I'd go about setting up two IP's that point to the same box... doesn't make sense to me so I'm guessing it's not possible... but would love it if it does.

thanks for bearing with me,

Jeff
SSL Virtual Host Problems, pls help
Hi,

I have configured the following virtual host with ssl enabled. But I keep getting the error from the browser stating that "The page cannot be displayed" using Internet Explorer.

    Port 80
    Listen 80
    Listen 443
    Servername www.domain.com
    DocumentRoot "/home/domain"

    <IfDefine SSL>
    Listen 443
    </IfDefine>

    <VirtualHost 192.168.42:80>
    ServerName www.domain.com
    DocumentRoot "/home/domain"
    </VirtualHost>

    <VirtualHost 192.168.42:80>
    ServerName www.domain1.com
    DocumentRoot "/home/domain1"
    </VirtualHost>

    <VirtualHost 192.168.42:80>
    ServerName www.domain2.com
    DocumentRoot "/home/domain2"
    </VirtualHost>

    <VirtualHost 192.168.42:443>
    ServerName www.domain.com
    DocumentRoot "/home/domain"
    </VirtualHost>

When I try http://www.domain.com/index.phtml, the page can be displayed. But when I try https://www.domain.com/index.phtml, the error message pops up stating that "The page cannot be displayed". Please point out to me what the error is.

Thanks in Advance.
Thank you so much for your help

Mark Lo
Re: SSL Virtual Host Problems, pls help
Mark Lo wrote:

> Hi,
>
> I have configured the following virtual host with ssl enabled. But I keep
> getting the error from the browser stating that "The page cannot be
> displayed" using Internet Explorer.

Hi Mark,

I don't know if you have missed out things in the config but there are quite a few errors. I've marked my comments with "***":

>     Port 80
>     Listen 80
>     Listen 443
>     Servername www.domain.com
>     DocumentRoot "/home/domain"
>
>     <IfDefine SSL>
>     Listen 443
>     </IfDefine>

*** This is a bit redundant since you already Listen 443

*** Your IP addresses below don't make sense - you need 4 groups of numbers, e.g. 192.168.22.42 then the port number (but I guess this is just a typo).

*** If you are going to have many VHs on the same IP and Port you need the following directive:

    NameVirtualHost 192.168.22.42:80

>     <VirtualHost 192.168.42:80>
>     ServerName www.domain.com
>     DocumentRoot "/home/domain"
>     </VirtualHost>
>
>     <VirtualHost 192.168.42:80>
>     ServerName www.domain1.com
>     DocumentRoot "/home/domain1"
>     </VirtualHost>
>
>     <VirtualHost 192.168.42:80>
>     ServerName www.domain2.com
>     DocumentRoot "/home/domain2"
>     </VirtualHost>
>
>     <VirtualHost 192.168.42:443>
>     ServerName www.domain.com
>     DocumentRoot "/home/domain"
>     </VirtualHost>

*** Now in your SSL VH you have to switch on SSL, so add the directive:

    SSLEngine On

*** And give it a certificate and key e.g.

> When I try http://www.domain.com/index.phtml, the page can be displayed.
> But when I try https://www.domain.com/index.phtml, the error message
> pops up stating that "The page cannot be displayed". Please point out
> to me what the error is.
>
> Thanks in Advance.
> Thank you so much for your help
>
> Mark Lo

--
SWX Swiss Exchange, 10 Cours de Rive, 1211 Geneve 3
Phone: +41 (0)22 849 5648 | Fax: +41 (0)22 849 5643
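Mark's configuration with the corrections Owen lists applied, as an added example that is neither Mark's nor Owen's own text. The address 192.168.22.42 is the one Owen guessed at; the certificate and key paths are assumptions.

```apache
# Added example, not from the thread: Mark's config after Owen's fixes.
Port 80
Listen 80
# One Listen per port is enough, so the <IfDefine SSL> block with its
# second "Listen 443" is dropped.
Listen 443

ServerName   www.domain.com
DocumentRoot "/home/domain"

# Several name-based hosts on the same IP:port need NameVirtualHost,
# and the address needs all four groups.
NameVirtualHost 192.168.22.42:80

<VirtualHost 192.168.22.42:80>
    ServerName   www.domain.com
    DocumentRoot "/home/domain"
</VirtualHost>

<VirtualHost 192.168.22.42:80>
    ServerName   www.domain1.com
    DocumentRoot "/home/domain1"
</VirtualHost>

<VirtualHost 192.168.22.42:80>
    ServerName   www.domain2.com
    DocumentRoot "/home/domain2"
</VirtualHost>

# The SSL host is the only one on :443 for this IP. Without SSLEngine On
# Apache answers plain HTTP on 443 and the browser shows an empty page.
<VirtualHost 192.168.22.42:443>
    ServerName   www.domain.com
    DocumentRoot "/home/domain"
    SSLEngine On
    # assumed paths for the certificate and its private key
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/domain.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domain.key
</VirtualHost>
```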
Re: SSL virtual host
On Fri, Aug 25, 2000 at 01:06:50AM +0800, Mark Lo wrote:

> Hi,
>
> Is it possible to host multiple domain names with SSL enabled for only
> using one IP address?

Only if you're willing to use non standard ports ... read the FAQ: http://www.modssl.org/docs/2.6/ssl_faq.html#vhosts

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
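The port-based layout Mads refers to, as an added example that is not from the FAQ or the thread: two SSL-enabled names on one IP, separated by port rather than by address. The IP 192.168.22.42, the second port 8443, and the certificate paths are assumptions.

```apache
# Added example, not from the thread. With one IP the server must choose
# the certificate before it can read the hostname inside the encrypted
# request, so two SSL names on one address need two ports.
Listen 443
Listen 8443

<VirtualHost 192.168.22.42:443>
    ServerName   www.domain.com
    DocumentRoot "/home/domain"
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/domain.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domain.key
</VirtualHost>

# Reached as https://www.domain1.com:8443/ ; the port goes into
# ServerName so self-referencing redirects keep it.
<VirtualHost 192.168.22.42:8443>
    ServerName   www.domain1.com:8443
    DocumentRoot "/home/domain1"
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/domain1.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domain1.key
</VirtualHost>
```

Any firewall in front of the box has to pass the second port as well, and users must type it in the URL.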
SSL virtual host
Hi,

Is it possible to host multiple domain names with SSL enabled for only using one IP address?

Thank You

Mark Lo