Re: Issue with clients Operating System on certs
Hi,

Your Apache configuration uses SNI (Server Name Indication), which is not supported on Windows XP using IE, Safari and Chrome. The client must be running Windows Vista or higher in order for SNI to work. That being said, you are saying in your message that Firefox fails to support SNI under XP, and that surprises me because it's supposed to work starting from 2.0 and up, independently of the OS. What version of Firefox are you using under XP?

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 7/16/2010 3:31 PM, Richard Buskirk wrote:
> I sent this situation off to the help team but maybe it is either that stupid or that hard.
> I have installed 2 SSL Certs on my server. I am using a naming convention for apache configuration for each cert.
>
> Server: Windows server 2008, Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k PHP/5.2.11
>
> httpd-vhost.conf
>
>     NameVirtualHost *:443
>
>     <VirtualHost *:443>
>         SSLEngine on
>         SSLCertificateFile C:\certs\ServerA.crt
>         SSLCertificateKeyFile C:\certs\ServerA.key
>         ServerName www.ServerA.com
>         SSLOptions StrictRequire
>         SSLProtocol all -SSLv2
>         ServerAdmin notice@ServerA.com
>         DocumentRoot "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\www\html\ServerA"
>         ErrorLog "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs\ssl-access-ServerA.log"
>         CustomLog logs/access-ssl-www.ServerA.com common
>     </VirtualHost>
>
>     <VirtualHost *:443>
>         SSLEngine on
>         SSLCertificateFile C:\certs\ServerB.crt
>         SSLCertificateKeyFile C:\certs\ServerB.key
>         ServerName www.ServerB.com
>         SSLOptions StrictRequire
>         SSLProtocol all -SSLv2
>         ServerAdmin notice@ServerB.com
>         DocumentRoot "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\www\html\ServerB"
>         ErrorLog "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs\ssl-access-ServerB.log"
>         CustomLog logs/access-ssl-www.ServerB.com common
>     </VirtualHost>
>
> Here is where my scenario goes very weird. A computer with Windows 7 browses to both locations and everything is perfect.
> A computer with Windows XP browses to siteA, no issue. But if they go to siteB, the cert for Site A is used on SiteB's load every time, no matter what computer they are on. SiteB does show the proper site, but the cert is the wrong cert. This fails in Firefox, IE, Safari, Google Chrome on Windows XP.
>
> Any suggestions? Does this make sense, what I am saying?
>
> Richard L. Buskirk
> Senior Software Developer

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Issue with clients Operating System on certs
On 16-07-2010 15:31, Richard Buskirk wrote:
It looks like you are trying to serve up two different certificates on the same IP address (all addresses of your server = *) and port (443), depending on the DNS name the browser used to locate the server. This is a very recent extension to the SSL/TLS protocols and is probably only implemented by a few very new browsers, such as the IE version in Windows 7. Older browsers not implementing this recent standard just have no way of telling the server which certificate they want, and so the server uses the first one in its configuration.

There are two standard solutions to this problem (until most of the world's SSL clients implement the extensions):

A) Give your server two IP addresses (such as 10.0.0.1 and 10.0.0.2), make www.ServerA.com point to 10.0.0.1 and www.ServerB.com point to 10.0.0.2. Finally, in your Apache config, specify those addresses in place of the * for the different configurations.
   Benefit: Traditional.
   Problem: Uses more IPv4 addresses.

B) Get the CA to issue a single certificate valid for both server names (e.g. by specifying both names in various certificate fields). Then tell Apache to do normal virtual hosting but with a single SSL certificate.
   Benefit: Uses only one IPv4 address per server.
   Problem: Not all combinations of server names can be combined in a single certificate if compatibility with many browser implementations is needed. Others on this list can probably say which combinations are technically possible, and how.
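Added example, not code from the thread, from Apache or from OpenSSL: a small Python script that builds a minimal TLS ClientHello with and without the server_name (SNI) extension Mounir refers to, parses the extension back out the way a server would, and then picks a certificate from a constructed vhost table the way Jakob describes: narrow by listening address first, then by SNI, and otherwise fall back to the first configured vhost. The hostnames and 10.0.0.x addresses are the ones used in the thread; the vhost dictionaries, the single cipher suite and the all-zero random are placeholders assumed for the demonstration.

```python
"""
Minimal TLS 1.2 ClientHello builder/parser showing how a server learns which
certificate to present (server_name extension, RFC 6066) and what it does when
the client sends no SNI at all. Constructed example; not the thread's code.
"""
import struct

SNI_EXT_TYPE = 0x0000  # server_name extension type from RFC 6066


def build_client_hello(server_name=None):
    """Return a TLS record containing a ClientHello. With server_name=None the
    extension block is omitted entirely, which is what an XP-era client does."""
    body = b"\x03\x03"                 # client_version: TLS 1.2
    body += b"\x00" * 32               # random (constructed placeholder, all zero)
    body += b"\x00"                    # session_id length 0
    body += b"\x00\x02\x00\x2f"        # one cipher suite (placeholder): TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry        # ServerNameList
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello(1) + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def parse_sni(record):
    """Return the host_name from the server_name extension, or None if the
    ClientHello carries no such extension."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                              # type+len, version, random
    pos += 1 + hs[pos]                                            # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]            # cipher_suites
    pos += 1 + hs[pos]                                            # compression_methods
    if pos >= len(hs):
        return None                                               # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + length]
        pos += length
        if ext_type == SNI_EXT_TYPE:
            lpos = 2                                              # skip ServerNameList length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + nlen]
                lpos += 3 + nlen
                if name_type == 0:
                    return name.decode("ascii")
    return None


# Constructed vhost tables; the first entry is the default, as in Apache.
VHOSTS_STAR = [  # the thread's config: both vhosts on *:443
    {"addr": "*", "server_name": "www.ServerA.com", "cert": "ServerA.crt"},
    {"addr": "*", "server_name": "www.ServerB.com", "cert": "ServerB.crt"},
]
VHOSTS_IP = [    # Jakob's solution A: one address per vhost
    {"addr": "10.0.0.1", "server_name": "www.ServerA.com", "cert": "ServerA.crt"},
    {"addr": "10.0.0.2", "server_name": "www.ServerB.com", "cert": "ServerB.crt"},
]


def select_cert(vhosts, local_ip, client_hello):
    """Pick the certificate file the way a TLS vhost setup does: filter by the
    address the connection arrived on, then match SNI, else first candidate."""
    candidates = [v for v in vhosts if v["addr"] in ("*", local_ip)]
    if not candidates:
        return None
    sni = parse_sni(client_hello)
    if sni is not None:
        for v in candidates:
            if v["server_name"].lower() == sni.lower():
                return v["cert"]
    return candidates[0]["cert"]   # no SNI, or no match: first configured vhost wins


if __name__ == "__main__":
    for table, label in ((VHOSTS_STAR, "*:443"), (VHOSTS_IP, "per-IP")):
        for hello, kind in ((build_client_hello("www.ServerB.com"), "with SNI"),
                            (build_client_hello(), "no SNI")):
            print(f"{label:7} {kind:9} -> {select_cert(table, '10.0.0.2', hello)}")
```

Run against the `*:443` table, a hello without SNI destined for www.ServerB.com comes back with ServerA.crt, which is the symptom Richard reports; with the per-IP table the listening address alone picks ServerB.crt, SNI or not.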
RE: Issue with clients Operating System on certs
This makes sense to me. Mounir IDRASSI talked about the SNI, which made sense, but the solution was not an option. Your suggestion is a little complex to set up in my load balancer, but very doable and does not create an OS or browser requirement.

I am very new to this list but you guys rock. I guess I was expecting the typical list responses, not intelligent ones like you guys gave.

Thank you.

Richard L. Buskirk
Senior Software Developer
Indatus

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: Friday, July 16, 2010 10:07 AM
To: openssl-users@openssl.org
Subject: Re: Issue with clients Operating System on certs