Re: [Sks-devel] Question: serving two different SSL certificates under Apache?
> In the end, I ended up with TWO VirtualHost blocks in the Apache config
> after all. All works now, as long as you remember to add
> NameVirtualHost *:443! For reference, the following is my full Apache
> config for HTTPS on keyserver.zap.org.au:

Since some clients don't use SNI, I'd swap the entries so the hkps-pool
entry serves first as default. That way, without SNI capability the
hkps-pool certificate is offered.

cheers,
- Stephan

_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel
Re: [Sks-devel] Question: serving two different SSL certificates under Apache?
On 06/10/2014 10:41 AM, Stephan Seitz wrote:
>> In the end, I ended up with TWO VirtualHost blocks in the Apache config
>> after all. All works now, as long as you remember to add
>> NameVirtualHost *:443! For reference, the following is my full Apache
>> config for HTTPS on keyserver.zap.org.au:
>
> Since some clients don't use SNI, I'd swap the entries so the hkps-pool
> entry serves first as default. That way, without SNI capability the
> hkps-pool certificate is offered.

I believe that SNI is considered mandatory for HKPS.

If you're talking about web browsers for people manually looking at the
sites, then we're talking about only (a) older android clients or (b) IE
and safari on Windows XP. I'm not sure how important those are, or
whether it's worthwhile to bother with any changes on their behalf.

--dkg
Re: [Sks-devel] Question: serving two different SSL certificates under Apache?
This link might help.
https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

However this relies on an extension to TLS called SNI (server name
indication), which sadly isn't implemented in all clients, some less
popular or older browsers for example. So it may not work in some cases,
depending on the client libraries and the client software. The SW using
openssl needs to issue an extra call to make use of it. I think it's
SSL_set_tlsext_host_name. But that's not the point. The point is some
software doesn't do that. It works without it in most cases, so nobody
catches it until somebody complains a decade after HTTPS was coded. :-)
By which time nobody remembers how it was done.

The safest bet is to have an extra IP address.

PS, if you do this, IMHO you might want to watch the logs for a while to
see if any problems arise (I saw some crap about SNI when I tested it
some time back).

PPS anybody has any idea about the PKS/SKS clients out there? I.e. if
they do this correctly? I only tested web browsers myself.

Martin

On 06/01/2014 11:05 PM, John Zaitseff wrote:
> Hi,
>
> I am setting up https://keyserver.zap.org.au/ to be used by
> hkps.pool.sks-keyservers.net. I am trying to serve different SSL
> certificates depending on the incoming hostname. Does anyone know if
> this is possible within the SAME VirtualHost configuration block under
> Apache?
>
> My current configuration includes:
>
>     <VirtualHost *:11372 *:443>
>         ServerAdmin keymas...@zap.org.au
>         ServerName keyserver.zap.org.au
>         ServerAlias *.sks-keyservers.net
>
>         SSLEngine on
>         # Only allow secure ciphers and protocols: SSLv3 and TLSv1
>         SSLCipherSuite HIGH:MEDIUM:!ADH
>         SSLProtocol all -SSLv2
>         SSLCertificateFile /etc/ssl/certs/keyserver.pem
>         SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
>         SSLCACertificateFile /etc/ssl/certs/ZAP_Group_CA_Root.pem
>
>         <Proxy *>
>             Order allow,deny
>             Allow from all
>         </Proxy>
>         ProxyPass / http://127.0.0.1:11371/
>         ProxyPassReverse / http://127.0.0.1:11371/
>         ProxyVia On
>         SetEnv proxy-nokeepalive 1
>         ...
>     </VirtualHost>
>
> I know I can create a second VirtualHost block with SSLCertificateFile,
> SSLCertificateKeyFile and SSLCACertificateFile pointing to the
> sks-keyservers.net-generated certificates, but is it possible to do
> this within the SAME VirtualHost block, based on environment variables,
> etc.?
>
> Yours truly,
>
> John Zaitseff
>
> -- 
> John Zaitseff                     ,--_|\    The ZAP Group
> Phone:  +61 2 9643 7737          /     \   Sydney, Australia
> E-mail: j.zaits...@zap.org.au    \_,--._*  http://www.zap.org.au/
>                                        v
Re: [Sks-devel] Question: serving two different SSL certificates under Apache?
Hi,

> This link might help.
> https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Thanks, Martin. However, I've already read that, and it doesn't answer
my specific question. To clarify: I want to serve my own ZAP Group
certificate when HTTPS queries come to keyserver.zap.org.au, and the
sks-keyservers.net certificate when queries come to *.sks-keyservers.net.
Can I do this with ONE VirtualHost block in Apache, or must I use two?

Yours truly,

John Zaitseff

-- 
John Zaitseff                     ,--_|\    The ZAP Group
Phone:  +61 2 9643 7737          /     \   Sydney, Australia
E-mail: j.zaits...@zap.org.au    \_,--._*  http://www.zap.org.au/
                                       v
Re: [Sks-devel] Question: serving two different SSL certificates under Apache?
AFAIK you need two.

I'm sorry, I missed the point, you have a special case (as far as
apache is concerned), one virtual host, but two certificates need to be
presented on demand. So, AFAIK/IMHO you need to have two virtual hosts
just for the sake of this. Never tried this specific setup, as I said,
a bit of a special case.

Again, I'm sorry I missed the point of the question.

Martin

On 06/02/2014 01:51 AM, John Zaitseff wrote:
> Hi,
>
>> This link might help.
>> https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>
> Thanks, Martin. However, I've already read that, and it doesn't answer
> my specific question. To clarify: I want to serve my own ZAP Group
> certificate when HTTPS queries come to keyserver.zap.org.au, and the
> sks-keyservers.net certificate when queries come to *.sks-keyservers.net.
> Can I do this with ONE VirtualHost block in Apache, or must I use two?
>
> Yours truly,
>
> John Zaitseff
Re: [Sks-devel] Question: serving two different SSL certificates under Apache?
Hi, Phil et al.,

>> To clarify: I want to serve my own ZAP Group certificate when HTTPS
>> queries come to keyserver.zap.org.au, and the sks-keyservers.net
>> certificate when queries come to *.sks-keyservers.net. Can I do this
>> with ONE VirtualHost block in Apache, or must I use two?
>
> I can't definitively say that one block might not be made to work:
> never discount human ingenuity. I can say that it would be interesting
> to see.

In the end, I ended up with TWO VirtualHost blocks in the Apache config
after all. All works now, as long as you remember to add
NameVirtualHost *:443! For reference, the following is my full Apache
config for HTTPS on keyserver.zap.org.au:

    # /etc/apache2/sites-available/zapgroup-keyserver-ssl: Keyserver website server configuration
    # [JNZ] Modified 02-Jun-2014 for keyserver.zap.org.au

    Listen *:11372
    Listen *:443

    NameVirtualHost *:11372
    NameVirtualHost *:443

    <VirtualHost *:11372 *:443>
        ServerAdmin keymas...@zap.org.au
        ServerName keyserver.zap.org.au

        SSLEngine on
        # Only allow secure ciphers and protocols: SSLv3 and TLSv1
        SSLCipherSuite HIGH:MEDIUM:!ADH
        SSLProtocol all -SSLv2
        SSLCertificateFile /etc/ssl/certs/keyserver.pem
        SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
        SSLCACertificateFile /etc/ssl/certs/ZAP_Group_CA_Root.pem

        <Proxy *>
            Order allow,deny
            Allow from all
        </Proxy>
        ProxyPass / http://127.0.0.1:11371/
        ProxyPassReverse / http://127.0.0.1:11371/
        ProxyVia On
        SetEnv proxy-nokeepalive 1
        #RequestHeader unset Expect early

        ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl--access.log combined_ssl
        ServerSignature On

        # Work around SSL (and other) problems in Microsoft Internet Explorer
        # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
        # for more information).
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>

    <VirtualHost *:11372 *:443>
        ServerAdmin keymas...@zap.org.au
        ServerName hkps.pool.sks-keyservers.net
        ServerAlias *.pool.sks-keyservers.net *.sks-keyservers.net

        SSLEngine on
        # Only allow secure ciphers and protocols: SSLv3 and TLSv1
        SSLCipherSuite HIGH:MEDIUM:!ADH
        SSLProtocol all -SSLv2
        SSLCertificateFile /etc/ssl/certs/keyserver-sks.pem
        SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
        SSLCACertificateFile /etc/ssl/certs/sks-keyservers.netCA.pem

        <Proxy *>
            Order allow,deny
            Allow from all
        </Proxy>
        ProxyPass / http://127.0.0.1:11371/
        ProxyPassReverse / http://127.0.0.1:11371/
        ProxyVia On
        SetEnv proxy-nokeepalive 1
        #RequestHeader unset Expect early

        ErrorLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/hosted/keyserver.zap.org.au-ssl-hkps--access.log combined_ssl
        ServerSignature On

        # Work around SSL (and other) problems in Microsoft Internet Explorer
        # (see default-ssl and /usr/share/doc/apache2.2-common/README.Debian.gz
        # for more information).
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>

Yours truly,

John Zaitseff

-- 
John Zaitseff                     ,--_|\    The ZAP Group
Phone:  +61 2 9643 7737          /     \   Sydney, Australia
E-mail: j.zaits...@zap.org.au    \_,--._*  http://www.zap.org.au/
                                       v
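Martin's point about clients that never send SNI, and Stephan's suggestion to reorder the two VirtualHost blocks, can be checked against a model of Apache's name-based vhost selection. The Python below is an added example, not code from the thread or from Apache; it assumes Apache's documented rule that, for a given address:port, the first VirtualHost listed is the default offered to a client that sends no SNI name (or a name nothing matches), and that an SNI name is matched against ServerName and ServerAlias (shell-style wildcards) in config order.

```python
"""Added example: which certificate Apache offers for the thread's two vhosts
to a client with SNI and to one without. Assumes Apache's documented rule:
first <VirtualHost> for an address:port is the default; SNI names are matched
against ServerName/ServerAlias (shell-style wildcards) in config order."""
import fnmatch
import re

# Constructed, condensed copy of the two blocks John posted (other directives omitted).
APACHE_CONF = """
<VirtualHost *:11372 *:443>
    ServerName keyserver.zap.org.au
    SSLCertificateFile /etc/ssl/certs/keyserver.pem
</VirtualHost>
<VirtualHost *:11372 *:443>
    ServerName hkps.pool.sks-keyservers.net
    ServerAlias *.pool.sks-keyservers.net *.sks-keyservers.net
    SSLCertificateFile /etc/ssl/certs/keyserver-sks.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)

def parse_vhosts(conf):
    """Return the vhosts in config order: addresses, host names/aliases and cert file."""
    vhosts = []
    for addrs, body in VHOST_RE.findall(conf):
        vh = {"addrs": addrs.split(), "names": [], "cert": None}
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            if parts[0] in ("ServerName", "ServerAlias"):
                vh["names"].extend(p.lower() for p in parts[1:])
            elif parts[0] == "SSLCertificateFile":
                vh["cert"] = parts[1]
        vhosts.append(vh)
    return vhosts

def certificate_for(vhosts, addr, sni_name=None):
    """Cert offered on `addr` (e.g. '*:443') to a client sending `sni_name`, or no SNI at all."""
    candidates = [vh for vh in vhosts if addr in vh["addrs"]]
    if not candidates:
        return None  # nothing listens on that address:port
    if sni_name:
        name = sni_name.lower()
        for vh in candidates:  # first match in config order wins
            if any(fnmatch.fnmatchcase(name, pat) for pat in vh["names"]):
                return vh["cert"]
    # No SNI, or an unmatched name: the first vhost for this address is the default,
    # which is why swapping the two blocks changes what non-SNI clients see.
    return candidates[0]["cert"]
```

For the live check against the running server, `openssl s_client -connect host:443` with and without `-servername` shows which certificate each vhost order actually offers.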