Re: [us...@httpd] ssl certifikate mismatch

2010-05-24 Thread Matus UHLAR - fantomas
On 14.05.10 22:51, Reinhard Vicinus wrote:
 is the following behaviour of apache 2.2.15 (debian unstable) a feature  
 or a bug?

 Listen 10.0.0.1:81
 <VirtualHost 10.0.0.1:81>
   SSLEngine on
   SSLCertificateFile /etc/apache2/conf/aaa.crt
   SSLCertificateKeyFile /etc/apache2/conf/aaa.key

   ServerName aaa
 </VirtualHost>

 Listen 10.0.0.2:81
 <VirtualHost 10.0.0.2:81>
   SSLEngine on
   SSLCertificateFile /etc/apache2/conf/bbb.crt
   SSLCertificateKeyFile /etc/apache2/conf/bbb.key

   ServerName aaa
 </VirtualHost>


  curl https://bbb:81
  SSL: certificate subject name 'aaa' does not match target host name 'bbb'

does 'bbb' point to 10.0.0.2?

  curl https://10.0.0.2:81
  SSL: certificate subject name 'aaa' does not match target host name  
 '10.0.0.2'

You can expect this one when accessing the server via IP address.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese. 

-
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [us...@httpd] ssl certifikate mismatch

2010-05-17 Thread Eric Covener
On Sun, May 16, 2010 at 3:18 PM, Eric Covener cove...@gmail.com wrote:
 Listen 10.137.1.104:9901
 <VirtualHost 10.137.1.104:9901>
 SSLEngine on
 SSLCertificateFile /etc/apache2/conf/www.aaa.at.crt
 SSLCertificateKeyFile /etc/apache2/conf/www.aaa.at.key
 Include conf/www.aaa.misc
 </VirtualHost>

 Listen 10.137.1.104:9902
 <VirtualHost 10.137.1.104:9902>
 SSLEngine on
 SSLCertificateFile /etc/apache2/conf/www.aaa.de.crt
 SSLCertificateKeyFile /etc/apache2/conf/www.aaa.de.key
 Include conf/www.aaa.misc
 </VirtualHost>

 Listen 10.137.1.104:9903
 NameVirtualHost 10.137.1.104:9903
 <VirtualHost 10.137.1.104:9903>
 Include conf/www.aaa.misc
 </VirtualHost>

  openssl s_client -connect 10.137.1.104:9902

 The certificate www.aaa.at was selected.

 Certainly looks bogus, fwd'ed to dev@ list



Can you show in one terminal session the contents of the two
certificates (openssl x509 -in ... -text | grep Subject:) and the
console output of s_client that includes the subject?

According to one of the active SNI folks, your openssl invocation
shouldn't even be providing the SNI extension (by default).





-- 
Eric Covener
cove...@gmail.com




Re: [us...@httpd] ssl certifikate mismatch

2010-05-17 Thread Reinhard Vicinus

On 17/05/10 13:36, Eric Covener wrote:

Can you show in one terminal session the contents of the two
certificates (openssl x509 -in ... -text | grep Subject:) and the
console output of s_client that includes the subject?

According to one of the active SNI folks, your openssl invocation
shouldn't even be providing the SNI extension (by default).
   
rvici...@laprvicinus:~$ openssl x509 -in /etc/apache2/conf/www.aaa.at.crt -text | grep Subject:
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=www.aaa.at


rvici...@laprvicinus:~$ openssl x509 -in /etc/apache2/conf/www.aaa.de.crt -text | grep Subject:
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=www.aaa.de


rvici...@laprvicinus:~$ openssl s_client -connect 10.137.1.104:9902
CONNECTED(0003)
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=www.aaa.at
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=www.aaa.at
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=www.aaa.at
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=www.aaa.at
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=www.aaa.at
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=www.aaa.at
---
No client certificate CA names sent
---
SSL handshake has read 1130 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-RSA-AES256-SHA
Session-ID: 9C923E93124DDECF8B9D85D91898E8DD2AC19029A7FB0C0F53540407CEE4C7D7
Session-ID-ctx:
Master-Key: 2B12F0CFD2851431429FE3EF0A9241FB0B7BFC45223DE7C4AC29CA8B3752D83AE4BDA966D0EB46D126B4128C6AF67E73

Key-Arg   : None
Start Time: 1274097529
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)




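The x509 and s_client commands exchanged above are what pins down which certificate a listener actually hands out. The script below, an added example that is not from the thread or from the httpd project, wraps them so that each listener can be probed with and without an SNI name and compared against the certificate the configuration assigns to it. It assumes the openssl CLI is on PATH and reuses the thread's addresses and file names; the expected CNs follow the original poster's reading of the IP-based vhost rule (each listener serves its own certificate). One caveat for current systems: OpenSSL 1.1.1 and later send the -connect hostname as the SNI name by default, so a no-SNI probe by hostname needs -noservername there; connecting to an IP literal, as the thread does, sends no SNI in either case.

```shell
#!/bin/sh
# Added example (not from the thread): probe which certificate an Apache
# listener hands out, with and without an SNI name, and reduce the answer
# to the certificate's CN so several endpoints can be compared at a glance.
# Assumes the openssl CLI is on PATH; addresses and names are the thread's.

# Pull the CN out of a subject line in either form seen in the thread:
#   subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=www.aaa.at   (s_client)
#   Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=www.aaa.at (x509 -text)
# Newer "CN = name" spacing is accepted too. Prints "<no CN>" when absent.
cn_from_subject() {
    cn=$(printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^/,]*\).*|\1|p' | sed 's/[[:space:]]*$//')
    if [ -n "$cn" ]; then printf '%s\n' "$cn"; else printf '%s\n' '<no CN>'; fi
}

# CN of the certificate file at PATH, via the same x509 command the thread uses.
file_cn() {
    cn_from_subject "$(openssl x509 -in "$1" -noout -subject)"
}

# CN of the leaf certificate served at HOST:PORT. With a third argument it is
# sent as the TLS SNI name; without one, no -servername is passed, which for
# an IP literal means no SNI extension at all.
served_cn() {
    if [ -n "$3" ]; then
        out=$(openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null)
    else
        out=$(openssl s_client -connect "$1:$2" </dev/null 2>/dev/null)
    fi
    # s_client prints the leaf's "subject=" line right after the PEM block.
    cn_from_subject "$(printf '%s\n' "$out" | sed -n '/^subject=/{p;q;}')"
}

# Usage: expect_cn HOST PORT EXPECTED_CN [SNI]; returns 1 on a mismatch.
expect_cn() {
    got=$(served_cn "$1" "$2" "$4")
    if [ "$got" = "$3" ]; then
        printf 'OK   %s:%s sni=%s -> %s\n' "$1" "$2" "${4:-<none>}" "$got"
    else
        printf 'FAIL %s:%s sni=%s -> got %s, expected %s\n' "$1" "$2" "${4:-<none>}" "$got" "$3"
        return 1
    fi
}

# The thread's three listeners on one address: each port should serve the
# certificate configured in its own <VirtualHost>, whatever SNI name arrives.
if [ "${1:-}" = "--probe" ]; then
    expect_cn 10.137.1.104 9901 www.aaa.at
    expect_cn 10.137.1.104 9902 www.aaa.de
    expect_cn 10.137.1.104 9902 www.aaa.de www.aaa.de
    expect_cn 10.137.1.104 9902 www.aaa.de www.aaa.at
fi
```

Run it with --probe against a server carrying that configuration, and use file_cn on each .crt first (for example file_cn /etc/apache2/conf/www.aaa.de.crt) so the expected values come from the files the configuration points at rather than from memory.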



Re: [us...@httpd] ssl certifikate mismatch

2010-05-16 Thread Reinhard Vicinus

On 14/05/10 23:08, Eric Covener wrote:

On Fri, May 14, 2010 at 4:51 PM, Reinhard Vicinus r.vici...@metaways.de wrote:
   

Hi,

is the following behaviour of apache 2.2.15 (debian unstable) a feature or a
bug?

Listen 10.0.0.1:81
<VirtualHost 10.0.0.1:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/aaa.crt
  SSLCertificateKeyFile /etc/apache2/conf/aaa.key

  ServerName aaa
</VirtualHost>

Listen 10.0.0.2:81
<VirtualHost 10.0.0.2:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/bbb.crt
  SSLCertificateKeyFile /etc/apache2/conf/bbb.key

  ServerName aaa
</VirtualHost>


 

curl https://bbb:81
  SSL: certificate subject name 'aaa' does not match target host name 'bbb'

curl https://10.0.0.2:81
  SSL: certificate subject name 'aaa' does not match target host name '10.0.0.2'

If I remove or change the ServerName directive so that they differ, then it
works as expected and certificate bbb is returned. If I switch the order of
the virtual host configuration, certificate bbb is also used if I query
10.0.0.1:81.

 

SNI finds the right name-based vhost based on the normal name-based
mechanisms (ServerName/ServerAlias), then uses the cert it finds there
-- it doesn't find the right vhost by looking at your certificates.

   
My problem is that SNI breaks my configuration, which worked in older Apache
versions and looked like this:


Listen 10.137.1.104:9901
<VirtualHost 10.137.1.104:9901>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/www.aaa.at.crt
  SSLCertificateKeyFile /etc/apache2/conf/www.aaa.at.key
  Include conf/www.aaa.misc
</VirtualHost>

Listen 10.137.1.104:9902
<VirtualHost 10.137.1.104:9902>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/www.aaa.de.crt
  SSLCertificateKeyFile /etc/apache2/conf/www.aaa.de.key
  Include conf/www.aaa.misc
</VirtualHost>

Listen 10.137.1.104:9903
NameVirtualHost 10.137.1.104:9903
<VirtualHost 10.137.1.104:9903>
  Include conf/www.aaa.misc
</VirtualHost>

www.aaa.misc:
ServerName www.aaa.de
ServerAlias www.aaa.at

In my opinion SNI misuses the ServerName/ServerAlias directives, because
the documentation clearly states: "Unless a NameVirtualHost directive is
used for the exact IP address and port pair in the VirtualHost directive,
Apache selects the best match only on the basis of the IP address (or
wildcard) and port number." (http://httpd.apache.org/docs/2.2/vhosts/details.html),
and therefore it's a bug.






Re: [us...@httpd] ssl certifikate mismatch

2010-05-16 Thread Eric Covener
 My problem is that SNI breaks my configuration, which worked in older Apache
 versions and looked like this:

 Listen 10.137.1.104:9901
 <VirtualHost 10.137.1.104:9901>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/www.aaa.at.crt
  SSLCertificateKeyFile /etc/apache2/conf/www.aaa.at.key
  Include conf/www.aaa.misc
 </VirtualHost>

 Listen 10.137.1.104:9902
 <VirtualHost 10.137.1.104:9902>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/www.aaa.de.crt
  SSLCertificateKeyFile /etc/apache2/conf/www.aaa.de.key
  Include conf/www.aaa.misc
 </VirtualHost>

 Listen 10.137.1.104:9903
 NameVirtualHost 10.137.1.104:9903
 <VirtualHost 10.137.1.104:9903>
  Include conf/www.aaa.misc
 </VirtualHost>

 www.aaa.misc:
 ServerName www.aaa.de
 ServerAlias www.aaa.at

 In my opinion SNI misuses the ServerName/ServerAlias directives, because in
 the documentation it is clearly stated: Unless a NameVirtualHost directive
 is used for the exact IP address and port pair in the VirtualHost directive,
 Apache selects the best match only on the basis of the IP address (or
 wildcard) and port number.
 (http://httpd.apache.org/docs/2.2/vhosts/details.html) and therefore it's a
 bug.


What's the full apachectl -S look like on that config?

What was the local host:port the connection was on?

What SNI hostname was sent?

What certificate was selected?  Which certificate do you expect to be
selected, and why?


-- 
Eric Covener
cove...@gmail.com




Re: [us...@httpd] ssl certifikate mismatch

2010-05-16 Thread Reinhard Vicinus



What's the full apachectl -S look like on that config?
   

VirtualHost configuration:
10.137.1.104:9903      is a NameVirtualHost
         default server www.aaa.de (/etc/apache2/sites-enabled/test:19)
         port 9903 namevhost www.aaa.de (/etc/apache2/sites-enabled/test:19)
10.137.1.104:9901      www.aaa.de (/etc/apache2/sites-enabled/test:2)
10.137.1.104:9902      www.aaa.de (/etc/apache2/sites-enabled/test:10)
Syntax OK


What was the local host:port the connection was on?
   

10.137.1.104:9902

What SNI hostname was sent?
   
I think that 10.137.1.104 was sent, but I'm not sure if any SNI hostname
was sent. I called it like this: openssl s_client -connect 10.137.1.104:9902

What certificate was selected?  Which certificate do you expect to be
selected, and why?
   
The certificate www.aaa.at was selected. I would expect that www.aaa.de 
would be selected because the configuration uses ip based virtual 
hosting and in the apache documentation it's clearly stated that only 
the exact IP address and port pair is used for selecting virtual hosts 
by ip based virtual hosting.


Also this configuration worked with older apache versions.


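The apachectl -S listing above is the quickest place to see the shape that triggers the problem: one ServerName bound to several address:port listeners. The function below, an added example that is not from the thread or from the httpd project, reads such a listing and prints every ServerName that appears under more than one listener; it follows the format of the output quoted above and embeds a constructed copy of it as sample input. It sees only ServerName: aliases such as the www.aaa.at ServerAlias in www.aaa.misc are not shown by -S, so grep the configuration for ServerAlias as well.

```shell
#!/bin/sh
# Added example (not from the thread): read "apachectl -S" output and list
# every ServerName bound to more than one address:port listener. Input format
# follows the "VirtualHost configuration:" listing quoted above (httpd 2.2;
# 2.4 prints the same line shapes).

# Read an "apachectl -S" listing on stdin. For each ServerName that appears
# under two or more distinct listeners, print the name followed by the
# listeners, one name per line, sorted.
shared_servernames() {
    awk '
        # "IP:port  name (file:line)" is an IP-based vhost on that listener;
        # "IP:port  is a NameVirtualHost" only opens a name-based group.
        $1 ~ /^[^ ]+:[0-9]+$/ {
            listener = $1
            if ($2 != "is") seen[$2] = seen[$2] " " listener
            next
        }
        # "port N namevhost NAME (file:line)" belongs to the current group.
        # The "default server" line repeats one of these and is skipped.
        $1 == "port" && $3 == "namevhost" {
            seen[$4] = seen[$4] " " listener
            next
        }
        END {
            for (name in seen) {
                n = split(seen[name], parts, " ")
                split("", uniq)          # clear the per-name set (POSIX awk)
                distinct = 0
                for (i = 1; i <= n; i++)
                    if (!(parts[i] in uniq)) { uniq[parts[i]] = 1; distinct++ }
                if (distinct > 1) printf "%s%s\n", name, seen[name]
            }
        }' | sort
}

# Constructed sample, copied from the apachectl -S output posted in the thread.
SAMPLE_S_OUTPUT='VirtualHost configuration:
10.137.1.104:9903      is a NameVirtualHost
         default server www.aaa.de (/etc/apache2/sites-enabled/test:19)
         port 9903 namevhost www.aaa.de (/etc/apache2/sites-enabled/test:19)
10.137.1.104:9901      www.aaa.de (/etc/apache2/sites-enabled/test:2)
10.137.1.104:9902      www.aaa.de (/etc/apache2/sites-enabled/test:10)
Syntax OK'

# Against a live server (2.2 writes the listing to stderr, hence 2>&1):
#   apachectl -S 2>&1 | shared_servernames
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_S_OUTPUT" | shared_servernames
fi
```

On the thread's configuration the output is a single line naming www.aaa.de with all three listeners; an empty output means every ServerName is unique per listener, which is the condition the original poster's fix (making the ServerName directives differ) restores.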



Re: [us...@httpd] ssl certifikate mismatch

2010-05-16 Thread Eric Covener
 Listen 10.137.1.104:9901
 <VirtualHost 10.137.1.104:9901>
 SSLEngine on
 SSLCertificateFile /etc/apache2/conf/www.aaa.at.crt
 SSLCertificateKeyFile /etc/apache2/conf/www.aaa.at.key
 Include conf/www.aaa.misc
 </VirtualHost>

 Listen 10.137.1.104:9902
 <VirtualHost 10.137.1.104:9902>
 SSLEngine on
 SSLCertificateFile /etc/apache2/conf/www.aaa.de.crt
 SSLCertificateKeyFile /etc/apache2/conf/www.aaa.de.key
 Include conf/www.aaa.misc
 </VirtualHost>

 Listen 10.137.1.104:9903
 NameVirtualHost 10.137.1.104:9903
 <VirtualHost 10.137.1.104:9903>
 Include conf/www.aaa.misc
 </VirtualHost>

  openssl s_client -connect 10.137.1.104:9902

 The certificate www.aaa.at was selected.

Certainly looks bogus, fwd'ed to dev@ list


--
Eric Covener
cove...@gmail.com




Re: [us...@httpd] ssl certifikate mismatch

2010-05-15 Thread Sakthi Esakiappan
Make sure the bbb certificate (bbb.crt) is issued for the server named bbb.
If not, try creating a self-signed SSL certificate for the server bbb and
have a try with the newly created certificate.

On 15 May 2010 02:21, Reinhard Vicinus r.vici...@metaways.de wrote:

 Hi,

 is the following behaviour of apache 2.2.15 (debian unstable) a feature or
 a bug?

 Listen 10.0.0.1:81
 <VirtualHost 10.0.0.1:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/aaa.crt
  SSLCertificateKeyFile /etc/apache2/conf/aaa.key

  ServerName aaa
 </VirtualHost>

 Listen 10.0.0.2:81
 <VirtualHost 10.0.0.2:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/bbb.crt
  SSLCertificateKeyFile /etc/apache2/conf/bbb.key

  ServerName aaa
 </VirtualHost>


  curl https://bbb:81
  SSL: certificate subject name 'aaa' does not match target host name 'bbb'

  curl https://10.0.0.2:81
  SSL: certificate subject name 'aaa' does not match target host name
 '10.0.0.2'

 If I remove or change the ServerName directive so that they differ, then it
 works as expected and certificate bbb is returned. If I switch the order of
 the virtual host configuration, certificate bbb is also used if I query
 10.0.0.1:81.

 Thanks in advance
 Reinhard





-- 
With Regards,
Sakthi Esakiappan.M
Server Administrator

MercuryMinds Technologies Pvt Ltd
www.mercuryminds.com An E-Commerce mentor
+91 44 45588587
sakthi.esakiap...@mercuryminds.com
www.mercuryminds.com



[us...@httpd] ssl certifikate mismatch

2010-05-14 Thread Reinhard Vicinus

Hi,

is the following behaviour of apache 2.2.15 (debian unstable) a feature 
or a bug?


Listen 10.0.0.1:81
<VirtualHost 10.0.0.1:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/aaa.crt
  SSLCertificateKeyFile /etc/apache2/conf/aaa.key

  ServerName aaa
</VirtualHost>

Listen 10.0.0.2:81
<VirtualHost 10.0.0.2:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/bbb.crt
  SSLCertificateKeyFile /etc/apache2/conf/bbb.key

  ServerName aaa
</VirtualHost>


 curl https://bbb:81
 SSL: certificate subject name 'aaa' does not match target host name 'bbb'

 curl https://10.0.0.2:81
 SSL: certificate subject name 'aaa' does not match target host name 
'10.0.0.2'


If I remove or change the ServerName directive so that they differ, then
it works as expected and certificate bbb is returned. If I switch the
order of the virtual host configuration, certificate bbb is also used if
I query 10.0.0.1:81.


Thanks in advance
Reinhard




Re: [us...@httpd] ssl certifikate mismatch

2010-05-14 Thread Eric Covener
On Fri, May 14, 2010 at 4:51 PM, Reinhard Vicinus r.vici...@metaways.de wrote:
 Hi,

 is the following behaviour of apache 2.2.15 (debian unstable) a feature or a
 bug?

 Listen 10.0.0.1:81
 <VirtualHost 10.0.0.1:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/aaa.crt
  SSLCertificateKeyFile /etc/apache2/conf/aaa.key

  ServerName aaa
 </VirtualHost>

 Listen 10.0.0.2:81
 <VirtualHost 10.0.0.2:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/bbb.crt
  SSLCertificateKeyFile /etc/apache2/conf/bbb.key

  ServerName aaa
 </VirtualHost>


 curl https://bbb:81
  SSL: certificate subject name 'aaa' does not match target host name 'bbb'

 curl https://10.0.0.2:81
  SSL: certificate subject name 'aaa' does not match target host name
 '10.0.0.2'

 If I remove or change the ServerName directive so that they differ, then it
 works as expected and certificate bbb is returned. If I switch the order of
 the virtual host configuration, certificate bbb is also used if I query
 10.0.0.1:81.


SNI finds the right name-based vhost based on the normal name-based
mechanisms (ServerName/ServerAlias), then uses the cert it finds there
-- it doesn't find the right vhost by looking at your certificates.

-- 
Eric Covener
cove...@gmail.com




Re: [us...@httpd] ssl certifikate mismatch

2010-05-14 Thread Kevin Castellow
From my experience the configuration file is processed top-down.  If you
repeat a setting multiple times, it will usually take the last setting.
In this example it wouldn't surprise me if, when you repeat the virtual
server setting with the same value, it returns an error trying to match the
certificate name on the second certificate.

If the virtual server name is not used, the reverse DNS lookup finds the
appropriate name equivalent to the IP address.

Kevin
http://kevincastellow.workintel.com





On Fri, May 14, 2010 at 4:51 PM, Reinhard Vicinus r.vici...@metaways.de wrote:

 Hi,

 is the following behaviour of apache 2.2.15 (debian unstable) a feature or
 a bug?

 Listen 10.0.0.1:81
 <VirtualHost 10.0.0.1:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/aaa.crt
  SSLCertificateKeyFile /etc/apache2/conf/aaa.key

  ServerName aaa
 </VirtualHost>

 Listen 10.0.0.2:81
 <VirtualHost 10.0.0.2:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/bbb.crt
  SSLCertificateKeyFile /etc/apache2/conf/bbb.key

  ServerName aaa
 </VirtualHost>


  curl https://bbb:81
  SSL: certificate subject name 'aaa' does not match target host name 'bbb'

  curl https://10.0.0.2:81
  SSL: certificate subject name 'aaa' does not match target host name
 '10.0.0.2'

 If I remove or change the ServerName directive so that they differ, then it
 works as expected and certificate bbb is returned. If I switch the order of
 the virtual host configuration, certificate bbb is also used if I query
 10.0.0.1:81.

 Thanks in advance
 Reinhard

