On 14/05/10 23:08, Eric Covener wrote:
On Fri, May 14, 2010 at 4:51 PM, Reinhard Vicinus<r.vici...@metaways.de>  wrote:
Hi,

is the following behaviour of apache 2.2.15 (debian unstable) a feature or a
bug?

Listen 10.0.0.1:81
<VirtualHost 10.0.0.1:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/aaa.crt
  SSLCertificateKeyFile /etc/apache2/conf/aaa.key

  ServerName aaa
</VirtualHost>

Listen 10.0.0.2:81
<VirtualHost 10.0.0.2:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/bbb.crt
  SSLCertificateKeyFile /etc/apache2/conf/bbb.key

  ServerName aaa
</VirtualHost>


curl https://bbb:81
  SSL: certificate subject name 'aaa' does not match target host name 'bbb'

curl https://10.0.0.2:81
  SSL: certificate subject name 'aaa' does not match target host name
'10.0.0.2'

If I remove or change the ServerName directives so that they differ, then it
works as expected and certificate bbb is returned. If I switch the order of
the virtual host configuration, certificate bbb is also used if I query
10.0.0.1:81.

SNI finds the right name-based vhost based on the normal name-based
mechanisms (ServerName/ServerAlias), then uses the cert it finds there
-- it doesn't find the right vhost by looking at your certificates.

My problem is that SNI breaks my configuration, which worked in older Apache versions and looked like this:

Listen 10.137.1.104:9901
<VirtualHost 10.137.1.104:9901>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/www.aaa.at.crt
  SSLCertificateKeyFile /etc/apache2/conf/www.aaa.at.key
  Include conf/www.aaa.misc
</VirtualHost>

Listen 10.137.1.104:9902
<VirtualHost 10.137.1.104:9902>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/www.aaa.de.crt
  SSLCertificateKeyFile /etc/apache2/conf/www.aaa.de.key
  Include conf/www.aaa.misc
</VirtualHost>

Listen 10.137.1.104:9903
NameVirtualHost 10.137.1.104:9903
<VirtualHost 10.137.1.104:9903>
  Include conf/www.aaa.misc
</VirtualHost>

www.aaa.misc:
ServerName www.aaa.de
ServerAlias www.aaa.at

In my opinion SNI misuses the ServerName/ServerAlias directives, because in the documentation it is clearly stated: "Unless a NameVirtualHost directive is used for the exact IP address and port pair in the VirtualHost directive, Apache selects the best match only on the basis of the IP address (or wildcard) and port number." (http://httpd.apache.org/docs/2.2/vhosts/details.html) and therefore it's a bug.

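To catch the configuration this thread describes before a client is handed the wrong certificate, the following is an added example (not from the thread or the httpd project) that models the name-first SNI lookup Eric describes and flags ServerName/ServerAlias values shared by SSL vhosts on different address:port pairs; the config string and the `includes` dict standing in for Include files are constructed.

```python
import re
# Constructed config mirroring the thread's first example (one ServerName, two SSL vhosts).
CONFIG = """<VirtualHost 10.0.0.1:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/aaa.crt
  ServerName aaa
</VirtualHost>
<VirtualHost 10.0.0.2:81>
  SSLEngine on
  SSLCertificateFile /etc/apache2/conf/bbb.crt
  ServerName aaa
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text, includes=None):
    """One dict per <VirtualHost>: address, names (ServerName + ServerAlias), ssl, cert.
    `includes` maps Include paths to their text, standing in for the filesystem."""
    includes = includes or {}
    vhosts = []
    for m in VHOST_RE.finditer(text):
        body = m.group(2)
        for path in re.findall(r"^\s*Include\s+(\S+)", body, re.M):
            body += "\n" + includes.get(path, "")  # inline shared directives
        vh = {"address": m.group(1).strip(), "names": [], "ssl": False, "cert": None}
        for line in body.splitlines():
            parts = line.split()
            if len(parts) < 2:
                continue
            key, args = parts[0].lower(), parts[1:]
            if key == "servername":
                vh["names"].append(args[0].lower())
            elif key == "serveralias":
                vh["names"] += [a.lower() for a in args]
            elif key == "sslengine":
                vh["ssl"] = args[0].lower() == "on"
            elif key == "sslcertificatefile":
                vh["cert"] = args[0]
        vhosts.append(vh)
    return vhosts

def sni_collisions(vhosts):
    """Names claimed by SSL vhosts on more than one address:port pair: if SNI matches
    ServerName/ServerAlias alone, a client may get the other vhost's certificate."""
    by_name = {}
    for vh in vhosts:
        if vh["ssl"]:
            for name in vh["names"]:
                by_name.setdefault(name, set()).add((vh["address"], vh["cert"]))
    return {n: sorted(v) for n, v in by_name.items() if len({a for a, _ in v}) > 1}
```

Running `sni_collisions(parse_vhosts(CONFIG))` reports `aaa` as served by both 10.0.0.1:81 and 10.0.0.2:81, which is exactly the case where the curl calls above got the wrong certificate.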

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.