I'm trying to configure multiple named virtual hosts with SSL using SNI.
I believe that I'm running the latest versions of the software, and that
SNI is built into it (as the first line apparently demonstrates):

    [Tue Jun 08 05:19:42 2010] [warn]
        Init: Name-based SSL virtual hosts only work for clients
              with TLS server name indication support (RFC 4366)
    [Tue Jun 08 05:19:42 2010] [info]
        mod_ssl/2.2.14 compiled against
            Server: Apache/2.2.14,
            Library: OpenSSL/0.9.8k
    [Tue Jun 08 05:19:42 2010] [notice]
            Apache/2.2.14 (Ubuntu)
            mod_ssl/2.2.14
            OpenSSL/0.9.8k
            mod_perl/2.0.4
            Perl/v5.10.1
        configured -- resuming normal operations

The following doesn't work right:

    <VirtualHost *:80 *:443>
        ServerName          host.alpha.tld
        DocumentRoot        /var/www/htdocs/alpha

        SSLEngine               on
        SSLCertificateFile      ${WEB_CERT}/star.alpha.crt
        SSLCertificateKeyFile   ${WEB_CERT}/star.alpha.key
        SSLProtocol             all -SSLv2
        ...
    </VirtualHost>

    <VirtualHost *:80 *:443>
        ServerName          host.bravo.tld
        DocumentRoot        /var/www/htdocs/bravo

        SSLEngine               on
        SSLCertificateFile      ${WEB_CERT}/star.bravo.crt
        SSLCertificateKeyFile   ${WEB_CERT}/star.bravo.key
        SSLProtocol             all -SSLv2
        ...
    </VirtualHost>

It's kind of odd.  The HTTPS site will connect just fine.  The HTTP site
just returns my custom error page.  None of my trace statements in the
mod_perl handler fire for the original page, just for the error page.
So mod_perl isn't seeing it; whatever is happening is in the Apache core.

In addition, I get this:

    [Tue Jun 08 17:30:24 2010] [info]
        [client ###.###.###.###] Connection to child 5 established
            (server test.alpha.org:443)
    [Tue Jun 08 17:30:24 2010] [info]
        Seeding PRNG with 648 bytes of entropy
    [Tue Jun 08 17:30:24 2010] [info]
        [client 97.126.76.90] SSL handshake failed:
            HTTP spoken on HTTPS port; trying to send HTML error page
    [Tue Jun 08 17:30:24 2010] [info]
        SSL Library Error: 336027804
            error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:
            http request speaking HTTP to HTTPS port!?

which suggests that I'm connecting on port 443 using HTTP which failed.
But I'm not, I'm going to the HTTP site which should be on port 80.

I've tried this using Firefox 3.6, wget, and telnet to port 80.  It all
happens the same way.  So it isn't the client side, it's definitely in
the server (or its configuration).

When I turn SSLEngine from 'on' to 'optional' the HTTP site works and the
HTTPS site fails with message:

    SSL received a record that exceeded the maximum permissible length.

(not my custom error page).  In the Apache 2.2 documentation for mod_ssl
it is stated:

    enables support for RFC 2817, Upgrading to TLS Within HTTP/1.1.
    At this time no web browsers support RFC 2817.

A little online searching suggests that Firefox does not.  I didn't
keep searching after that.

OK, after some trial and error, here's something that WORKS:

    <VirtualHost *:80>
        ServerName          host.alpha.tld:80
        DocumentRoot        /var/www/htdocs/alpha
        ...
    </VirtualHost>

    <VirtualHost *:443>
        ServerName          host.alpha.tld:443
        DocumentRoot        /var/www/htdocs/alpha

        SSLEngine               on
        SSLCertificateFile      ${WEB_CERT}/star.alpha.crt
        SSLCertificateKeyFile   ${WEB_CERT}/star.alpha.key
        SSLProtocol             all -SSLv2
        ...
    </VirtualHost>

Note that these are both the FIRST virtual host, with separate ports,
so there would be two more virtual host blocks.  In each case this means
duplication of the contents of the original virtual host so that there
are two nearly identical ones, which is unpleasant for maintenance.

I can't help thinking that what I want to do is not so weird and that
it should work.  Therefore I think I'm looking for some magic cookie
for the configuration file.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
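As an added check (not part of the original post or of the Apache project), here is a small Python linter that reads `<VirtualHost>` blocks and flags the two mod_ssl settings the post runs into: a block that puts a plain-HTTP address and `SSLEngine on` together (which is why port 80 answered with "HTTP spoken on HTTPS port"), and `SSLEngine optional` (RFC 2817 upgrade only, which browsers do not implement). It also notes when several name-based TLS vhosts present different certificates and therefore depend on client SNI (RFC 4366). The two configurations are constructed from the post's "doesn't work right" and "WORKS" layouts; the parser is deliberately simple (top-level `<VirtualHost>` blocks only, no nested sections, no `Include` processing).

```python
"""Added example: lint Apache 2.2 mod_ssl VirtualHost blocks for the
port-mixing mistake discussed in the post. Simplified parser: top-level
<VirtualHost> blocks only, no nested sections, no Include processing."""
import re
from typing import Dict, List, Set, Tuple

# Constructed from the poster's "doesn't work right" configuration.
BROKEN_CONFIG = """
<VirtualHost *:80 *:443>
    ServerName          host.alpha.tld
    SSLEngine           on
    SSLCertificateFile  ${WEB_CERT}/star.alpha.crt
</VirtualHost>
<VirtualHost *:80 *:443>
    ServerName          host.bravo.tld
    SSLEngine           on
    SSLCertificateFile  ${WEB_CERT}/star.bravo.crt
</VirtualHost>
"""

# Constructed from the poster's "WORKS" layout, extended to both hosts.
WORKING_CONFIG = """
<VirtualHost *:80>
    ServerName          host.alpha.tld:80
</VirtualHost>
<VirtualHost *:443>
    ServerName          host.alpha.tld:443
    SSLEngine           on
    SSLCertificateFile  ${WEB_CERT}/star.alpha.crt
</VirtualHost>
<VirtualHost *:80>
    ServerName          host.bravo.tld:80
</VirtualHost>
<VirtualHost *:443>
    ServerName          host.bravo.tld:443
    SSLEngine           on
    SSLCertificateFile  ${WEB_CERT}/star.bravo.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>",
                      re.IGNORECASE | re.DOTALL)


def port_of(addr: str) -> str:
    """'*:443' -> '443'; '*', '10.0.0.1' or '[::1]' (no port) -> ''."""
    _, sep, port = addr.rpartition(":")
    return port if sep and port.isdigit() else ""


def parse_vhosts(config: str) -> List[Dict]:
    """One dict per block: its address list plus lower-cased directive
    names mapped to their first value (mod_ssl directives are single-valued)."""
    vhosts = []
    for m in VHOST_RE.finditer(config):
        directives: Dict[str, str] = {}
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
        vhosts.append({"addrs": m.group(1).split(), "directives": directives})
    return vhosts


def lint(config: str, tls_ports: Set[str] = frozenset({"443"})) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs. 'error' items explain a failure the
    post reports; 'info' items are deployment notes."""
    findings, tls_vhosts = [], []
    for vh in parse_vhosts(config):
        d = vh["directives"]
        label = d.get("servername", " ".join(vh["addrs"]))
        engine = d.get("sslengine", "off").lower()
        # An address with no port ('*') inherits every Listen port, so treat it as plain.
        ports = {port_of(a) or "*" for a in vh["addrs"]}
        plain = sorted(p for p in ports if p not in tls_ports)
        if engine == "on" and plain:
            findings.append(("error", f"{label}: SSLEngine on covers every address "
                             f"in the block, so port(s) {plain} expect a TLS ClientHello "
                             f"('HTTP spoken on HTTPS port'); give the plain address its "
                             f"own <VirtualHost>"))
        if engine == "optional":
            findings.append(("error", f"{label}: SSLEngine optional only offers the "
                             f"RFC 2817 upgrade, which browsers do not implement; "
                             f"direct HTTPS connections to this block fail"))
        if engine == "on" and ports & tls_ports:
            tls_vhosts.append((label, d.get("sslcertificatefile", "")))
    certs = {cert for _, cert in tls_vhosts}
    if len(tls_vhosts) > 1 and len(certs) > 1:
        findings.append(("info", f"{len(tls_vhosts)} name-based TLS vhosts with "
                         f"{len(certs)} certificates: clients without SNI (RFC 4366) "
                         f"are served the first vhost's certificate"))
    return findings


if __name__ == "__main__":
    for title, cfg in (("broken", BROKEN_CONFIG), ("working", WORKING_CONFIG)):
        print(f"== {title} ==")
        for severity, message in lint(cfg):
            print(f"[{severity}] {message}")
```

Run against the broken layout it reports one error per mixed-port block plus the SNI note; against the split layout it reports only the SNI note, which is the expected state for name-based TLS hosting on one address.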