On Mon, May 23, 2016 at 5:31 PM, Eric Covener <cove...@gmail.com> wrote:
> On Mon, May 23, 2016 at 10:27 AM, linux.il <linux...@gmail.com> wrote:
>
> > I'm using the same "curl" and "wget" for testing. As far as I disable TLS
> > v1.0, I get "curl: (35) SSL connect error" and
> > "ERROR: certificate common name “mydefault-ssl-vhost-name” doesn’t match
> > requested host name “my-vhost-name”"
> > in wget.
> > BTW, similar issue reported here
> > http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure
>
> Some context re: your vhost configuration and certificate names would
> probably help here.

Sure, and thank you again.

1) httpd -S:

*:443 is a NameVirtualHost
    default server example.co.uk (/etc/httpd/conf.d/25-example.co.uk-https.conf:6)
    port 443 namevhost example.co.uk (/etc/httpd/conf.d/25-example.co.uk-https.conf:6)
        alias www.example.co.uk
    port 443 namevhost example.com (/etc/httpd/conf.d/25-example.com-https.conf:6)
        alias www.example.com

2) example.co.uk vhost:

SSLEngine on
SSLCertificateFile "/etc/httpd/certs/uknew/example.co.uk.crt"
SSLCertificateKeyFile "/etc/httpd/certs/uknew/example.co.uk.key"
SSLCertificateChainFile "/etc/httpd/certs/uknew/uk_chained"
SSLCACertificatePath "/etc/pki/tls/certs"
SSLProtocol All -SSLv2 -SSLv3 -TLSv1

3) example.com vhost:

SSLEngine on
SSLCertificateFile "/etc/httpd/certs/new/EXAMPLE.com.crt"
SSLCertificateKeyFile "/etc/httpd/certs/new/server.key"
SSLCertificateChainFile "/etc/httpd/certs/new/combundle.crt"
SSLCACertificatePath "/etc/pki/tls/certs"
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4

Issue: when default ssl vhost config includes "-TLSv1" we have:

wget https://example.com
--2016-05-23 17:40:29-- https://example.com/
Resolving example.com... x.x.x.x
Connecting to example.com|x.x.x.x|:443... connected.
ERROR: certificate common name “www.example.co.uk” doesn’t match requested host name “example.com”.
To connect to example.com insecurely, use ‘--no-check-certificate’.