Results 1 to 3 of 3

Thread: SSL Certificates Problem

  1. #1
    Junior Member
    Join Date
    Feb 2004
    Location
    Greece
    Posts
    16

    Angry SSL Certificates Problem

    Hello there,
    I make 2 different ssl certificates with openssl for apache web server using these commands:
    openssl genrsa -des3 -out ca.key 1024
    openssl req -new -x509 -days 10000 -key ca.key -out ca.crt
    and removing passphrase with openssl -rsa -in ca.key -out ca.key

    With this, I made 2 certificates one for www.domain.com and another for mail.domain.com

    I putted in httpd.conf with a syntax like that:

    <VirtualHost ip:443>
    DocumentRoot "/path/"
    ServerName mail.domain.com
    ServerAdmin chris@domain.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/newssl/ca.crt *
    SSLCertificateKeyFile /etc/httpd/newssl/ca.key *
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    </VirtualHost>
    * = the host www.domain.com is another files named wwwca.key/crt not the sames ofcourse

    And I have this problem
    It workss just fine but either www.domain.com and mail.domain.com uses the mail.domain.com SSL Certificate. The problem: It cause warning messages when trying to reach https://www.domain.com saying that the crt is for mail.domain.com

    Any solutions ?
    Everyone gets away with something. No one gets away with everything...

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    As far as I know, the SSL handshake occurs before the HTTP1.1
    request resolves for the name-based virtual host directory.

    Hence, Name-based virtual hosting cannot be used with SSL secure servers
    because of that very nature of the SSL protocol[1].
    I assume that the warning is for www.domain.com because (I guess)
    a nslookup for your IP will return mail.domain.com.


    The only way out I see is to switch to IP-based virtual hosts, which
    might not be easily available.

    /edit: quite a good read has been done by Robert Colbey[2].
    /edit2:

    excellent - I've stumpled across an answer[3], which is almost identical
    to mine. However, two more suggestions are given:
    2. Obtained a wildcard certificate in the form of "*.domain.com"
    3. Use a different Port for each Name-Based Virtual Host
    2. could work for you,
    3. I guess not (if both are assumed to use port 80)

    Cheers



    [1] http://httpd.apache.org/docs/vhosts/name-based.html
    [2] http://www.giac.org/practical/GSEC/R...olbey_GSEC.pdf
    [3] http://www.experts-exchange.com/Web/..._21054725.html
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  3. #3
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Absolutely right you must use IP based vrtual hosts. It's the only way I ever got it to work. That was such a pain in the ass. SSL can kiss my ass. I hate that 2 weeks, wasted learning that.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •