December 17th, 2004, 12:06 AM
#1
Junior Member
SSL Certificates Problem
Hello there,
I made 2 different SSL certificates with openssl for the Apache web server using these commands:
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 10000 -key ca.key -out ca.crt
and removed the passphrase with openssl rsa -in ca.key -out ca.key
With this, I made 2 certificates, one for www.domain.com and another for mail.domain.com.
I put them in httpd.conf with a syntax like this:
<VirtualHost ip:443>
DocumentRoot "/path/"
ServerName mail.domain.com
ServerAdmin chris@domain.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/newssl/ca.crt *
SSLCertificateKeyFile /etc/httpd/newssl/ca.key *
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
* = for the host www.domain.com these are other files, named wwwca.key/crt, not the same ones of course
And I have this problem
It works just fine, but both www.domain.com and mail.domain.com use the mail.domain.com SSL certificate. The problem: it causes warning messages when trying to reach https://www.domain.com, saying that the crt is for mail.domain.com.
Any solutions ?
Everyone gets away with something. No one gets away with everything...
-
December 17th, 2004, 09:52 AM
#2
Hi
As far as I know, the SSL handshake occurs before the HTTP1.1
request resolves for the name-based virtual host directory.
Hence, Name-based virtual hosting cannot be used with SSL secure servers
because of that very nature of the SSL protocol[1].
I assume that the warning is for www.domain.com because (I guess)
an nslookup for your IP will return mail.domain.com.
The only way out I see is to switch to IP-based virtual hosts, which
might not be easily available.
/edit: quite a good read has been done by Robert Colbey[2].
/edit2:
excellent - I've stumbled across an answer[3], which is almost identical
to mine. However, two more suggestions are given:
2. Obtain a wildcard certificate in the form of "*.domain.com"
3. Use a different port for each name-based virtual host
2. could work for you,
3. I guess not (if both are assumed to use port 80)
Cheers
[1] http://httpd.apache.org/docs/vhosts/name-based.html
[2] http://www.giac.org/practical/GSEC/R...olbey_GSEC.pdf
[3] http://www.experts-exchange.com/Web/..._21054725.html
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
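The two points made in the reply above, that the server must pick a certificate before it knows which host the client wants, and that a "*.domain.com" certificate would cover both names, can be shown without a web server. The following is an added example written for this page, not code from any poster or from Apache: it models a certificate by the names it is valid for, implements the browser-side name check (RFC 6125 rules: a wildcard is only allowed as the whole left-most label and matches exactly one label), and simulates certificate selection both without any client-sent host name (the situation in this thread, where the first virtual host configured for that IP:port wins) and with the Server Name Indication extension (RFC 6066) that later TLS clients send in the ClientHello. The certificate objects and file labels are constructed to mirror the thread's setup.

```python
"""Why a certificate for mail.domain.com warns on www.domain.com, and why a
wildcard certificate or SNI-based selection resolves it.

Constructed example; host names follow the forum thread, the matching
rules follow RFC 6125 section 6.4.3 (one wildcard, left-most label only).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Certificate:
    """Minimal stand-in for an X.509 certificate: the names it is valid for."""
    label: str                      # which key/crt pair this represents (constructed)
    common_name: str
    san_dns: list = field(default_factory=list)

    def names(self):
        # Browsers prefer SAN dNSName entries; the CN is the legacy fallback.
        return self.san_dns or [self.common_name]


def label_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a requested host name.

    Wildcard rules (RFC 6125): '*' must be the entire left-most label and
    matches exactly one label, so '*.domain.com' covers 'www.domain.com'
    but not 'domain.com' or 'a.b.domain.com'. Comparison is case-insensitive
    and ignores a trailing dot.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject wildcards that are not the whole first label, that would span a
    # different number of labels, or that sit too high (e.g. '*.com').
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: Certificate, host: str) -> bool:
    """True if any name in the certificate is valid for this host."""
    return any(label_matches(n, host) for n in cert.names())


def select_certificate(certs, sni_host: Optional[str]) -> Certificate:
    """Pick the certificate the server presents on one TLS connection.

    Without SNI the server knows only the IP:port at handshake time, so the
    first virtual host configured for that socket wins, whatever host the
    client meant. With SNI the name arrives in the ClientHello and the
    first certificate covering it is chosen.
    """
    if sni_host is not None:
        for c in certs:
            if cert_covers(c, sni_host):
                return c
    return certs[0]  # default: first vhost for this IP:port


def browser_warns(requested_host: str, presented: Certificate) -> bool:
    """The warning from the thread: the presented cert does not cover the URL's host."""
    return not cert_covers(presented, requested_host)


# Constructed certificates mirroring the thread; mail.domain.com is the first
# vhost on the IP, so its certificate is the default one.
MAIL_CERT = Certificate("ca.crt", "mail.domain.com")
WWW_CERT = Certificate("wwwca.crt", "www.domain.com")
WILDCARD_CERT = Certificate("wildcard.crt", "*.domain.com")
VHOST_CERTS = [MAIL_CERT, WWW_CERT]


if __name__ == "__main__":
    for host in ("www.domain.com", "mail.domain.com"):
        legacy = select_certificate(VHOST_CERTS, None)
        sni = select_certificate(VHOST_CERTS, host)
        print(f"{host}: no SNI -> {legacy.label} warns={browser_warns(host, legacy)}; "
              f"SNI -> {sni.label} warns={browser_warns(host, sni)}")
    print("wildcard covers both hosts:",
          all(cert_covers(WILDCARD_CERT, h) for h in ("www.domain.com", "mail.domain.com")))
```

Running it shows the thread's symptom directly: with no host name available at handshake time, www.domain.com is served ca.crt and the name check fails, while mail.domain.com passes; with SNI each host gets its own certificate, and the single wildcard certificate passes for both. Whether a real deployment can rely on SNI depends on every client sending it, which is why separate IPs (or a certificate covering all names) were the options available at the time of this thread.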
-
December 18th, 2004, 07:48 AM
#3
Absolutely right, you must use IP-based virtual hosts. It's the only way I ever got it to work. That was such a pain in the ass. SSL can kiss my ass. I hate that; 2 weeks wasted learning that.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson