LinuxQuestions.org

Linux - Server: SSL Name Based Virtual Hosts Apache with SNI enabled not working as expected (https://www.linuxquestions.org/questions/linux-server-73/ssl-name-based-virtual-hosts-apache-with-sni-enabled-not-working-as-expected-944385/)

j.smith1981 05-11-2012 06:24 AM

SSL Name Based Virtual Hosts Apache with SNI enabled not working as expected
 
I was asking whether it would be possible to use different security certs on 2 different virtual hosts based on their name; they both work on the same IP address, 192.168.0.1 for example.

I was told the option named 'SSLStrictSNIVHostCheck' could be set to off to allow this to work, after reading this site:
http://en.wikipedia.org/wiki/Server_Name_Indication

which explains that my version of Apache, which is:
Quote:

[me@myserver ~]$ rpm -q httpd
httpd-2.2.15-15.el6.centos.1.x86_64
should work, right?

This config here is what I have set up for SSL:
Quote:

LoadModule ssl_module modules/mod_ssl.so

Listen 443

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

NameVirtualHost *:443

SSLStrictSNIVHostCheck off

<VirtualHost *:443>
    DocumentRoot "/www/myhost1.co.uk/html"
    ServerName www.myhost1.co.uk:443

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLProtocol all TLSv1 -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile /etc/pki/tls/certs/www.myhost1.co.uk.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.myhost1.co.uk.key

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/www/myhost2.co.uk/html"
    ServerName www.myhost2.me.uk:443

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile /etc/pki/tls/certs/www.myhost2.me.uk.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.myhost2.me.uk.key

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
I have not changed my original configs, which were posted here:
http://www.linuxquestions.org/questi...6/#post4590891 (my non-SSL based sites).

The problem actually is that when I go to, say, host www.myhost2.me.uk, I get www.myhost1.co.uk's cert.

And I of course get www.myhost1.co.uk's cert when I go to the www.myhost1.co.uk site if that makes any sense?

Have I set up SSL with the SNI option correctly?

Any replies are much appreciated as usual!

bathory 05-11-2012 07:10 AM

Hi,

Try to use plain:
Code:

ServerName www.myhost1.co.uk
...
ServerName www.myhost2.me.uk

Regards

j.smith1981 05-11-2012 08:47 AM

Just without the VirtualHost tags, so omit those, you mean?

Thanks for your speedy reply,
Jez

bathory 05-11-2012 09:06 AM

No, inside each of the 2 <VirtualHost ..> containers leave the ServerName without the trailing ":443".
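
As a verification step added here (not code from this thread, from Apache or from the poster), the Python 3 script below connects to the server once per site name with that name in the TLS SNI extension and reports whether the certificate that comes back actually names it, which is the mismatch the original post describes. The IP 192.168.0.1 and the two host names come from the thread; the cafile path is assumed (a self-signed .crt must be trusted for getpeercert() to return anything).

```python
import socket
import ssl

def cert_matches_host(cert, hostname):
    """True if a getpeercert() dict names hostname: SAN DNS entries win, CN is a fallback.
    Wildcards are honoured only as the whole leftmost label (RFC 6125 style)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no SAN at all: fall back to the subject CN, as browsers of that era did
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    for pattern in names:
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            head, _, tail = host.partition(".")
            if head and tail == pattern[2:]:
                return True
    return False

def served_cert(host, sni_name, port=443, cafile=None):
    """Connect to host:port with sni_name in the ClientHello and return the peer cert dict.
    cafile: the server's own .crt files concatenated (self-signed certs need this), because
    getpeercert() returns {} when verification is off. Hostname checking stays off so the
    cert comes back even when it is the wrong one. Returns None if the chain is untrusted."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
                return tls.getpeercert()
    except ssl.SSLError:
        return None

def check_vhosts(host, names, port=443, cafile=None):
    """Map each SNI name to True/False: did the cert served for it actually name it?"""
    results = {}
    for name in names:
        cert = served_cert(host, name, port, cafile)
        results[name] = cert is not None and cert_matches_host(cert, name)
    return results

if __name__ == "__main__":
    # Hypothetical call using the thread's two names and the poster's example IP 192.168.0.1.
    both = "/etc/pki/tls/certs/both-hosts.crt"  # assumed path: the two .crt files concatenated
    for name, ok in check_vhosts("192.168.0.1", ["www.myhost1.co.uk", "www.myhost2.me.uk"], cafile=both).items():
        print(f"{name}: {'correct cert' if ok else 'WRONG cert served'}")
```

Run it before and after the ServerName change: a name reported as "WRONG cert served" is the symptom from the first post, and both names reporting "correct cert" confirms SNI selection is working for that client.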

TenTenths 05-11-2012 09:10 AM

Depending on what you have in mind, you may be better off with a multi-domain certificate for the IP address instead. SNI does rely on the client browser being SNI aware/compatible, so you might want to take a look at Wikipedia to see if you'll run into problems with your desired audience.

j.smith1981 05-16-2012 11:11 AM

Oh yes, of course. I can't imagine right now anyone really using my webmail access, which is what I wanted to use it for; it's really just for me and my mail admin being able to add alias users to mailboxes and things like that. I use it for my own personal use.

All the browsers I do use are compatible with this config, but if that should change then I will reassess my needs. Thanks for the info though, it makes perfect sense. I will mark this as solved, as it's completed what I wanted to achieve, and many thanks for your advice, it's much appreciated!

Thanks again,
Jez.
