[SOLVED] SSL Name Based Virtual Hosts Apache with SNI enabled not working as expected

j.smith1981 · 05-11-2012, 06:24 AM

I was asking about if it would be possible to use different security certs on 2 different virtual hosts based on their name, they both work on the same IP address 192.168.0.1 for example.

I was told the option named 'SSLStrictSNIVHostCheck' could be set to off to allow for this to work after reading:

Quote:

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

I looked at this site:
http://en.wikipedia.org/wiki/Server_Name_Indication

Which explains that my version of apache which is:

Quote:

[me@myserver ~]$ rpm -q httpd
httpd-2.2.15-15.el6.centos.1.x86_64

Which should work right?

This config here is what I have setup for SSL:

Quote:

LoadModule ssl_module modules/mod_ssl.so

Listen 443

SSLPassPhraseDialog builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

NameVirtualHost *:443

SSLStrictSNIVHostCheck off

<VirtualHost *:443>

DocumentRoot "/www/myhost1.co.uk/html"
ServerName www.myhost1.co.uk:443

ErrorLog logs/ssl_error_log

TransferLog logs/ssl_access_log

LogLevel warn

SSLEngine on

SSLProtocol all TLSv1 -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /etc/pki/tls/certs/www.myhost1.co.uk.crt

SSLCertificateKeyFile /etc/pki/tls/private/www.myhost1.co.uk.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

<VirtualHost *:443>

DocumentRoot "/www/myhost2.co.uk/html"
ServerName www.myhost2.me.uk:443

ErrorLog logs/ssl_error_log

TransferLog logs/ssl_access_log

LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

SSLCertificateFile /etc/pki/tls/certs/www.myhost2.me.uk.crt

SSLCertificateKeyFile /etc/pki/tls/private/www.myhost2.me.uk.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

I have not changed my original configs which where posted here:
http://www.linuxquestions.org/questi...6/#post4590891 my none ssl based sites.

The problem actually is that when I go to say host www.myhost2.me.uk I get www.myhost1.co.uk's cert.

And I of course get www.myhost1.co.uk's cert when I go to the www.myhost1.co.uk site if that makes any sense?

Have I setup SSL with SNI option correctly?

Any replies are much appreciated as usual!

bathory · 05-11-2012, 07:10 AM

Hi,

Try to use plain:

Code:

ServerName www.myhost1.co.uk
...
ServerName www.myhost2.me.uk

Regards

j.smith1981 · 05-11-2012, 08:47 AM

Just without the virtualhost tags so omit those you mean?

Thanks for your speedy reply,
Jez

bathory · 05-11-2012, 09:06 AM

No, inside each of the 2 <VirtualHost ..> containers leave the ServerName without the trailing ":443"

TenTenths · 05-11-2012, 09:10 AM

Depending on what you have in mind you may be better off with a multi-domain certificate for the IP address instead, SNI does rely on the client browser being SNI aware/compatible so you might want to take a look at wikipedia to see if you'll run in to problems with your desired audience.

j.smith1981 · 05-16-2012, 11:11 AM

Oh yes of course, I can't imagine right now anyone really using my webmail access which is what I wanted to use it for it's really just for me and my mailadmin being able to add alias users to mailboxes and things like that I use it for but my own personal use.

All the browsers I do use are compatible with this config, but if that should change then I will reassess my needs, thanks for the info though makes perfect sense I will mark this as solved though as it's completed what I wanted to achieve and many thanks for your advice it's much appreciated!

Thanks again,
Jez.