LinuxQuestions.org
Old 03-01-2007, 07:08 PM   #16
depam
Member
 
Registered: Sep 2005
Posts: 861

Original Poster
Rep: Reputation: 30

twantrd,

I have successfully configured VirtualHost. Now, when I type in www.company1.com on my browser, I get to see www.company1.com's DocumentRoot. And the same thing happened on www.company2.com. Now, my problem is that it seems that the two websites still share the same certificate. How can I configure the server to use different certs on each site? Here's my ssl.conf. Hope you can tell me if this is secure enough. I also noticed that https is really slow compared to the traditional http. Maybe because of the encryption, which makes it really slow. I also heard from Steve Gibson that it is possible to generate a certificate for each client to be installed on his browser just for him to access the site. Have you tried this before, and how were you able to do this? Thanks and hope you can help me out.


LoadModule ssl_module modules/mod_ssl.so

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin

SSLSessionCache dbm:/var/cache/mod_ssl/scache
SSLSessionCacheTimeout 300

SSLMutex file:logs/ssl_mutex

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

NameVirtualHost *:443
<VirtualHost *:443>

DocumentRoot "/var/www/company1"
ServerName www.company1.com
ServerAdmin admin@company1.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/httpd/conf/ssl.crt/honda.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/honda.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

<VirtualHost *:443>

DocumentRoot "/var/www/company2"
ServerName www.company2.com
ServerAdmin admin@company2.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/iadi.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/iadi.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
 
Old 03-02-2007, 12:06 PM   #17
twantrd
Senior Member
 
Registered: Nov 2002
Location: CA
Distribution: redhat 7.3
Posts: 1,440

Rep: Reputation: 52
I believe you'll need a separate IP address per SSL cert. Therefore, you need to start binding some alias IPs and declare those IPs in your vhosts. Give that a shot.

Reading some docs on the web, it appears that you need to do this because SSL negotiation happens before the actual HTTP request and so the hostname is not available during SSL negotiation.

-twantrd

Last edited by twantrd; 03-02-2007 at 12:07 PM.
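The IP-based layout twantrd describes, applied to the posted ssl.conf, as an added example that is not part of the original thread. The addresses 192.0.2.10 and 192.0.2.11 are assumed placeholders for two alias IPs already bound on the server; the hostnames, document roots and certificate paths are the ones from the post.

```apache
# Added example, not from the thread. 192.0.2.10 and 192.0.2.11 are
# placeholder addresses (assumed); substitute the alias IPs bound on the host.
# DNS for each hostname must point at the address of its own vhost.

Listen 443

# "NameVirtualHost *:443" is dropped. With it, both sites share one
# address:port, and the server has to present a certificate during the SSL
# handshake, before it has seen the Host header, so every request gets the
# certificate of the first vhost (honda.crt), as observed in the post.

# Site 1: selected purely by the IP address the client connected to.
<VirtualHost 192.0.2.10:443>
    DocumentRoot "/var/www/company1"
    ServerName www.company1.com
    ServerAdmin admin@company1.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/honda.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/honda.key

    # Remaining directives (logs, SSLOptions, SetEnvIf) stay as posted.
</VirtualHost>

# Site 2: its own address, so its own certificate is chosen at handshake time.
<VirtualHost 192.0.2.11:443>
    DocumentRoot "/var/www/company2"
    ServerName www.company2.com
    ServerAdmin admin@company2.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/iadi.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/iadi.key

    # Remaining directives (logs, SSLOptions, SetEnvIf) stay as posted.
</VirtualHost>

# Check after restarting httpd: each address should present its own subject.
#   openssl s_client -connect 192.0.2.10:443 </dev/null | openssl x509 -noout -subject
#   openssl s_client -connect 192.0.2.11:443 </dev/null | openssl x509 -noout -subject
```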