LinuxQuestions.org
Old 11-29-2004, 05:45 AM   #1
petterg
LQ Newbie
 
Registered: Nov 2004
Location: Oslo, Norway
Distribution: Gentoo
Posts: 8

Rep: Reputation: 0
Multidomain virtualhosting with ssl


Some say this is not possible, so I need some help to figure out how to do it.

I have one server, one IP address, two domains.

Services running fine are: smtp, imap, pop, http.
Services with problems are: smtp using tls, imap-ssl, pop-ssl, https.
Software used: qmail/vpopmail, courier-imap, apache.

How can I make the ssl services run without getting the "name on certificate does not match domain name" warning?

I see three ways to go, but don't know how to do any of them:
1) Have two certificates. Make the services figure out which certificate to use, based on domain name in requested url.

2) Have two certificates, use one port for each domain. Make use of iptables to route traffic to the correct port based on domain-name. Ex: have apache run https://domain1.com on port 441, and https://domain2.com on port 442. Then iptables routes incoming packets on port 443 to either 441 or 442 depending on which domain is requested.

3) Have a certificate that is valid for both domains.

Is there any hope to solve this problem?

-pg
(my first post at linuxquestions.org)
 
Old 11-29-2004, 07:41 AM   #2
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 47
1) This is not possible. The connection is set up and the cert accepted by the client before Apache sees the Host: header to know what the domain is. Using just Apache, it's impossible to host >1 SSL site on a single IP/Port. The same thing applies to all the other SSL services on the box.

2) This would work. My employer uses layer 3/4 load balancers that do this very thing.

3) You only get one CN per cert.

HTH
 
Old 11-29-2004, 08:01 AM   #3
petterg
Quote:
Originally posted by sigsegv
2) This would work. My employer uses layer 3/4 load balancers that do this very thing.
Thanks for the reply.

Now the question is how? I'm quite new at this stuff. I know how to set up extra vhosts in apache, but have no clue how to do the iptables part.

Also I have no clue how to set up smtp service on more than one port with qmail.
 
Old 12-01-2004, 06:57 AM   #4
petterg
Nobody who knows how to do the iptables part?
 
Old 12-01-2004, 07:58 AM   #5
sigsegv
Re: Multidomain virtualhosting with ssl

After reading this again -- I answered incorrectly the first time. The first time around I inferred that you have more than one IP address. Now that I have read it a little slower, I see that this is not the case (sorry about getting your hopes up).

The problem you have is this. When the client (browser) wants to talk to the SSL server, it goes through the following steps.

1) Perform a hostname lookup
2) Open a connection to host:port (normally hostname:443)
This is where the problem is ...
3) The server sends the client its SSL cert and the client verifies that it matches the hostname it connected to and if allowed to --
4) the normal HTTP/1.0 conversation happens

The problem is, you need to divert traffic at step 2, but the client never gives you any information about where it's trying to get to until step 4 (and not all browsers pass the Host: header on 1.0 requests anyway), and at step 4 it's encrypted, so you can't see it anyway. The same thing applies to all SSL services, unfortunately.

You are a victim of the "chicken and egg" SSL problem. There's no way to fix it without multiple IPs, short of sharing a CN between both service instances.

 
Old 12-01-2004, 08:56 AM   #6
kees-jan
Member
 
Registered: Sep 2004
Distribution: Debian, Ubuntu, BeatrIX, OpenWRT
Posts: 273

Rep: Reputation: 30
But if you have two IP addresses, wouldn't it be possible to get 1) to work by running two apaches, imaps etc... (on different ports, using different configurations, suitable for the different domains), and then use iptables to do port forwarding depending on the destination IP?

Groetjes,

Kees-Jan
 
Old 12-01-2004, 10:18 AM   #7
sigsegv
Quote:
Originally posted by kees-jan
But if you have two ip addresses, won't it be able to get 1) to work by running two apaches, imaps etc... (on different ports, using different configurations, suitable for the different domains), and then use iptables to do port forwarding depending on the destination ip?
It's simpler than that. If you have more than one IP, you bind the second IP to eth0:0 (or whatever) and tell the services, with their different configs, to bind to the different IPs. No need for port manipulation at that point.
 
Old 12-02-2004, 04:40 AM   #8
petterg
So there is actually no way to host more than one virtual SSL host on one IP/port?
 
Old 12-02-2004, 04:55 AM   #9
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
I had the same issue with apache, vhosts, and ssl. I found this thread on the Gentoo forums. The suggestion is to use mod_rewrite and totally do away with the whole vhosts system in apache. It works great and I can use the same ssl certificate on all my sites. They are self-signed of course but they do the job.
 
Old 12-02-2004, 06:24 AM   #10
sigsegv
Quote:
Originally posted by Crashed_Again
I had the same issue with apache, vhosts, and ssl. I found this thread on the Gentoo forums. The suggestion is to use mod_rewrite and totally do away with the whole vhosts system in apache. It works great and I can use the same ssl certificate on all my sites. They are self-signed of course but they do the job.
This works fine if you don't mind security warnings about the certs not matching, but the first post asks:

Quote:
How can I make the ssl services run without getting the "name on certificate does not match domain name" warning?
so your solution doesn't really apply. Also, smtp, imap and pop servers don't generally come with mod_rewrite.

As to the content of the linked thread -- Generally speaking, people who "don't like the vhost system that comes with apache" probably don't understand how to use it correctly. The vhost system in Apache is fine, and the mod_rewrite "solution" is basically the same thing, though much more expensive on the server... And it still doesn't solve the chicken and egg SSL problem (splooge's doesn't anyway, RedDawn's doesn't address the problem).

Not shooting the messenger, just saying.

 
Old 12-02-2004, 01:04 PM   #11
petterg
I used to say that everything is possible with linux - just need to figure out how to do it... For once it looks like this theory is falling apart.

Must be some smart guy out there who has figured out a way to do this?
 
Old 12-02-2004, 01:20 PM   #12
sigsegv
I'm not claiming to be the smartest guy in the world, but this is fairly simple once you understand how SSL works (which is not a complex process).

1) Client opens socket to server
2) Server hands back SSL cert to start SSL connection
3) Client verifies CN (Common Name) matches the domain it's requesting
4) Application communication (POP3, IMAP, HTTP or whatever) to server begins

It's a simple problem. The SSL cert gets handed to the client at 2, and you need to be able to tell the server what host you want to talk to before that, but ... *you can't*. There is no way around this. It's just not possible (regardless of intelligence).
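As an added illustration (not code from this thread or from any of its posters), here is the four-step sequence sigsegv gives in posts #5 and #12 modelled in Python, together with option 2 from the first post (iptables redirecting port 443) and the two-IP layout from post #7. Every hostname, address and port in it is constructed for the model; the point it makes is that both the packet filter and the server pick a certificate from (ip, port) alone, because the Host: header only exists at step 4.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    cn: str  # one Common Name per cert, as post #2 notes

@dataclass
class Server:
    # The cert is chosen purely from the accepting socket: (ip, port) -> Cert.
    listeners: dict = field(default_factory=dict)

    def accept(self, ip, port):
        """Step 2: the server only knows which socket the client hit."""
        return self.listeners[(ip, port)]

def packet_filter(dst_ip, dst_port, redirects):
    """Option 2 from post #1: a DNAT/REDIRECT rule sees the TCP/IP header only
    (no hostname is on the wire yet), so it can key on nothing but (ip, port)."""
    return redirects.get((dst_ip, dst_port), (dst_ip, dst_port))

def client_connect(hostname, dns, server, redirects=None, port=443):
    """Steps 1-4 from the thread, from the client's point of view."""
    ip = dns[hostname]                                   # 1) hostname lookup
    ip, port = packet_filter(ip, port, redirects or {})  # SYN passes iptables
    cert = server.accept(ip, port)                       # 2) server sends cert
    if cert.cn != hostname:                              # 3) client checks CN
        return "name on certificate does not match domain name"
    return f"GET / HTTP/1.0\r\nHost: {hostname}\r\n\r\n"  # 4) Host: only now

def single_ip():
    """One IP (constructed 192.0.2.10), apache on 441/442 as the OP proposed."""
    dns = {"domain1.com": "192.0.2.10", "domain2.com": "192.0.2.10"}
    srv = Server({("192.0.2.10", 441): Cert("domain1.com"),
                  ("192.0.2.10", 442): Cert("domain2.com")})
    # The only redirect iptables can express: every 443 SYN goes to one port,
    # so the second domain is always handed the wrong cert.
    redirects = {("192.0.2.10", 443): ("192.0.2.10", 441)}
    return {h: client_connect(h, dns, srv, redirects) for h in dns}

def two_ips():
    """Post #7: second address on eth0:0, each service bound to its own IP."""
    dns = {"domain1.com": "192.0.2.10", "domain2.com": "192.0.2.11"}
    srv = Server({("192.0.2.10", 443): Cert("domain1.com"),
                  ("192.0.2.11", 443): Cert("domain2.com")})
    return {h: client_connect(h, dns, srv) for h in dns}
```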
 
Old 12-06-2004, 05:44 AM   #13
petterg
ouch!
Why is everyone so pessimistic about this?

I give up... stupid warning message
 
  

