AW: Re: [Linux-Biella] Https con VirtualHost
Mattia Rossi
linux@bilug.linux.it
Tue, 3 Jun 2003 12:54:19 +0200
On Mon, 26 May 2003 14:06 +0200
Luca Bertoncello <lucabert@lucabert.de> wrote:
> Alessio Re <alessio.re@meteonetwork.it> wrote:
>
> > There, I tried it and... it works for me too. Apache is so powerful that it
> > even does the things people say it can't do! :-D Joking aside, the oversight
> > in the docs should be reported...
>
> Right... The problem is that, even though it works, the key sent to the client is always the same...
>
> How come? Yet in the VirtualHost I put two different files for the two configurations...
>
First mail on this ML (which I learned about through LeOS), so I take the opportunity to say hello to everyone.
The reply comes a bit late because I had to do some reading first.
With Apache (and with all other web servers) it is not possible to do name-based virtual hosting if you want different certificates for each virtual host.
It is possible, instead, to redirect requests based on the names to different URLs/ports, as indicated in the previous posts.
The problem is explained (not exhaustively) in this thread that I found on Google:
----------------------------------------
>it's the other way around, apache (and other webservers as well) doesn't
>support name-based virtual hosting due to an already often cited chicken
>& egg problem:
>
>the ssl engine needs to present a server certificate which fits to the
>servername of a specific vhost to the client very early in the
>ssl-handshake. with name-based vhosts the decision which vhost a
>particular request goes to can obviously be taken only a lot later, when
>the ssl-handshake has completed and the request including the Host:
>header has been read.
>
>what the op could do is have name-based vhosts for the various non-ssl
>sites and have one ssl-vhost (he only wanted one in his list) of the
>form <VirtualHost ip-address:443> which would be accessible under all
>his vhosts' servernames on port 443 but only have a certificate fitting
>for the correct one. if one wants to limit users to using the correct
>hostname to access the content, one could use rewrite-conds to do this.
>
>please note that the given solution refers to what's possible with
>mod_ssl, it might or might not work with apache-ssl, so please forgive
>me when i'm proven wrong...
I have found that it doesn't matter what server name is in the certificate.
What is important is that ALL virtual servers sharing the same IP address and
port will get the same certificate. Therefore, if the use of the certificate is
only to keep out network sniffers and such, it will work. However, any vhost
sharing the certificate will NOT be secure with respect to any other vhost
sharing that same certificate.
I know this because it doesn't seem to matter whether or not I have accessed my
server via its canonical name or one of its DNS aliases - the SSL layer will use
the same certificate regardless (for the same IP:port combination).
---------------------------------------
Mattia
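As an added illustration of the layout the quoted post suggests (not a configuration from the thread or from any of its authors): name-based vhosts on port 80, a single IP-based SSL vhost on 443 that every name sharing the address will hit, and a RewriteCond that refuses hostnames the certificate does not cover. It assumes the pre-SNI mod_ssl discussed in the thread, the documentation address 192.0.2.10, the hostnames www.example.org / www.example.net and the file paths shown.

```apache
# Added example, not from the mailing list thread. Assumed values:
# server IP 192.0.2.10, two hostnames, and the DocumentRoot/cert paths.
NameVirtualHost 192.0.2.10:80
Listen 80
Listen 443

# Name-based vhosts work fine for plain HTTP: the Host: header is read
# before any content is chosen.
<VirtualHost 192.0.2.10:80>
    ServerName   www.example.org
    DocumentRoot /var/www/example.org
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName   www.example.net
    DocumentRoot /var/www/example.net
</VirtualHost>

# One SSL vhost per IP:port. mod_ssl must send this certificate during
# the handshake, before the Host: header exists, so every name that
# resolves to 192.0.2.10 gets the same certificate on port 443.
<VirtualHost 192.0.2.10:443>
    ServerName   www.example.org
    DocumentRoot /var/www/example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/example.org.crt
    SSLCertificateKeyFile /etc/apache/ssl/example.org.key

    # Refuse requests that arrive under a hostname the certificate does
    # not match, rather than silently serving www.example.net's content
    # behind www.example.org's certificate.
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^www\.example\.org$ [NC]
    RewriteRule .* - [F]
</VirtualHost>
```

A quick check of which certificate a given name actually receives is to connect to 192.0.2.10:443 once per hostname and compare the subject of the certificate returned; with this layout both names return the example.org certificate.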