[clue-tech] apache2 ssl with virtual hosts

Jim Ockers ockers at ockers.net
Thu Mar 16 22:24:27 MST 2006


Hi Mike,

The SSL key negotiation and certificate verification happens before
the HTTP headers are sent.

The client's connection to the web server's IP address on port 443
initiates the SSL transaction, part of which is the server's certificate
presentation.  The certificate contains the common name (CN) of the
site.

Since there is typically a unique CN for each web site then there has 
to be one IP address per website.  If you could make certificates
which include a wildcard (i.e., *.domain.com) then you could have
multiple SSL websites (server1.domain.com, server2.domain.com, and
so forth) which share the same IP address.

Even better would be a certificate issued to * (a single wildcard)
because then any web site name would match.

Obviously you will never get any self-respecting commercial certificate
authority (CA) to sign a certificate with a CN of *.  However
if you make your own CA then you can issue and sign certificates
however you like.  Heck for a low low fee I'll sign certificates
with wildcards in them using my CA.  :)

I'm not sure if this is what the original poster was trying to do...

The multiple-web-sites on one IP address is handled with the HTTP
1.1 Host header:

GET / HTTP/1.1
Host: www.website.com

The client (web browser) presents the Host: header to the server,
which tells the server what website to return to the client.  As
I say the SSL negotiation happens before any HTTP traffic.

Hope this helps,
Jim (top posting on purpose)

--
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/

Mike Staver wrote:
> 
> >> So are you saying that you're able to serve virtual hosts with one IP
> >> using SSL with mod_rewrite? I didn't think that was possible since the
> >> http header was encrypted and that header is necessary to do virtual
> >> hosting. If that's not true I'd *love* to know how you did it since I
> >> could save myself a few bucks and get rid of some additional static IPs.
> > 
> > Yeah THAT'S not possible.
> > My problem was I set up http and https for domain1.com, but 
> > https://domain2.com was bringing up the site for https://domain1.com
> > 
> > Why we can't just have SSL layer based on the IP instead of the domain 
> > name (like SSH does), I don't know.
> 
> I think I have done what you're suggesting before - are you simply 
> trying to use one public IP address for 2 SSL cert based domain names? I 
> have done that before I think - I could be wrong, I honestly can't 
> remember how I did it a few years ago, but I may have had 2 IPs pointed 
> at one box. Would this work?
> 
> <VirtualHost *:443>
> ServerName domain1.com:443
> SSLCertificateFile /etc/httpd/conf/ssl.crt/domain1.com.crt
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> SSLCertificateFile /etc/httpd/conf/ssl.crt/domain1.com.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain1.com.key
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>      SSLOptions +StdEnvVars
> </Files>
> <Directory "/var/www/cgi-bin">
>      SSLOptions +StdEnvVars
> </Directory>
> SetEnvIf User-Agent ".*MSIE.*" \
>           nokeepalive ssl-unclean-shutdown \
>           downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_request_log \
>            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> </VirtualHost>
> 
> 
> <VirtualHost *:443>
> ServerName domain2.com:443
> SSLCertificateFile /etc/httpd/conf/ssl.crt/domain2.com.crt
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> SSLCertificateFile /etc/httpd/conf/ssl.crt/domain2.com.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain2.com.key
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>      SSLOptions +StdEnvVars
> </Files>
> <Directory "/var/www/cgi-bin">
>      SSLOptions +StdEnvVars
> </Directory>
> SetEnvIf User-Agent ".*MSIE.*" \
>           nokeepalive ssl-unclean-shutdown \
>           downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_request_log \
>            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> </VirtualHost>
> 
> If that didn't work, maybe change the virtualhost lines to:
> 
> <VirtualHost domain1.com:443>
> <VirtualHost domain2.com:443>
> -- 
> 
>                                  -Mike Staver
>                                   staver at fimble.com
>                                   mstaver at globaltaxnetwork.com
> _______________________________________________
> CLUE-tech mailing list
> CLUE-tech at cluedenver.org
> http://cluedenver.org/mailman/listinfo/clue-tech
> 
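Jim's two points above, that the server must pick its certificate from the address the client connected to because the handshake finishes before any HTTP bytes (and hence the Host header) arrive, and that a wildcard CN is what lets several names share one address, modelled as an added Python example. This is not code from the thread; the vhost tables, the 192.0.2.x addresses and the request bytes are constructed, and the one-label wildcard rule follows RFC 2818. The thread predates SNI (RFC 6066), which later moved the requested name into the TLS ClientHello (Apache mod_ssl supports it from 2.2.12) and lifted the one-IP-per-certificate constraint; the model below shows the pre-SNI situation the post describes.

```python
"""Why pre-SNI HTTPS needed one IP address per certificate.

Constructed model: the server selects a certificate knowing only the local
address:port the client connected to; the Host header is only visible later,
inside the already-negotiated TLS stream.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VHost:
    server_name: str   # ServerName directive
    address: str       # the addr:port the <VirtualHost> answers on (constructed)
    cert_cn: str       # CN of the SSLCertificateFile for that vhost


def cert_for_connection(vhosts, local_address):
    """Return the certificate CN the server can present on local_address.

    The TLS handshake happens before any HTTP request bytes, so the only
    selector available is the address the client connected to. Raises if two
    vhosts on that address would need different certificates, because no
    rule can disambiguate them before the Host header has been read.
    """
    cns = {v.cert_cn for v in vhosts if v.address == local_address}
    if not cns:
        raise LookupError(f"no vhost bound to {local_address}")
    if len(cns) > 1:
        raise ValueError(f"ambiguous: {sorted(cns)} share {local_address}; "
                         "cannot choose a certificate before Host is seen")
    return cns.pop()


def wildcard_matches(pattern, hostname):
    """RFC 2818-style name matching for a certificate CN.

    '*' covers exactly one DNS label, so '*.domain.com' matches
    server1.domain.com but not domain.com or a.b.domain.com. A CN that is a
    bare '*' (the case no public CA will sign) matches every name.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == "*":
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def host_from_request(raw):
    """Extract the Host header (without port) from an HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()
    return None


def route(vhosts, local_address, raw_request):
    """Model one HTTPS request: certificate first, Host header second."""
    cn = cert_for_connection(vhosts, local_address)   # decided at handshake
    host = host_from_request(raw_request)             # only readable after it
    if host is None:
        raise ValueError("HTTP/1.1 requires a Host header")
    if not wildcard_matches(cn, host):
        # The browser would already have warned: the certificate it accepted
        # during the handshake was issued for cn, not for the site requested.
        raise ValueError(f"certificate CN {cn!r} does not cover {host!r}")
    for v in vhosts:
        if v.address == local_address and v.server_name == host:
            return v
    raise LookupError(f"no vhost named {host} on {local_address}")


# Constructed configurations (addresses from the 192.0.2.0/24 documentation range).
PER_IP = [                       # one address per certificate: always works
    VHost("domain1.com", "192.0.2.10:443", "domain1.com"),
    VHost("domain2.com", "192.0.2.11:443", "domain2.com"),
]
SHARED_WILDCARD = [              # one address, one wildcard cert, many names
    VHost("server1.domain.com", "192.0.2.20:443", "*.domain.com"),
    VHost("server2.domain.com", "192.0.2.20:443", "*.domain.com"),
]
SHARED_CLASH = [                 # the posted config: *:443 with two certs
    VHost("domain1.com", "192.0.2.30:443", "domain1.com"),
    VHost("domain2.com", "192.0.2.30:443", "domain2.com"),
]

if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: server2.domain.com\r\n\r\n"
    print(route(SHARED_WILDCARD, "192.0.2.20:443", req))
    try:
        cert_for_connection(SHARED_CLASH, "192.0.2.30:443")
    except ValueError as exc:
        print("shared address without wildcard:", exc)
```

The `SHARED_CLASH` table corresponds to the two `<VirtualHost *:443>` blocks quoted above: both answer on the same address, so the certificate for the first block is what every client receives, which is exactly the "https://domain2.com brings up domain1.com" symptom in the quoted message.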