Lim Fung wrote:
> I'm not sure if anyone has encountered the same problem as I do - I was
> configuring Apache 1.2.6 + SSLeay 0.8.0 (patched using ssl_1.16) to
> perform virtual hosting for https, but apparently the browser didn't report
> that the correct certificate was used when different virtual domains were
> browsed.
> Apache-SSL appears to have read in the cert, but when Netscape
> Communicator is used to view the website, the wrong cert (the one
> specified in the global config) was used.
> Any suggestions would be appreciated.
I got my Apache-SSL working great with multiple certs. :-) There are a
couple of things you need to do, though.
First, the SSL spec requires one IP number per domain (and hence per cert),
regardless of whether or not you use HTTP 1.1. I believe this is
due to the fact that the domain is encoded within the cert, so an
HTTPS request from a client, which encodes the HTTP header directives
including the Host header, reaches a server which is unable to determine
which domain to use, and hence is unable to determine which cert to use.
I heard that a newer HTTPS (SSL) spec is in the works that will add an
additional unencoded host header directive, so that multiple certs can
be used on the same IP. (But I don't know of any servers or browsers that
support this.)
Second, in the version of Apache-SSL I am using, there is this strange bug
where you have to declare the HTTPS (SSL) virtual hosts before you
declare your HTTP (non-SSL) virtual hosts.
Below is a sample virtual domain excerpt from my old "httpd.conf". It is
used by Apache-SSL to host two certs and four second-level domains. IP-based
virtual hosting is used for the two cert domains, and non-IP (domain-name)
based virtual hosting (via the HTTP 1.1 spec) is used for the other two
non-cert second-level domains.
I hope this helps. Sincerely, Alicia.
Don't forget to configure your DNS and route the proper IPs on your web
server to get this to work.
-----CUT HTTPD.CONF EXCERPT BELOW--------------------------------------
# Main (default) server: listens on both ports, SSL off here.
# Each :443 host below carries its own key and cert.
Port 80
Listen 80
Listen 443
SSLDisable
ServerName spinner.dolphin.wiznet.ca
DocumentRoot /home/web/www
# SSL hosts first (Apache-SSL bug noted above), one IP address per cert:
# the cert is tied to the IP, since the Host header is inside the SSL session.
<VirtualHost 192.168.0.11:443>
ServerName ecash.2001.ca
DocumentRoot /home/web/www/2001
# ServerPath lets HTTP/1.0 clients that send no Host header reach this site by URL prefix
ServerPath /2001
SSLCertificateKeyFile /opt/ssl/private/ecash.2001.ca.key
SSLCertificateFile /opt/ssl/certs/ecash.2001.ca.cert
SSLFakeBasicAuth
SSLVerifyDepth 10
SSLVerifyClient 0
SSLLogFile /home/web/logs/ssl_cipher_log
</VirtualHost>
<VirtualHost 192.168.0.12:443>
ServerName secure.cyberstation.ca
DocumentRoot /home/web/www/cyberstation
ServerPath /cyberstation
SSLCertificateKeyFile /opt/ssl/private/secure.cyberstation.ca.key
SSLCertificateFile /opt/ssl/certs/secure.cyberstation.ca.cert
SSLFakeBasicAuth
SSLVerifyDepth 10
SSLVerifyClient 0
SSLLogFile /home/web/logs/ssl_cipher_log
</VirtualHost>
# Plain-HTTP hosts on the same two IPs; SSL explicitly off for each.
<VirtualHost 192.168.0.11:80>
ServerName www.2001.ca
ServerAlias ecash.2001.ca 2001.ca
DocumentRoot /home/web/www/2001
ServerPath /2001
SSLDisable
</VirtualHost>
<VirtualHost 192.168.0.12:80>
ServerName www.cyberstation.ca
ServerAlias secure.cyberstation.ca cyberstation.ca
DocumentRoot /home/web/www/cyberstation
ServerPath /cyberstation
SSLDisable
</VirtualHost>
# Name-based (HTTP/1.1 Host header) hosts, plain HTTP only, so sharing an IP is fine.
<VirtualHost www.mailengine.com:80>
ServerName www.mailengine.com
ServerAlias mailengine.com
DocumentRoot /home/web/www/mailengine
ServerPath /mailengine
SSLDisable
</VirtualHost>
<VirtualHost www.webengine.com:80>
ServerName www.webengine.com
ServerAlias webengine.com
DocumentRoot /home/web/www/webengine
ServerPath /webengine
SSLDisable
</VirtualHost>
--
Alicia da Conceicao
VP of Technology, Cyberstation Inc.
121 Richmond Street West, Suite 1104, Toronto, Ontario M5H 2G4, Canada
alicia@cyberstation.ca
tel: 416-860-9378  fax: 416-860-9380
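The two behaviours the thread describes, a client that sends no host name getting whatever certificate the server falls back to, and a client that names the host in the ClientHello (Server Name Indication, the "unencoded host header" Alicia heard was coming) getting the right one, can be watched directly with a small Go program. This is an added example, not code from the thread or from Apache-SSL: it generates throwaway self-signed certificates for the two SSL host names from the config excerpt, serves both from one loopback port, and connects once without SNI and once per name. The host names are reused from the excerpt; the port, keys and certificates are invented at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed certificate for one host name.
// Demo assumption: an in-memory ECDSA P-256 key stands in for the CA-issued
// key/cert files named by SSLCertificateKeyFile/SSLCertificateFile.
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serveSNI listens on one loopback port and picks the certificate by the name
// the client sends in its ClientHello (SNI). A client that sends no name, as
// pre-SNI browsers did, gets the certificate for defaultName: the same
// fallback to the "global config" cert that the original poster saw.
func serveSNI(certs map[string]tls.Certificate, defaultName string) (net.Listener, error) {
	cfg := &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			c, ok := certs[hello.ServerName]
			if !ok {
				c = certs[defaultName]
			}
			return &c, nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// Run the handshake so the client receives our certificate, then drop the connection.
			go func() { _ = conn.(*tls.Conn).Handshake(); conn.Close() }()
		}
	}()
	return ln, nil
}

// presentedName connects to addr sending sni in the ClientHello (empty string
// = no SNI extension, since Go omits it for an IP literal) and returns the
// CommonName of the leaf certificate the server presented.
func presentedName(addr, sni string) (string, error) {
	// InsecureSkipVerify only because the demo certs are self-signed; the
	// point is to observe which cert arrives, not to validate a chain.
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	hosts := []string{"ecash.2001.ca", "secure.cyberstation.ca"} // names from the config excerpt
	certs := map[string]tls.Certificate{}
	for _, h := range hosts {
		c, err := selfSigned(h)
		if err != nil {
			panic(err)
		}
		certs[h] = c
	}
	ln, err := serveSNI(certs, hosts[0])
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	for _, sni := range []string{"", hosts[0], hosts[1]} {
		cn, err := presentedName(ln.Addr().String(), sni)
		fmt.Printf("SNI %q -> server presented %q (err=%v)\n", sni, cn, err)
	}
}
```

Run it with `go run`: the connection that sends no name is handed the `ecash.2001.ca` certificate no matter which site it wanted, which is the mismatch Netscape Communicator reported; the connections that name a host get the matching certificate from the same IP and port. Apache 1.2.6 with SSLeay 0.8.0 had no such callback and the browsers of the day sent no name, so binding one IP address per certificate was the only way to make both certs reachable.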