Re: ModSSL - Knoppix 3.3

From: Peter H. Lemieux (phl_at_cyways.com)
Date: 03/16/04

    Date: Tue, 16 Mar 2004 15:44:41 -0500
    To: "Bernard, Cyrille" <Cyrille.Bernard@BEIJAFLORE.com>


    Cyrille,

    NameVirtualHosts and SSL don't mix. From the Apache docs at
        http://httpd.apache.org/docs/vhosts/name-based.html
    "Name-based virtual hosting cannot be used with SSL secure servers because
    of the nature of the SSL protocol."

    Each unique SSL host must be assigned to a unique address. I also don't try
    to serve different content on ports 80 and 443 on the same IP. On an IP
    where I have SSL configured, my Apache configuration for that IP usually
    looks like this:

    Assume www.mydomain.com = 192.168.3.7

            <VirtualHost 192.168.3.7:80>
            Redirect / https://www.mydomain.com/
            </VirtualHost>

            <VirtualHost 192.168.3.7:443>
            SSLEngine On
            etc.
            </VirtualHost>

    This automatically pushes an incorrect http request to the secure host over
    onto the secure interface.

    The only solution is to assign two IPs and two hostnames, like
    www.domain.name and secure.domain.name, with insecure content on one
    IP/hostname pair and secure content on the other.

    Peter

    Bernard, Cyrille wrote:

    > hi everyone.
    >
    > It's not really a matter of security here, but I've some trouble with Apache 1.3.29, mod_ssl/2.8.14 and OpenSSL/0.9.7b.
    >
    > I use the knoppix 3.3 hd installation. It comes with all stuff.
    > I create some server key & crt. And set up things in httpd.conf
    >
    > the main lines are :
    > Port 80
    >
    > User www-data
    > Group www-data
    >
    > ServerAdmin root@shuttlex
    > ServerName shuttlex
    > DocumentRoot /var/www
    >
    > [...]
    >
    > Listen 80
    > Listen 443
    >
    > NameVirtualHost 192.168.1.1:443
    > NameVirtualHost 192.168.1.1:80
    >
    > <VirtualHost 192.168.1.1>
    > SSLEngine Off
    > </VirtualHost>
    >
    > <VirtualHost 192.168.1.1:443>
    > CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    > TransferLog logs/ssl_access_log
    > SSLEngine On
    > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    > SSLCertificateFile /etc/apache/conf/ssl.crt/server.crt
    > SSLCertificateKeyFile /etc/apache/conf/ssl.key/server.key
    > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    > <Directory "/usr/local/apache/cgi-bin">
    > SSLOptions +StdEnvVars
    > </Directory>
    > <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
    > SSLOptions +StdEnvVars
    > </Files>
    >
    > </VirtualHost>
    >
    > The problem is:
    > - I can do http and https requests from the local server (browser Konqueror)
    > - I can do http requests but NOT https requests with a remote client (browser IE)
    > - I can do ssh remote and telnet requests on port 443 from remote
    > - I can do https requests on some other SSL server (LAN or internet)
    >
    > What I've done to test things:
    > netstat -na looks OK
    > tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
    > tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
    >
    > Let's say my local IP is 192.168.1.1 (Apache server) and my remote is 192.168.1.2 (client).
    > When I telnet to port 443 on the server from the client:
    > tcp 0 0 192.168.1.1:443 192.168.1.2:2396 ESTABLISHED
    > When I use the browser with https, nothing happens.
    >
    > There's no FW/ACL between client/server. I've tried a direct connection too with a crossover cable.
    > I've tried some changes with httpd.conf (not using virtual hosts, but it's the same).
    >
    > - I don't have any trouble with other Linux/Apache/SSL installations
    > - I don't see anything significant in the log files
    >
    > So, is it me or is there a bug out there?
    >
    > Sum up:
    > from REMOTE: ssh OK, http OK, https NOK.
    > from LOCAL: http OK, https OK
    >
    > thx for help.
    > cdt,
    > Cyrille (FRANCE)
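
One way to check an httpd.conf against the layout Peter describes, as an added example that is not part of this thread: a small Python audit that flags SSL vhosts sharing one address, a NameVirtualHost declared for an SSL address, and a port-80 vhost on an SSL IP that does not redirect to https. The sample config and hostnames below are constructed, loosely modelled on the posted httpd.conf; the rule it enforces is the pre-SNI Apache 1.3/mod_ssl one (each SSL host on its own IP), which modern servers using TLS SNI relax.

```python
import re
from collections import defaultdict
# Constructed sample loosely modelled on the posted httpd.conf: NameVirtualHost on the
# SSL address, two SSL vhosts sharing it, and a port-80 vhost with no https redirect.
SAMPLE_CONF = """
NameVirtualHost 192.168.1.1:443
NameVirtualHost 192.168.1.1:80
<VirtualHost 192.168.1.1:80>
SSLEngine Off
</VirtualHost>
<VirtualHost 192.168.1.1:443>
ServerName shuttlex
SSLEngine On
</VirtualHost>
<VirtualHost 192.168.1.1:443>
ServerName secure.example.test
SSLEngine On
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
NAMEVH_RE = re.compile(r"^\s*NameVirtualHost\s+(\S+)", re.I | re.M)
SSL_ON_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.I | re.M)
REDIRECT_RE = re.compile(r"^\s*Redirect(Match|Permanent|Temp)?\s", re.I | re.M)

def split_addr(addr):
    """'192.168.1.1:443' -> ('192.168.1.1', '443'); an address without a port -> (addr, '')."""
    ip, sep, port = addr.rpartition(":")
    return (ip, port) if sep and port.isdigit() else (addr, "")

def audit(conf):
    """Return findings for SSL/vhost layouts Apache 1.3-era mod_ssl cannot serve; [] means clean."""
    name_addrs = {m.group(1) for m in NAMEVH_RE.finditer(conf)}
    by_addr = defaultdict(list)  # address -> list of (ssl_on, has_redirect) per vhost block
    for m in VHOST_RE.finditer(conf):
        body = m.group(2)
        by_addr[m.group(1).strip()].append((bool(SSL_ON_RE.search(body)), bool(REDIRECT_RE.search(body))))
    ssl_ips = {split_addr(a)[0] for a, g in by_addr.items() if any(ssl for ssl, _ in g)}
    findings = []
    for addr, group in by_addr.items():
        ssl_count = sum(ssl for ssl, _ in group)
        if ssl_count > 1:
            findings.append(f"{addr}: {ssl_count} SSL vhosts share one address, only one certificate can be presented")
        if ssl_count and addr in name_addrs:
            findings.append(f"{addr}: NameVirtualHost declared for an SSL address")
        ip, port = split_addr(addr)
        if port == "80" and ip in ssl_ips and not any(r for _, r in group):
            findings.append(f"{addr}: plain-HTTP vhost on an SSL address has no Redirect to https")
    return findings
```

Running `audit(SAMPLE_CONF)` reports three findings; Peter's two-block layout (port 80 redirecting, one SSL vhost on :443) reports none.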
