mod_gnutls: NameVirtualHost gets wrong Cert

Sebastien Decugis sdecugis at nict.go.jp
Wed Oct 15 10:59:39 CEST 2008


Hello,

According to your configuration file, you are using two virtualhosts
with the same IP address and different names. It is impossible to use
https in this configuration. See
http://httpd.apache.org/docs/2.0/vhosts/name-based.html (second item)

In short, you need to negotiate your SSL settings (therefore select the
correct certificate) even before the first request is sent, containing
the server name with which you want to communicate.

The usual workarounds are:
- use a different IP
- use a different port.

I hope this helps...
Sebastien.

Charley Collins a écrit :
> Hi
>
> Everything works fine, if I have only one virtual host.
> If I configure a second one and go with a browser to the first site, I
> come in trouble:
> On Firefox it works well. With IE7 the browser gets the right site but
> the wrong certificate, the one of the second configured site! It
> looks like the VirtualName service is not working in mod_gnutls.
>
> I hope someone can help me...
> Please check my configuration below:
>
> Linux Centos 5.2
> http: 2.2.3-11
> mod_gnutls: 0.2.0-1
> gnutls: 1.4.1-3
>
> I found only this old version for centos binary.
> I tried compiling the current version from source, but it ends apache
> without any message or error message...
>
>
> Configuration
>
> mod_gnutls.conf:
>
> LoadModule gnutls_module modules/libmod_gnutls.so
> AddType application/x-x509-ca-cert .crt
> GnuTLSCache dbm "/var/cache/mod_gnutls_cache"
> GnuTLSCacheTimeout 300
> Listen 195.2.228.126:443
> NameVirtualHost 195.2.228.126:443
> Include /etc/httpd/conf/sslvhosts/*.conf
>
> /etc/httpd/conf/sslvhosts/shop.moon-shop.com.conf: (Works fine, if
> only this file exists in sslvhosts)
>
> <VirtualHost 195.2.228.126:443>
>         ServerAdmin ###@#####.###     # anti spam
>         GnuTLSEnable on
>         GnuTLSCertificateFile /etc/httpd/ssl/shop.moon-shop.com.crt
>         GnuTLSKeyFile /etc/httpd/ssl/shop.moon-shop.com.key
>         #GnuTLSPriorities NORMAL
>         DocumentRoot /var/www/shop.moon-shop.com/htdocs/joomla
>         ServerName shop.moon-shop.com
>         DirectoryIndex index.php
>         ErrorLog /var/www/shop.moon-shop.com/log/ssl_error.log
>         CustomLog /var/www/shop.moon-shop.com/log/ssl_access.log common
>         AddType application/x-httpd-php .php
>         #php_admin_flag safe_mode On
>         php_admin_value file_uploads 1
>         php_admin_value upload_tmp_dir /var/www/shop.moon-shop.com/phptmp/
>         php_admin_value session.save_path /var/www/shop.moon-shop.com/phptmp/
>         AddType text/html .shtml
>         AddOutputFilter INCLUDES .shtml
> </VirtualHost>
>
> /etc/httpd/conf/sslvhosts/customer.moon-shop.com.conf: (cert of this
> conf will be delivered in shop if this file exists)
>
> <VirtualHost 195.2.228.126:443>
>         ServerAdmin ###@#####.###     # anti spam
>         GnuTLSEnable on
>         GnuTLSCertificateFile /etc/httpd/ssl/customer.moon-shop.com.crt
>         GnuTLSKeyFile /etc/httpd/ssl/customer.moon-shop.com.key
>         DocumentRoot /var/turbogears/turbotest
>         ServerName customer.moon-shop.com:443
>         ErrorLog /var/log/httpd/ssl_error-test.log
>         CustomLog /var/log/httpd/ssl_access-test.log common
> </VirtualHost>
>
> Thank you for your help
>
> Kind Regards
> Charley
>
>
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at gnu.org
> http://lists.gnu.org/mailman/listinfo/gnutls-devel
>

-- 
Sebastien Decugis
Research fellow
Network Architecture Group
NICT (nict.go.jp)
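A check that confirms, for each ServerName sharing one IP:port as in the quoted configuration, which certificate the server actually hands out (the symptom Charley describes: the customer vhost's certificate served for the shop vhost). This is an added example, not code from the thread or from mod_gnutls; it announces each name in the TLS handshake (SNI) and compares the served certificate with the configured PEM file. The host names, the IP address and the file paths are placeholders.

```python
"""Check which certificate each name-based HTTPS vhost really serves.
Added example, not code from the thread: it announces each ServerName in
the TLS handshake (SNI), fetches the certificate served, and compares it
with the configured PEM file. Names, IP and paths are placeholders."""
import socket
import ssl

# Placeholder layout mirroring the quoted config: ServerName -> cert file.
VHOSTS = {
    "shop.example.org": "/etc/httpd/ssl/shop.example.org.crt",
    "customer.example.org": "/etc/httpd/ssl/customer.example.org.crt",
}
SHARED_ENDPOINT = ("192.0.2.10", 443)  # placeholder RFC 5737 address


def served_cert(ip, port, server_name, timeout=5.0):
    """DER cert offered when server_name is announced; verification is
    off on purpose so we see whatever the server picks, right or wrong."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def diagnose(expected, served):
    """Per ServerName: 'ok', 'served certificate of <other vhost>', or
    'unknown' if no configured file matches. Both map name -> DER bytes."""
    owners = {der: name for name, der in expected.items()}
    report = {}
    for name, der in served.items():
        owner = owners.get(der)
        if owner == name:
            report[name] = "ok"
        elif owner is None:
            report[name] = "unknown"
        else:
            report[name] = "served certificate of " + owner
    return report


if __name__ == "__main__":
    expected = {n: ssl.PEM_cert_to_DER_cert(open(p).read())
                for n, p in VHOSTS.items()}
    served = {n: served_cert(*SHARED_ENDPOINT, n) for n in VHOSTS}
    for name, verdict in diagnose(expected, served).items():
        print("%-25s %s" % (name, verdict))
```

Run it on the web server itself (or anywhere that can reach the shared IP:port and read the configured certificate files); a vhost reported as "served certificate of <other vhost>" reproduces exactly the mismatch discussed in the thread.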