Hi! man httpd.conf says: [tls option] "Set the TLS configuration for the server."
I assumed that "the server" would mean that every (virtual) server can have its own tls options (and certificates). Otherwise it would have said "Set the TLS configuration for httpd and all virtual servers."

Is that wrong? Can I only have ONE key and ONE cert and the cert must be a multi domain certificate?

I tried this:

############################################################
ext_addr="*"
prefork 3

server "domaina.com" {
    alias "www.domaina.com"
    listen on $ext_addr tls port 443
    tls dhe "auto"
    root "/htdocs/domaina"
}

server "domainb.com" {
    alias "www.domainb.com"
    listen on $ext_addr tls port 443
    tls dhe "auto"
    tls certificate "/etc/ssl/domainb.crt"
    tls key "/etc/ssl/private/domainb.key"
    root "/htdocs/domainb"
}
############################################################

You see in domaina.com there is no certificate specification. According to the documentation the default values should be used. And they are.

On OpenBSD 5.7 I get the cert from the default files when I try to access https://www.domaina.com
On OpenBSD 5.7 I also get the certificate for domaina when I access domainb.com, which results in a certificate error.

On OpenBSD 5.8 it's the other way round: when accessing domainb the browser reports the correct certificate. When accessing domaina I get the certificate of domainb (and the corresponding cert error).

I started httpd -d -vvvv on OpenBSD 5.7 to check the output and found that the messages

server_tls_load_keypair: using certificate /etc/ssl/cert.pem
server_tls_load_keypair: using private key /etc/ssl/private/server.key

only appear for those two files. So the httpd obviously does not read the other certificates.

T.
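
A static check for the situation described in the post, as an added example that is not part of the original message: it groups the server blocks by TLS listener and reports every listener whose servers name different certificate/key files. The function names, the regex-based parsing (flat server blocks only) and the default paths, which are taken from the debug output quoted in the post, are assumptions of this example.

```python
import re
from collections import defaultdict

# Default keypair paths as reported by the debug output quoted in the post.
DEFAULT_KEYPAIR = ("/etc/ssl/cert.pem", "/etc/ssl/private/server.key")

# The configuration from the post, trimmed to its TLS-relevant lines.
SAMPLE_CONF = '''
ext_addr="*"
server "domaina.com" {
    listen on $ext_addr tls port 443
}
server "domainb.com" {
    listen on $ext_addr tls port 443
    tls certificate "/etc/ssl/domainb.crt"
    tls key "/etc/ssl/private/domainb.key"
}
'''

def parse_servers(conf):
    """Return name, TLS listeners and keypair per server block (flat blocks only)."""
    macros = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', conf, re.M))
    servers = []
    for name, body in re.findall(r'server\s+"([^"]+)"\s*\{([^{}]*)\}', conf):
        # Expand $macro references such as $ext_addr.
        body = re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), body)
        cert = re.search(r'tls\s+certificate\s+"([^"]+)"', body)
        key = re.search(r'tls\s+key\s+"([^"]+)"', body)
        listeners = re.findall(r'listen\s+on\s+(\S+)\s+tls\s+port\s+(\d+)', body)
        servers.append({
            "name": name,
            "listeners": [(addr, int(port)) for addr, port in listeners],
            "keypair": (cert.group(1) if cert else DEFAULT_KEYPAIR[0],
                        key.group(1) if key else DEFAULT_KEYPAIR[1]),
        })
    return servers

def keypair_conflicts(conf):
    """Map each TLS listener to its server names when their keypairs differ."""
    by_listener = defaultdict(list)
    for srv in parse_servers(conf):
        for listener in srv["listeners"]:
            by_listener[listener].append(srv)
    return {listener: sorted(s["name"] for s in group)
            for listener, group in by_listener.items()
            if len({s["keypair"] for s in group}) > 1}

if __name__ == "__main__":
    print(keypair_conflicts(SAMPLE_CONF))
```

Run against the posted configuration, it reports the `*` port 443 listener as shared by `domaina.com` and `domainb.com` with two different keypairs, which is the combination for which the post observes only one certificate being served.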