As a quick hack, I setup the normal vhost to have a certificate 1 (it
has to have one defined to even start after all) then patch
set_ssl_vhost() to load a different "ctx" certificate 2. I would leak
context like crazy, but as a quick proof-of-concept it would tell me if
it is feasible.
strcasecmp(servername, "www.example.com")) {
SSL_CTX *ctx;
int status;
found = TRUE;
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "example patch:
loading");
ctx = SSL_CTX_new(SSLv23_method());
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "new ctx %p", ctx);
status = SSL_CTX_use_certificate_file(ctx,
"/etc/certs/www.example.com.pem",
X509_FILETYPE_PEM);
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "loaded pem file %d",
status);
if ((ssl = ((SSLConnRec *)myConnConfig(c))->ssl) == NULL)
return 0;
if (!(sc = mySrvConfig(s)))
return 0;
sc->server->ssl_ctx = ctx;
SSL_set_SSL_CTX(ssl,sc->server->ssl_ctx);
SSL_CTX_set_app_data(ctx, s);
return 1;
}
The last few lines, I have tried a few combinations in my attempt to
make it work. I get the following output however:
[Tue Jan 29 12:23:38 2008] [error] Called set_ssl_vhost with
'www.example.jp'
[Tue Jan 29 12:23:38 2008] [error] example patch: loading
[Tue Jan 29 12:23:38 2008] [error] new ctx
[Tue Jan 29 12:23:38 2008] [error] loaded pem file 1
[Tue Jan 29 12:23:38 2008] [error] Re-negotiation handshake failed: Not
accepted by client!?
And Seamonkey says: "the site uses a security protocol that isn't enabled".
Am I trying to patch it in too late in the game?, has it already sent
part of the vhost certificate1 before the example.com certificate2?
If I create a vhost with example.com, and example.com.pem certificate2,
as well as the default vhost, both certificates work and loads
correctly. It is my hack that breaks things, I am not sure how much of
apache's framework I need to conform to.
Jorgen Lundman wrote:
What is the state with TLS/SNI at the moment? We are exploring offering
SSL certificates to users, and in a perfect world we would like to keep
our httpd.conf free of provisioning.
Apache 2.2.0
OpenSSL-0.9.8e
At the moment, all users' vhosts are defined as:
<VirtualHost *:80>
VirtualDocumentRoot "/export/nfs/www/%-1/%-2.-1/%-2.-2/%-2+/"
So a request for http://www.example.com/$path would translate as
/export/nfs/www/com/e/l/www.example/$path
If that directory exists it is served.
What would be ideal is if a user had a certificate as:
/export/nfs/www/com/e/l/www.example/.certificate
Then SSL TLS/SNI would use it and "everything would just work".
(Minus Safari, and Konquerer from our current tests)
Possible right now ? Possible if I add a little code?
Lundy
--
Jorgen Lundman | <[EMAIL PROTECTED]>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
