Apache 2.2 lost some SSL functionality from 2.0? (thread in the Linux Web Servers forum, Web Server and Related Forums)
I want to move my systems from CentOS4 to 5 and am currently checking out the differences going from Apache 2.0 to 2.2. Basically I don't find much and can reuse most of my configuration. But I found a showstopper issue with the SSL module. It cannot identify name-based virtual hosts anymore.

I see there is an FAQ at http://httpd.apache.org/docs/2.2/ssl...q.html#vhosts2 and I see this FAQ is available for 2.0 as well. Just that it is wrong, at least for 2.0. This *was* possible with Apache 2.0 and I don't see that change listed in the Upgrade 2.2 guide.

In case you don't believe me that this was possible on Apache 2.0, just configure two name-based virtual hosts on the same IP and port no. and use the same certificate for both (*). It was possible with 1.3 as well. On 2.2 it goes straight to the first virtual host. Obviously earlier Apache versions grabbed the Host: header after the SSL negotiation and used that to identify the virtual host. This functionality must have been dropped. Anyone know if there is a way to re-enable it without changes to the code?

(*) which means it's only useful for use with wildcard certificates, but then it really makes sense and saves on a lot of IP numbers.

Kai
Kai Schaetzl <kai@mvps.org.invalid> writes:
> In case you don't believe me that this was possible on Apache 2.0 just
> configure two name-based virtual hosts on same IP and port no. and use the
> same certificate for both (*). It was possible with 1.3 as well. On 2.2 it
> goes straight to the first virtual host.

That would make the browser show a warning dialog if the certificate doesn't match the host that the user requests through navigation. Doesn't sound like what you want.

HTTP should be extended to support something like STARTTLS. It would take a long time for such a change to propagate through enough software to be viable, but I'm just amazed the process wasn't started years ago.
Paul Rubin schrieb am 10 Feb 2008 06:15:25 -0800:
> That would make the browser show a warning dialog if the certificate
> doesn't match the host that the user requests thru navigation. Doesn't
> sound like what you want.

You may not have read the (*) before your amazingly quick reply ;-) The only scenario where it makes sense to use this configuration is with wildcard certificates. There it works just fine and has worked fine for years with Apache. Until 2.2.

It's a cheap way of providing SSL for less "important" URLs like different webmail suites on the same machine or providing virtual hosts for administration of several aspects like spam-filtering or databases which only differ in the first part of the hostname, like webmail1.example.org, webmail2.example.org etc.

Kai

--
Conactive Internet Services, Berlin, Germany
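The setup the two posts above describe, written out as an added example for Apache 2.2 (it is not from the thread, the Apache documentation or the CentOS package): two name-based virtual hosts on one address:port, both serving the same wildcard certificate so that either hostname matches and no browser warning appears. The hostnames are the webmail1/webmail2.example.org ones from the post; the 192.0.2.10 address, the DocumentRoot directories and the certificate and key paths are placeholders.

```apache
# Added example: name-based SSL virtual hosts on a single address:port (Apache 2.2).
Listen 443

# Declare this address:port as name-based. Without this line 2.2 treats the
# <VirtualHost> blocks below as IP-based and always serves the first one,
# which is exactly the "goes straight to the first virtual host" symptom.
NameVirtualHost 192.0.2.10:443

<VirtualHost 192.0.2.10:443>
    ServerName   webmail1.example.org
    DocumentRoot /srv/www/webmail1
    SSLEngine on
    # One wildcard certificate for *.example.org (placeholder paths), shared by
    # both hosts; the name the browser asked for is covered either way.
    SSLCertificateFile    /etc/pki/tls/certs/wildcard.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.example.org.key
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName   webmail2.example.org
    DocumentRoot /srv/www/webmail2
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/wildcard.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.example.org.key
</VirtualHost>
```

With this in place the SSL handshake is identical for both names (same certificate, same address), and the Host: header read after the handshake is all that separates the two hosts, which is the behaviour the first post relies on. `httpd -S` (or `apachectl -S`) prints the virtual host map as httpd parsed it and is the quickest way to confirm that both ServerNames are registered as name-based on 192.0.2.10:443 rather than one of them having silently become the default.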
Interestingly the wiki implies that it *should* work.
http://wiki.apache.org/httpd/CommonM...gurations#head

Kai

--
Conactive Internet Services, Berlin, Germany
Kai Schaetzl <kai@mvps.org.invalid> writes:
> It's a cheap way of providing SSL for less "important" URLs like different
> webmail suites on the same machine or providing virtual hosts for
> administration of several aspects like spam-filtering or databases which
> only differ in the first part of the hostname, like webmail1.example.org,
> webmail2.example.org etc.

Hmm, yeah, ok, I see what you mean. You are right and it should work, unless there are some subtle issues that I'm not seeing. The SSL layer is supposed to be basically independent of the data underneath, including http headers and how they are parsed.

There is some discussion at:

http://issues.apache.org/bugzilla/show_bug.cgi?id=41537

that indicates the change may have occurred between 2.2.3 and 2.2.4.
Paul Rubin schrieb am 10 Feb 2008 07:00:50 -0800:
> There is some discussion at:
>
> http://issues.apache.org/bugzilla/show_bug.cgi?id=41537
>
> that indicates the change may have occurred between 2.2.3 and 2.2.4.

Thanks for this bug. I had just been searching bugzilla myself with almost the same words that are in the summary of this bug, but didn't find that one.

This report is against HEAD, but the apache actually used by the reporter at his test site is a 2.0.54. And the comment later is also on 2.0 (where it works just fine till today). And from all the comments it sounds like it should still work in 2.2. I wonder if the Apache 2.2.3 on CentOS 5 may actually be broken in this respect, although I don't see a fix in a later version on the changelog. The only reference I can find in the changelog is for 2.1.9 and implies it should work:

http://issues.apache.org/bugzilla/show_bug.cgi?id=37051

Same for this one:

http://issues.apache.org/bugzilla/show_bug.cgi?id=43997

Thanks for your comments. I'll subscribe to the apache mailing list and try to get more information there before I file a bug report.

Kai