--- Begin Message ---
Package: apache2.2-common
Version: 2.2.9-10+lenny3
Severity: wishlist
Tags: patch
/etc/apache2/ports.conf says:
<IfModule mod_ssl.c>
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
Listen 443
</IfModule>
But name-based SSL virtual hosts are actually supported. What is not supported is having several certificates: the first one is always presented, as, at this moment, the server does not know which virtual host to serve.
I suggest this modification, to let the user know the advantages and disadvantages of using name-based or address-based virtual hosts:
<IfModule mod_ssl.c>
# SSL name based virtual hosts will all use the first certificate declared.
# Further certificate declarations are simply ignored, so you should use
# either certificates with wildcards or alternative names (SubjectAltName),
# or address-based virtual hosts.
NameVirtualHost *:443
Listen 443
</IfModule>
-- Package-specific info:
List of enabled modules from 'apache2 -M':
alias auth_basic authn_file authz_default authz_groupfile
authz_host authz_user autoindex cgi dir env mime negotiation php5
setenvif status userdir
-- System Information:
Debian Release: 5.0.1
APT prefers stable
APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apache2 depends on:
ii apache2-mpm-prefork 2.2.9-10+lenny3 Apache HTTP Server - traditional n
apache2 recommends no packages.
apache2 suggests no packages.
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.9-10+lenny3 utility programs for webservers
ii libapr1 1.2.12-5 The Apache Portable Runtime Librar
ii libaprutil1 1.2.12+dfsg-8+lenny2 The Apache Portable Runtime Utilit
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libmagic1 4.26-1 File type determination library us
ii libssl0.9.8 0.9.8g-15+lenny1 SSL shared libraries
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii mime-support 3.44-1 MIME files 'mime.types' & 'mailcap
ii net-tools 1.60-22 The NET-3 networking toolkit
ii perl 5.10.0-19 Larry Wall's Practical Extraction
ii procps 1:3.2.7-11 /proc file system utilities
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
-- no debconf information
--- ports.conf.old 2009-06-20 12:04:45.000000000 +0200
+++ ports.conf 2009-06-20 12:09:00.000000000 +0200
@@ -9,7 +9,10 @@
Listen 80
<IfModule mod_ssl.c>
- # SSL name based virtual hosts are not yet supported, therefore no
- # NameVirtualHost statement here
+ # SSL name based virtual hosts will all use the first certificate declared.
+ # Further certificate declarations are simply ignored, so you should use
+ # either certificates with wildcards or alternative names (SubjectAltName),
+ # or address-based virtual hosts.
+ NameVirtualHost *:443
Listen 443
</IfModule>
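Review bot: the new comment at `+ # SSL name based virtual hosts will all use the first certificate declared.` only documents the certificate limitation, yet the hunk also adds `+ NameVirtualHost *:443` unconditionally, so every `<VirtualHost *:443>` in an existing configuration becomes name-based without the administrator opting in. Either leave that line commented out as a documented option, or extend the comment so it also states that per-vhost SSL access-control directives (the maintainer's reply in this thread names SSLRequire and SSLVerifyClient) only behave as expected for the first vhost on the address, since an administrator who reads only the comment about certificates would not expect an access-control regression.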
--- End Message ---
--- Begin Message ---
On Saturday 20 June 2009, Tanguy Ortolo wrote:
> But name-based SSL virtual hosts are actually supported. What is
> not supported, is to have several certificates: the first one is
> always presented, as, at this moment, the server does not know what
> virtual host to serve.
No, name-based SSL virtual hosts are not supported. If you use a
configuration as you suggest, SSLRequire and SSLVerifyClient will not
work correctly for all virtual hosts except the first, i.e. you may
introduce security issues if you don't know exactly what you are
doing.
But this is moot anyway, as 2.2.12 will add SNI with proper support
for name-based SSL virtual hosts.
--- End Message ---
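Both messages describe the same pre-SNI limitation from different angles: the reporter points out that only the first SSL vhost's certificate is served, and the maintainer adds that SSLRequire and SSLVerifyClient are not applied as expected for any name-based SSL vhost after the first. The following lint script is an added example, not part of the bug report or of the Debian apache2 package. It parses a constructed configuration in a small subset of Apache syntax (NameVirtualHost, `<VirtualHost>` blocks, one directive per line) and reports, for each address declared name-based, every SSL vhost after the first that declares its own SSLCertificateFile or uses SSLVerifyClient/SSLRequire. Hostnames, addresses and file paths in the sample are made up.

```python
"""Lint an Apache 2.2 (pre-SNI) configuration for name-based SSL vhosts.

Added example, not part of the bug report or the Debian apache2 package.
It understands only a subset of httpd.conf syntax: NameVirtualHost,
<VirtualHost ...> blocks, one directive per line, '#' comments.
"""
import re
from collections import defaultdict

VHOST_OPEN = re.compile(r"^<VirtualHost\s+(\S+)\s*>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)
NAMEVHOST = re.compile(r"^NameVirtualHost\s+(\S+)$", re.IGNORECASE)

# Per-vhost SSL access-control directives that, per the maintainer's reply,
# only work correctly for the first name-based SSL vhost on an address.
ACCESS_DIRECTIVES = {"sslverifyclient": "SSLVerifyClient",
                     "sslrequire": "SSLRequire"}

# Constructed sample: two name-based SSL vhosts on *:443 plus one
# address-based vhost; names, addresses and paths are made up.
SAMPLE_CONF = """\
NameVirtualHost *:443
Listen 443

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www.example.org.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName intranet.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/intranet.example.org.pem
    SSLVerifyClient require
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Org"
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName admin.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/admin.example.org.pem
    SSLVerifyClient require
</VirtualHost>
"""


def parse_config(text):
    """Return (set of NameVirtualHost addresses, vhosts in file order).

    Each vhost is a dict with 'addr', 'line' (1-based line of the opening
    tag) and 'directives' mapping lowercased names to lists of values.
    """
    name_based = set()
    vhosts = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = NAMEVHOST.match(line)
        if m and current is None:
            name_based.add(m.group(1).lower())
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = {"addr": m.group(1).lower(), "line": lineno,
                       "directives": defaultdict(list)}
            continue
        if VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is not None:
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            current["directives"][parts[0].lower()].append(value)
    return name_based, vhosts


def lint(text):
    """Return (line, message) findings for SSL vhosts whose per-host
    certificate or client-certificate checks the pre-SNI server cannot
    honour, because they are not the first SSL vhost on a name-based address."""
    name_based, vhosts = parse_config(text)
    findings = []
    first_ssl = {}  # address -> first SSL-enabled vhost seen on it
    for vh in vhosts:
        d = vh["directives"]
        ssl_on = any(v.lower() == "on" for v in d.get("sslengine", []))
        if vh["addr"] not in name_based or not ssl_on:
            continue
        first = first_ssl.setdefault(vh["addr"], vh)
        if first is vh:
            continue
        # The certificate declared here is never presented; the first vhost's is.
        mine = d.get("sslcertificatefile")
        theirs = first["directives"].get("sslcertificatefile") or ["<none>"]
        if mine and mine != theirs:
            findings.append((vh["line"], "SSLCertificateFile %s ignored; %s "
                             "(line %d) is served" % (mine[0], theirs[0], first["line"])))
        # Client-certificate checks here are not applied as this vhost expects.
        for key, shown in ACCESS_DIRECTIVES.items():
            if key in d:
                findings.append((vh["line"], "%s not enforced for this "
                                 "name-based SSL vhost" % shown))
    return findings


if __name__ == "__main__":
    for line, msg in lint(SAMPLE_CONF):
        print("line %d: %s" % (line, msg))
```

Run against the sample, the script reports three findings, all on the second `*:443` vhost (line 10): its certificate is shadowed by the first vhost's, and its SSLVerifyClient and SSLRequire lines are not enforced. The address-based `192.0.2.10:443` vhost produces no finding, which is the reporter's suggested alternative. The same check is a reasonable pre-upgrade inventory item: any vhost it flags is one whose access control depends on SNI once the server is upgraded to a version that supports it.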