
Bug#533757: marked as done (apache2: ports.conf should not say name-based SSL virtual hosts are not supported)



Your message dated Sun, 21 Jun 2009 16:46:22 +0200
with message-id <200906211646.23432.sf@sfritsch.de>
and subject line Re: Bug#533757: apache2: ports.conf should not say name-based SSL virtual hosts are not supported
has caused the Debian Bug report #533757,
regarding apache2: ports.conf should not say name-based SSL virtual hosts are not supported
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
533757: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=533757
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.9-10+lenny3
Severity: wishlist
Tags: patch

/etc/apache2/ports.conf says:
<IfModule mod_ssl.c>
    # SSL name based virtual hosts are not yet supported, therefore no
    # NameVirtualHost statement here
    Listen 443
</IfModule>

But name-based SSL virtual hosts are actually supported. What is not supported is having several certificates: the first one is always presented, as, at that moment, the server does not know which virtual host to serve.

I suggest this modification, to let the user know the advantages and disadvantages of using name-based or address-based virtual hosts:
<IfModule mod_ssl.c>
    # SSL name based virtual hosts will all use the first certificate declared.
    # Further certificate declarations are simply ignored, so you should use
    # either certificates with wildcards or alternative names (SubjectAltName),
    # or address-based virtual hosts.
    NameVirtualHost *:443
    Listen 443
</IfModule>

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi dir env mime negotiation php5
  setenvif status userdir

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork      2.2.9-10+lenny3 Apache HTTP Server - traditional n

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny3      utility programs for webservers
ii  libapr1             1.2.12-5             The Apache Portable Runtime Librar
ii  libaprutil1         1.2.12+dfsg-8+lenny2 The Apache Portable Runtime Utilit
ii  libc6               2.7-18               GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination library us
ii  libssl0.9.8         0.9.8g-15+lenny1     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2 init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' & 'mailcap
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19            Larry Wall's Practical Extraction 
ii  procps              1:3.2.7-11           /proc file system utilities
ii  zlib1g              1:1.2.3.3.dfsg-12    compression library - runtime

-- no debconf information
--- ports.conf.old	2009-06-20 12:04:45.000000000 +0200
+++ ports.conf	2009-06-20 12:09:00.000000000 +0200
@@ -9,7 +9,10 @@
 Listen 80
 
 <IfModule mod_ssl.c>
-    # SSL name based virtual hosts are not yet supported, therefore no
-    # NameVirtualHost statement here
+    # SSL name based virtual hosts will all use the first certificate declared.
+    # Further certificate declarations are simply ignored, so you should use
+    # either certificates with wildcards or alternative names (SubjectAltName),
+    # or address-based virtual hosts.
+    NameVirtualHost *:443
     Listen 443
 </IfModule>
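Review bot: the replacement comment in the `<IfModule mod_ssl.c>` block covers only the certificate consequence of name-based SSL virtual hosts, and the workaround it recommends ("certificates with wildcards or alternative names (SubjectAltName)") only addresses that one consequence; the maintainer's reply in this thread states that SSLRequire and SSLVerifyClient also do not work correctly for any virtual host except the first, so an admin following this comment could put client-certificate or SSLRequire controls into a second `*:443` vhost and have them silently not apply. Before adding an unconditional `NameVirtualHost *:443`, the comment should name that limitation as well, e.g. "SSLVerifyClient and SSLRequire settings in later *:443 vhosts are not applied", or the NameVirtualHost line should stay commented out so enabling it is a deliberate choice.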

--- End Message ---
--- Begin Message ---
On Saturday 20 June 2009, Tanguy Ortolo wrote:
> But name-based SSL virtual hosts are actually supported. What is
> not supported, is to have several certificates: the first one is
> always presented, as, at this moment, the server does not know what
> virtual host to serve.

No, name-based SSL virtual hosts are not supported. If you use a
configuration as you suggest, SSLRequire and SSLVerifyClient will not 
work correctly for all virtual hosts except the first, i.e. you may 
introduce security issues if you don't know exactly what you are 
doing.

But this is moot anyway, as 2.2.12 will add SNI with proper support 
for name-based SSL virtual hosts.



--- End Message ---
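A way to check the claims made in both messages against a running server, as an added example that is not part of the bug report, the reply, or Apache itself: it fetches the certificate a server presents when the client sends SNI and again when it does not (what a pre-SNI client does, and what the reply says makes the server fall back to its first vhost), and reports which of the configured ServerName values the no-SNI certificate fails to cover, which is exactly the gap the reporter's wildcard/SubjectAltName workaround has to close. The host names in VHOSTS and the sample certificate dict are constructed for the example, and the wildcard rule is the RFC 6125 one (one `*` as the whole leftmost label, never matching the bare parent domain), which the thread does not spell out. Certificate-chain validation stays on because Python's `getpeercert()` returns an empty dict when verification is disabled; pass `cafile` for a private CA.

```python
"""Probe which certificate a TLS server presents with and without SNI.

Added example, not code from the Debian bug report or from Apache. The names in
VHOSTS are hypothetical; replace them with your own ServerName values, all of
which must resolve to the Apache instance being checked.
"""
import socket
import ssl


def cert_dns_names(cert):
    """Return the DNS names a getpeercert()-style dict covers: the subjectAltName
    dNSName entries, falling back to the subject commonName only if there is no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or '*' as the entire leftmost label matching
    exactly one label, with at least two labels left in the pattern. So
    '*.example.org' covers 'www.example.org' but neither 'example.org' nor
    'a.b.example.org', and '*.org' never matches anything."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    if "*" in suffix or "." not in suffix:
        return False
    head, sep, tail = hostname.partition(".")
    return bool(sep) and head != "" and tail == suffix


def uncovered_vhosts(cert, vhosts):
    """Return the configured vhost names that this certificate does not cover."""
    names = cert_dns_names(cert)
    return [host for host in vhosts if not any(name_matches(n, host) for n in names)]


def fetch_cert(host, port=443, sni=True, cafile=None, timeout=5.0):
    """Connect and return the peer certificate dict. With sni=False no
    server_hostname is sent, so a server that can only select a vhost by SNI
    answers with whatever its first (default) *:443 vhost is configured with."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Keep chain validation (getpeercert() is empty under CERT_NONE) but do not
    # abort on a name mismatch: seeing the "wrong" certificate is the point.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()


def probe(vhosts, port=443, cafile=None):
    """For each vhost, record the certificate names seen with and without SNI and
    which configured vhosts the no-SNI certificate would leave uncovered."""
    report = {}
    for host in vhosts:
        with_sni = fetch_cert(host, port, sni=True, cafile=cafile)
        without_sni = fetch_cert(host, port, sni=False, cafile=cafile)
        report[host] = {
            "sni": cert_dns_names(with_sni),
            "no_sni": cert_dns_names(without_sni),
            "no_sni_uncovers": uncovered_vhosts(without_sni, vhosts),
        }
    return report


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, standing in
# for the first vhost's certificate on a server without SNI support.
SAMPLE_FIRST_VHOST_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.example.org")),
}
# Hypothetical ServerName values of three name-based *:443 vhosts.
VHOSTS = ["www.example.org", "mail.example.org", "intranet.example.net"]

if __name__ == "__main__":
    # Offline: which vhosts would a non-SNI client be unable to verify?
    print(uncovered_vhosts(SAMPLE_FIRST_VHOST_CERT, VHOSTS))  # ['intranet.example.net']
    # Online, against a real server:  import sys; print(probe(sys.argv[1:]))
```

On a server with SNI support (2.2.12 and later, per the reply) the `sni` and `no_sni` entries differ for every vhost except the default one, and `no_sni_uncovers` tells you which names a non-SNI client will get a mismatch warning for; on an older server both entries are identical for all vhosts. The probe shows only certificate selection, not whether a later vhost's SSLVerifyClient or SSLRequire settings are applied.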