
RE: Apache-SSL 'n Cert Fun



Well, that's a common misunderstanding of HTTPS.
Imagine that you are a web server. A TCP connection comes in. You then
negotiate SSL parameters over that TCP connection. After (and if) the
SSL parameters are negotiated you receive over the SSL tunnel the HTTP
request which includes, besides other things, the Host field.
Now.. How can you know which certificate to use when you still don't
know the vhost name? :) It is a chicken and egg problem as you see.
The only way around it is to use separate IP addresses for each ssl
enabled vhost.

It is very nicely documented in the mod_ssl manual.

BR,
Boyan Krosnov, CCIE#8701
http://boyan.ludost.net/
just another techie speaking for himself
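To make the ordering above concrete, here is an added Python example; it is not code from the original thread, from apache-ssl or from mod_ssl. It builds a minimal TLS ClientHello record, then shows what a server actually has in hand at the moment it must commit to a certificate: the local address it accepted the connection on, and the server_name (SNI) extension if the client sent one. The HTTP Host header is not among these; it only arrives inside the tunnel after the handshake finishes. In 2003 clients did not send SNI, so the listening IP was the only per-vhost signal, which is why one IP per SSL vhost was the answer; SNI later became the standard fix and current Apache mod_ssl supports it. The IP addresses, hostnames and .pem paths below are constructed for the example.

```python
"""ClientHello builder/parser showing what a server knows at cert-selection time.

Added example, not from the original thread. Addresses, hostnames and
certificate paths are constructed; the ClientHello fields are real TLS layout.
"""
import struct
from typing import Optional


def _vec(data: bytes, len_size: int) -> bytes:
    """Length-prefixed vector as used throughout TLS (1-, 2- or 3-byte length)."""
    return len(data).to_bytes(len_size, "big") + data


def build_client_hello(server_name: Optional[str] = None) -> bytes:
    """Return a TLS record carrying a ClientHello; SNI extension is optional."""
    client_random = b"\x11" * 32          # constructed, not random
    session_id = b""
    cipher_suites = b"\xc0\x2f\x00\x9c"   # two arbitrary suite codes
    compression = b"\x00"                 # null compression only
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        name_entry = b"\x00" + _vec(host, 2)          # name_type 0 = host_name
        extensions += b"\x00\x00" + _vec(_vec(name_entry, 2), 2)  # ext type 0
    body = (b"\x03\x03" + client_random + _vec(session_id, 1)
            + _vec(cipher_suites, 2) + _vec(compression, 1))
    if extensions:
        body += _vec(extensions, 2)
    handshake = b"\x01" + _vec(body, 3)               # HandshakeType client_hello
    return b"\x16\x03\x01" + _vec(handshake, 2)       # ContentType handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Extract host_name from the server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version + random
    pos += 1 + body[pos]                              # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                              # compression_methods
    if pos >= len(body):
        return None                                   # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type != 0:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        i = 2
        while i + 3 <= 2 + list_len:
            name_type = data[i]
            name_len = struct.unpack("!H", data[i + 1:i + 3])[0]
            name = data[i + 3:i + 3 + name_len]
            i += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


# Constructed vhost tables. A 2003 apache-ssl could only use the first one,
# which is why each SSL vhost needed its own address.
CERT_BY_IP = {
    "192.0.2.10": "/etc/apache-ssl/default.pem",
    "192.0.2.11": "/etc/apache-ssl/shop.pem",
}
CERT_BY_NAME = {
    "www.example.test": "/etc/apache-ssl/default.pem",
    "shop.example.test": "/etc/apache-ssl/shop.pem",
}


def select_certificate(dst_ip: str, record: bytes) -> str:
    """Choose a cert using only what exists before the handshake completes.

    dst_ip is what a real server would read from sock.getsockname(); the
    record is the first thing the client sends. No HTTP Host header exists yet.
    """
    name = parse_sni(record)
    if name is not None and name in CERT_BY_NAME:
        return CERT_BY_NAME[name]          # SNI path; absent from 2003 clients
    # No SNI: the address the connection arrived on is the only per-vhost signal.
    return CERT_BY_IP.get(dst_ip, CERT_BY_IP["192.0.2.10"])
```

Run `select_certificate("192.0.2.10", build_client_hello())` and the only choice left is the default certificate, exactly the symptom in the reply below; the same call on "192.0.2.11" picks shop.pem, and a client that sends SNI gets the right certificate on either address.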

-----Original Message-----
From: D. Clarke [mailto:dclarke@FlatlineSystems.net] 
Sent: Monday, March 03, 2003 5:07 AM
To: debian-isp@lists.debian.org
Subject: Re: Apache-SSL 'n Cert Fun


Hi,

Thanks.  I decrypted it this afternoon actually and it works fine.
Still bugs me that it doesn't work with it encrypted, but that's another
day [and not my problem :)]

However, the next problem is...

With Two vhosts configured, apache-ssl seems to only send out the cert
for the 'default' domain regardless of which vhost I go after. Even
though each vhost has a separate specified .pem file.

Yippi. :(

~ Darryl

----- Original Message -----
From: "Craig Sanders" <cas@taz.net.au>
To: "D. Clarke" <dclarke@FlatlineSystems.net>
Cc: <debian-isp@lists.debian.org>
Sent: Sunday, March 02, 2003 8:13 PM
Subject: Re: Apache-SSL 'n Cert Fun


> On Sun, Mar 02, 2003 at 08:01:20AM -0500, D. Clarke wrote:
> > apache-ssl works fine without an encrypted test key & cert... once
> > encrypted pewf, it dies (which I need, because that's how the client
> > gave it to me...  ugh.)
> >
> > Any new ideas? :)
>
> use openssl and the pass-phrase to decrypt the cert.  then configure 
> apache to use the decrypted copy.
>
>
> using encrypted certificates on a web server is worse than useless.
> either:
>
> 1. you store the pass-phrase on the server so that the startup scripts
> can read it (which is pointless, any attacker that could get an
> unencrypted cert could also get an encrypted cert plus the passphrase)
>
> or
>
> 2. you manually enter the passphrase every time apache is restarted.
> this effectively prevents automatic startup of your web server at boot
> time (e.g after a power failure, or kernel upgrade etc), and also
> makes it impossible for staff to restart the server unless they know
> the pass-phrases for all encrypted keys used by the server.
>
>
> since there's no security advantage in using encrypted certificates 
> (item #1 above), and significant operational disadvantages (item #2), 
> your best bet is to use unencrypted certificates.
>
>
> craig
>
> --
> craig sanders <cas@taz.net.au>
>
> Fabricati Diem, PVNC.
>  -- motto of the Ankh-Morpork City Watch
>
>




