We're here
And nice weather too!
Today, I encountered the following weirdness in Apache’s SSL certificate handling. I have two SSL virtual hosts on different IP addresses. The essentials:
<VirtualHost a.b.c.d:443>
    SSLCertificateFile /path/to/cert1
</VirtualHost>
<VirtualHost a.b.c.e:443>
    SSLCertificateFile /path/to/cert2
</VirtualHost>
This works as expected, as long as the ServerNames of the two virtual hosts differ. If the ServerNames are identical, Apache serves the certificate from /path/to/cert1 for both virtual hosts and never uses /path/to/cert2 at all.
Is this somehow documented behaviour or otherwise to be expected?
I understand that there is a close relationship between a virtual host’s name, the server certificate (which also contains the host name), and the name the client uses to connect to the site, but of these three, the virtual host’s name matters the least. A mismatch only causes a warning in the Apache error log:
RSA server certificate CommonName (CN) `example.com' does NOT match server name!?
but that’s it. Clients are still able to verify the certificate, because the certificate name still matches the hostname in the request.
I think it should be perfectly possible to serve different certificates on different virtual hosts, even if they have the same name. The setup that gave me this trouble uses client certificate verification to authenticate and authorize connecting clients. We distinguish between ‘production’ clients and ‘development’ clients, which have different client certificates signed by different CAs, and we have different server certificates to match. We use DNS views or even /etc/hosts to direct clients to the right server. I don’t see why this shouldn’t work, do you?
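As an added example (not the post’s own code): a small Python check that parses a vhost configuration like the one above and flags any ServerName shared by SSL virtual hosts that point at different certificate files, the exact combination that made Apache fall back to the first certificate here. The sample configuration is constructed inline, and the parser assumes one SSLCertificateFile per vhost.

```python
import re
from collections import defaultdict

# Constructed sample config mirroring the post's setup: two IP-based SSL
# vhosts with different certificates but the same ServerName.
SAMPLE_CONFIG = """
<VirtualHost a.b.c.d:443>
    ServerName example.com
    SSLCertificateFile /path/to/cert1
</VirtualHost>
<VirtualHost a.b.c.e:443>
    ServerName example.com
    SSLCertificateFile /path/to/cert2
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|SSLCertificateFile)\s+(\S+)", re.M | re.I)


def parse_vhosts(config):
    """Return a list of (address, server_name, cert_file) tuples, one per vhost."""
    vhosts = []
    for addr, body in VHOST_RE.findall(config):
        fields = {k.lower(): v for k, v in DIRECTIVE_RE.findall(body)}
        vhosts.append((addr.strip(), fields.get("servername"), fields.get("sslcertificatefile")))
    return vhosts


def find_cert_collisions(config):
    """Group SSL vhosts by ServerName and report names that map to more than
    one certificate file, i.e. the situation in which only cert1 got served."""
    by_name = defaultdict(set)
    for _addr, name, cert in parse_vhosts(config):
        if cert:
            by_name[name].add(cert)
    return {name: sorted(certs) for name, certs in by_name.items() if len(certs) > 1}


if __name__ == "__main__":
    for name, certs in find_cert_collisions(SAMPLE_CONFIG).items():
        print(f"ServerName {name!r} is shared by vhosts with different certificates: {certs}")
```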
Time for a quote:
Mr. Wilders, you practise political terror and vandalism: the methods you use for this are exclusion, fearmongering, hate-mongering, intimidation and ridiculing opponents, avoiding debate and poisoning the atmosphere in the country. You are not part of the solution, but part of the problem.
“Kiplingski” in response to the usual rubbish that Wilders is allowed to spread, this time via nu.nl
I love it when a plan comes together