multiple virtualhosts with ssl on the same IP


multiple virtualhosts with ssl on the same IP

by wde


Hi,


As written in the yaws.conf documentation:

"Yaws can virthost several webservers on the same ip address as well as several webservers on different ip addresses. The one limitation here is that there can be only one server with ssl enabled per each individual ip address."


In my quest to understand Yaws, I'm trying something like this to bypass this limit (I introduce a new configuration parameter, sslvirtual):


<server www.funky.org>
        port = 443
        listen = 192.168.128.32
        docroot = /var/yaws/www_funky_org
        <ssl>
                keyfile = /etc/funky.key
                certfile = /etc/funky.cert
        </ssl>
</server>

<server funky.org>
        port = 443
        listen = 192.168.128.32
        sslvirtual = true
        docroot = /var/yaws/www_funky_org
        <ssl>
                keyfile = /etc/funky.key
                certfile = /etc/funky.cert
        </ssl>
</server>


With this parameter, funky.org is not bound on the socket {192.168.128.32,443} but is added to the group of #sconf corresponding to the first server (same socket), as in plain HTTP. The pick_sconf function in SSL context now does the same thing as in plain context, comparing the Host header to find the right #sconf.

For the test I added sslvirtual to the #sconf.soptions field. All modifications are in yaws_server (the SSL configuration must be strictly identical; otherwise yaws_config:search_sconf would need to be modified, because the search uses the listen, port, ssl and servername fields).


Details:

yaws_server:do_listen(SC,GC) checks whether the sslvirtual flag is set in the #sconf.
If yes, instead of trying to bind a socket on {Ip,Port}, it just returns {nossl,undefined,sslvirtual};

yaws_server:gserv(Top, GC, Group0) checks whether do_listen returns something like {_,_,sslvirtual}.
If yes, gserv/3 does a proc_lib:init_ack(sslvirtual).

yaws_server:start_group receives sslvirtual and does nothing (returns false); it's the same case as when failonbind is set to false.

pick_sconf in SSL context does the same thing as pick_sconf without SSL.


For the certificate generation, I used the subjectAltName extension (in which I set all virtual hosts).


Seems to work.

Did I miss something?

wde

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Erlyaws-list mailing list
Erlyaws-list@...
https://lists.sourceforge.net/lists/listinfo/erlyaws-list

Re: multiple virtualhosts with ssl on the same IP

by Claes Wikström


wde wrote:

>
> For the certificate generation, I used the extension subjectAltName (in which I set all virtual hosts).
>

So this is the problem - the certificate must be sent on the socket before
we get the Host header.
I honestly don't see any real use of this feature since I don't believe
browsers support this - at least they didn't - has this changed ?

/klacke


Re: multiple virtualhosts with ssl on the same IP

by wde


I can't estimate the support of this extension by browsers, but it seems to work for FX 2.0 and IE 6.0.

I see this extension in the google.com certificate:

 X509v3 Subject Alternative Name:
        DNS:google.com, DNS:*.google.com


In fact, in a case where I have only one server and one IP, and I would like to serve https://www.mydomain.com and https://mydomain.com, I tried this "trick" :+)


======= on 29/09/2009, 22:20:27 you wrote: =======

>wde wrote:
>
>>
>> For the certificate generation, I used the extension subjectAltName (in which I set all virtual hosts).
>>
>
>So this is the problem - the certificate must be sent on the socket before
>we get the Host header.
>I honestly don't see any real use of this feature since I don't believe
>browsers support this - at least they didn't - has this changed ?
>
>/klacke
>

= = = = = = = = = ========= = = = = = = = = = =
                       
wde
wde@...
29/09/2009


Re: multiple virtualhosts with ssl on the same IP

by wde


I found this article:

http://wiki.cacert.org/VhostTaskForce#Interoperability_Test

======= on 29/09/2009, 22:20:27 you wrote: =======

>wde wrote:
>
>>
>> For the certificate generation, I used the extension subjectAltName (in which I set all virtual hosts).
>>
>
>So this is the problem - the certificate must be sent on the socket before
>we get the Host header.
>I honestly don't see any real use of this feature since I don't believe
>browsers support this - at least they didn't - has this changed ?
>
>/klacke
>

= = = = = = = = = ========= = = = = = = = = = =
                       
wde
wde@...
30/09/2009


Re: multiple virtualhosts with ssl on the same IP

by Torbjorn Tornkvist


wde wrote:
> I found this article :
>
> http://wiki.cacert.org/VhostTaskForce#Interoperability_Test

This looks great!

--Tobbe

>
> ======= on 29/09/2009, 22:20:27 you wrote: =======
>
>> wde wrote:
>>
>>> For the certificate generation, I used the extension subjectAltName (in which I set all virtual hosts).
>>>
>> So this is the problem - the certificate must be sent on the socket before
>> we get the Host header.
>> I honestly don't see any real use of this feature since I don't believe
>> browsers support this - at least they didn't - has this changed ?
>>
>> /klacke
>>
>
> = = = = = = = = = ========= = = = = = = = = = =
>
> wde
> wde@...
> 30/09/2009



Re: multiple virtualhosts with ssl on the same IP

by Claes Wikström


wde wrote:
> I found this article :
>
> http://wiki.cacert.org/VhostTaskForce#Interoperability_Test
>

Ok - interesting. It appears I was wrong, good.
So it's the last column in the table that works on
all browsers: CN + SubjAltName.

How did you generate the cert you use?

Does anyone know if CAs will accept CSRs with
these attributes set? If they don't, all this is also moot.

/klacke

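What klacke's objection in the first reply and the "CN + SubjAltName" column come down to, as an added example written for this page (not code from Yaws or from anyone in the thread): the client checks the name it connected to against the certificate it has already received during the handshake, so the one certificate on the shared ip:port has to list every virtual host in subjectAltName. The Cert type and the host names below are constructed stand-ins for a parsed X.509 certificate; the matching rules are those of RFC 6125 (dNSName entries take precedence over the CN, and a wildcard is honoured only as the whole leftmost label).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    """Identity fields of a server certificate that matter for virtual hosting.

    Constructed stand-in for a parsed X.509 certificate: only the subject CN
    and the subjectAltName entries are modelled.
    """
    cn: str                                           # subject commonName
    san_dns: List[str] = field(default_factory=list)  # subjectAltName DNS:... entries
    san_ip: List[str] = field(default_factory=list)   # subjectAltName IP:... entries


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a host, per RFC 6125 section 6.4.3.

    A wildcard is accepted only as the whole leftmost label and only when at
    least two labels follow it: "*.funky.org" matches "www.funky.org" but
    neither "funky.org" nor "a.b.funky.org", and "*.org" matches nothing.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "w*.funky.org" are rejected
    return p_labels == h_labels


def hostname_matches(cert: Cert, host: str) -> bool:
    """Decide, as a browser does, whether `cert` is valid for `host`.

    The browser compares the name the user typed (the same name it will later
    put in the Host header) with the certificate delivered in the handshake.
    If the certificate carries any dNSName entries the CN is ignored, which is
    why a name present only in the CN stops matching once a SAN is added.
    """
    host = host.lower().rstrip(".")
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # IP literals are matched only against iPAddress SAN entries.
        return any(ipaddress.ip_address(s) == wanted_ip for s in cert.san_ip)
    if cert.san_dns:
        return any(_dns_name_matches(p, host) for p in cert.san_dns)
    # Legacy fallback: no dNSName present, compare the CN literally.
    return cert.cn.lower().rstrip(".") == host


def uncovered_vhosts(cert: Cert, vhosts: List[str]) -> List[str]:
    """Return the virtual host names on one ip:port that `cert` does not cover.

    Every name served behind a single <ssl> listener has to leave this list
    empty: there is one certificate to send, and it goes out before the
    Host header arrives, so the server cannot pick a different one per name.
    """
    return [v for v in vhosts if not hostname_matches(cert, v)]


if __name__ == "__main__":
    # Constructed sample: the two servers from the yaws.conf in the thread
    # sharing {192.168.128.32, 443}, first with a plain single-name cert,
    # then with a CN + subjectAltName cert as the CAcert table recommends.
    vhosts = ["www.funky.org", "funky.org"]
    single = Cert(cn="www.funky.org")
    print("single-name cert misses:", uncovered_vhosts(single, vhosts))  # ['funky.org']
    san = Cert(cn="funky.org", san_dns=["funky.org", "www.funky.org"])
    print("CN+SAN cert misses:", uncovered_vhosts(san, vhosts))          # []
```

Run stand-alone it reports funky.org as uncovered by the single-name certificate and nothing uncovered by the CN + subjectAltName one. Note the caveat the CAcert table implies: once any DNS entry is present the CN is no longer consulted, so the CN name itself has to be repeated in the subjectAltName list or it silently stops matching.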

Re: multiple virtualhosts with ssl on the same IP

by wde


In my openssl.cnf file I have the following sections for the subject alternative names:


[sslserver]
...
subjectAltName                  = @aliases


[aliases]
DNS.1 = bla.com
DNS.2 = super.bla.com


To generate the key and the CSR:

openssl req -new -config ./openssl.cnf -newkey rsa:1024 -nodes -keyout yaws.ppk -out yaws.csr



To sign the CSR with the extensions:

openssl ca -config ./openssl.cnf -extensions sslserver -in yaws.csr -out yaws-cert.pem

======= on 30/09/2009, 16:03:11 you wrote: =======

>wde wrote:
>> I found this article :
>>
>> http://wiki.cacert.org/VhostTaskForce#Interoperability_Test
>>
>
>Ok - interesting. It appears I was wrong, good.
>So it's the last column in the table that works on
>all browsers.  CN + SubjAltName
>
>How do you generated the cert you use?
>
>Does anyone know if CAs will accept CSRs with
>these attributes set? If they don't all this is also moot.
>
>
>
>
>/klacke
>
= = = = = = = = = ========= = = = = = = = = = =
                       
wde
wde@...
30/09/2009


Attachment: openssl.cnf (3K)

Re: multiple virtualhosts with ssl on the same IP

by Claes Wikström


wde wrote:
> In my openssl.cnf file I have the the following sections for the subject alternative names

Ok - I'm happy - all this looks good and I'd be happy to
include this. How do you want to proceed? Maybe we should
take this off list?

/klacke
