Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-23 Thread Matthew Bachmann
:00 AM, Tushar Chavan wrote: > > > > Date: Tue, 22 Oct 2013 08:26:57 -0400 > > From: d...@bellsouth.net > > To: users@httpd.apache.org > > Subject: [users@httpd] Virtual Hosts and SSL Puzzler > > > > I have 3 virtual hosts that for all I can see are configur

RE: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-23 Thread Tushar Chavan
> Date: Tue, 22 Oct 2013 08:26:57 -0400 > From: d...@bellsouth.net > To: users@httpd.apache.org > Subject: [users@httpd] Virtual Hosts and SSL Puzzler > > I have 3 virtual hosts that for all I can see are configured identically > other than the obviously needed differences

Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Chris Gordon
Thank you for the enlightenment Yehuda! I must not be meeting one of the SNI prerequisites (maybe LD_LIBRARY_PATH, maybe TLS Extensions) because I get a warning message on startup about using * and Name Based Hosting with SSL. I have a secure workaround so as long as it works and security is

Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Dennis Putnam
On 10/22/2013 10:03 AM, Yehuda Katz wrote: > If the sites you are referencing allow you to access them over https, > that will solve the problem. > My preferred solution is to omit the http: altogether. If a url just > starts with "//example.com/rest/of/url > ", the b

Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Yehuda Katz
On Tue, Oct 22, 2013 at 10:08 AM, Chris Gordon wrote: > To answer your questions: > *"Doesn't the SSLCertificate parameter for each VH say which cert to use*? > > > Yes, but how does Apache know which VH to get the cert from until it has > used a cert to decrypt the SSL? It just used the first

Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Chris Gordon
I think the previous poster, I shift deleted the mail but I think it is a prominent poster here 'Pete Houston' who had a very good point. It could just be that you have mixed content. You can use a development mode of a browser to find any links to http content, that will certainly break the p

Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Yehuda Katz
If the sites you are referencing allow you to access them over https, that will solve the problem. My preferred solution is to omit the http: altogether. If a url just starts with "//example.com/rest/of/url", the browser will use the appropriate protocol automatically. - Y On Tue, Oct 22, 2013 at

Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Dennis Putnam
On 10/22/2013 9:44 AM, Yehuda Katz wrote: > On Tue, Oct 22, 2013 at 9:39 AM, Dennis Putnam > wrote: > > Thanks. That might make more sense (at least to me). After more > reading, > I am not sure that I don't have SNI capable version of httpd already > ins

Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Yehuda Katz
On Tue, Oct 22, 2013 at 9:39 AM, Dennis Putnam wrote: > Thanks. That might make more sense (at least to me). After more reading, > I am not sure that I don't have SNI capable version of httpd already > installed (how do I tell?). The pages that work are very simple but the > one that doesn't is

Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Dennis Putnam
On 10/22/2013 9:12 AM, Pete Houston wrote: > On Tue, Oct 22, 2013 at 08:26:57AM -0400, Dennis Putnam wrote: >> I get a gray globe indicating >> partial encryption which does not prevent eavesdropping. I have no clue >> how to debug this or even where to look. Can someone point me in the >> right di

Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Yehuda Katz
On Tue, Oct 22, 2013 at 9:10 AM, Chris Gordon wrote: > SSL wraps http and you need a cert to decrypt the data sent via SSL. If > you have 3 virtual hosts and you are using Name Based Virtual Hosting how > does the Apache web server know which cert to use to decrypt and read the > header so it c

Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Dennis Putnam
On 10/22/2013 9:10 AM, Chris Gordon wrote: > Sorry, brevity is not my strong point. > > Because I do not know what your certs look like as far as what > domain(s) are considered CNs I'm going to guess it has something to do > with the following... > > SSL wraps http and you need a cert to decr

Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Pete Houston
On Tue, Oct 22, 2013 at 08:26:57AM -0400, Dennis Putnam wrote: > I get a gray globe indicating > partial encryption which does not prevent eavesdropping. I have no clue > how to debug this or even where to look. Can someone point me in the > right direction? Thanks. This is usually indicative of a

Re: [users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Chris Gordon
Sorry, brevity is not my strong point. Because I do not know what your certs look like as far as what domain(s) are considered CNs I'm going to guess it has something to do with the following... SSL wraps http and you need a cert to decrypt the data sent via SSL. If you have 3 virtual host

[users@httpd] Virtual Hosts and SSL Puzzler

2013-10-22 Thread Dennis Putnam
I have 3 virtual hosts that for all I can see are configured identically other than the obviously needed differences. The same is true of the 3 crt files. ServerName public.mydomain.com DocumentRoot /var/www/html SSLEngine on SSLCertificateFile /etc/httpd/SSL/public