sks-devel

Re: [Sks-devel] Question: serving two different SSL certificates under Apache?


From: Martin Papik
Subject: Re: [Sks-devel] Question: serving two different SSL certificates under Apache?
Date: Mon, 02 Jun 2014 01:13:29 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


This link might help.

https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

However this relies on an extension to TLS called SNI (server name
indication), which sadly isn't implemented in all clients, some less
popular or older browsers for example. So it may not work in some
cases, depending on the client libraries and the client software. The
SW using openssl needs to issue an extra call to make use of it. I
think it's SSL_set_tlsext_host_name. But that's not the point. The
point is some software doesn't do that. It works without it in most
cases, so nobody catches it until somebody complains a decade after
HTTPS was coded. :-) By which time nobody remembers how it was done.

The safest bet is to have an extra IP address.

PS, if you do this, IMHO you might want to watch the logs for a while
to see if any problems arise (I saw some crap about SNI when I tested
it some time back).

PPS, does anybody have any idea about the PKS/SKS clients out there? I.e. if
they do this correctly? I only tested web browsers myself.

Martin

On 06/01/2014 11:05 PM, John Zaitseff wrote:
> Hi,
> 
> I am setting up https://keyserver.zap.org.au/ to be used by 
> hkps.pool.sks-keyservers.net.  I am trying to serve different SSL 
> certificates depending on the incoming hostname.  Does anyone know
>  if this is possible within the SAME VirtualHost configuration 
> block under Apache?
> 
> My current configuration includes:
> 
> <VirtualHost *:11372 *:443>
>     ServerAdmin address@hidden
>     ServerName keyserver.zap.org.au
>     ServerAlias *.sks-keyservers.net
> 
>     SSLEngine on
> 
>     # Only allow secure ciphers and protocols: SSLv3 and TLSv1
>     SSLCipherSuite HIGH:MEDIUM:!ADH
>     SSLProtocol all -SSLv2
> 
>     SSLCertificateFile /etc/ssl/certs/keyserver.pem
>     SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
>     SSLCACertificateFile /etc/ssl/certs/ZAP_Group_CA_Root.pem
> 
>     <Proxy *>
>         Order allow,deny
>         Allow from all
>     </Proxy>
> 
>     ProxyPass / http://127.0.0.1:11371/
>     ProxyPassReverse / http://127.0.0.1:11371/
>     ProxyVia On
> 
>     SetEnv proxy-nokeepalive 1
> 
>     ...
> </VirtualHost>
> 
> I know I can create a second VirtualHost block with 
> SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile
>  pointing to the sks-keyservers.net-generated certificates, but is 
> it possible to do this within the SAME VirtualHost block, based on
>  environment variables, etc.?
> 
> Yours truly,
> 
> John Zaitseff
> 
> -- 
> John Zaitseff                    ,--_|\    The ZAP Group
> Phone: +61 2 9643 7737          /      \   Sydney, Australia
> E-mail: address@hidden          \_,--._*   http://www.zap.org.au/
>                                       v
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJTi6V0AAoJELsEaSRwbVYr7R4QAKUeoqYhZLNeB1SsHowzG4YB
4p1yllsEgqui174R17vh8ueZoc1jfKWVthLgk42LGrG2ATOlb/1Rr/yRBhnd6+R8
9459NnL419x9AYQ7eF/ijy1lx4iIFjqco+a2qEtfga/6GhSwZ/gwLlnOqGbJmiPP
QjxqD26Fs/WADxBbupMbEBPtxgM73zNtP+YiLVxHL9Lp4ITs8Gzog2XIZvPvZ/9L
yjF5Ckczce+IhAmsKKHy2k/Qg7pC3DnuNkYr/lA5FJfFSNxIImaq4G0ieDQCRqoZ
k7TSkB/fPaxSJhX92zl1Jja22eqtlQnVVuChLdcYoiGpbhvTpyjkR6wn6i4dbFfr
QnH6ra1D771t7Q5IK3nbyGSnTxxY31dxZJxTIFLNugwLEtJuXuK4nVMQSPWzRTni
ekKwUMDMpC8TP7tYgNOcV12GMYvNJI9pMaGEVsK2rq0QeDCAhVZL48lGpzp+wkvl
yQkX9AFoMQarR5NWcHWYqbuth0N/TTG3obxav3DnDYbfsvAwp8WlbR89pj3mplri
5p8i/EQdbKhzIf3JcoiISWBgPYgicLGPwhZR4S71VIfs1siLFpunXmAZAXlg0idf
2pOxh89ocKj7UoOSQT6G6kCN+Y5c+sC14bgw5xwkjrF5k16Wx09LmgFRdByoR4fs
EGeCBsD1bhy4GHy+G6hb
=A9zy
-----END PGP SIGNATURE-----
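Martin's point is that the server only learns which certificate to send if the client explicitly puts the host name into the ClientHello (what SSL_set_tlsext_host_name does in OpenSSL); a client that never sets it, or a legacy client that sends no extensions at all, gets whatever the default VirtualHost serves. The following Python is an added example, not code from this thread, from SKS or from Apache: it builds minimal TLS 1.2 ClientHello records with and without the server_name extension (RFC 6066) and parses the host name back out with bounds checks on every length field. The host names, cipher suites and the second (empty) extension are constructed sample values.

```python
"""Build and parse TLS ClientHello records to see whether a client sends SNI.
Added example; the ClientHellos are constructed here, not captured traffic."""
import struct

SNI_EXTENSION = 0x0000       # server_name, RFC 6066
EXT_MASTER_SECRET = 0x0017   # a second, empty extension so the parser must skip one


def build_client_hello(server_name=None, with_extensions=True):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input).
    server_name=None, with_extensions=True  -> client speaks extensions but never set a host name
    server_name=None, with_extensions=False -> legacy client with no extension block at all"""
    version = b"\x03\x03"
    body = version + b"\x00" * 32 + b"\x00"          # client_version, random, empty session id
    suites = [0xC02F, 0xC030, 0x009C, 0x002F]        # sample cipher suites (assumed values)
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    if with_extensions:
        exts = b""
        if server_name is not None:
            name = server_name.encode("idna")
            entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
            sni_list = struct.pack("!H", len(entry)) + entry
            exts += struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
        exts += struct.pack("!HH", EXT_MASTER_SECRET, 0)
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def _take(buf, pos, n):
    """Slice n bytes at pos or raise ValueError; every length field goes through here."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def parse_sni(record):
    """Return the host name from a ClientHello's server_name extension, or None
    when the client sent none.  Malformed or truncated input raises ValueError."""
    hdr, pos = _take(record, 0, 5)
    if hdr[0] != 0x16:
        raise ValueError("not a handshake record")
    handshake, _ = _take(record, pos, struct.unpack("!H", hdr[3:5])[0])
    hs_hdr, p = _take(handshake, 0, 4)
    if hs_hdr[0] != 0x01:
        raise ValueError("not a ClientHello")
    body, _ = _take(handshake, p, int.from_bytes(hs_hdr[1:4], "big"))
    _, p = _take(body, 0, 2 + 32)                     # client_version + random
    sid_len, p = _take(body, p, 1)
    _, p = _take(body, p, sid_len[0])                 # session id
    cs_len, p = _take(body, p, 2)
    _, p = _take(body, p, struct.unpack("!H", cs_len)[0])   # cipher suites
    cm_len, p = _take(body, p, 1)
    _, p = _take(body, p, cm_len[0])                  # compression methods
    if p == len(body):
        return None                                   # legacy hello: no extension block
    ext_len, p = _take(body, p, 2)
    exts, _ = _take(body, p, struct.unpack("!H", ext_len)[0])
    q = 0
    while q < len(exts):
        eh, q = _take(exts, q, 4)
        etype, elen = struct.unpack("!HH", eh)
        edata, q = _take(exts, q, elen)
        if etype != SNI_EXTENSION:
            continue
        ll, r = _take(edata, 0, 2)
        names, _ = _take(edata, r, struct.unpack("!H", ll)[0])
        r = 0
        while r < len(names):
            nh, r = _take(names, r, 3)                # name_type, name length
            name, r = _take(names, r, struct.unpack("!H", nh[1:3])[0])
            if nh[0] == 0x00:
                return name.decode("ascii")
    return None                                       # extensions present, but no server_name


def is_malformed(record):
    """True if parse_sni rejects the record; lets a caller treat garbage as a distinct case."""
    try:
        parse_sni(record)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for label, rec in [("browser with SNI", build_client_hello("keyserver.zap.org.au")),
                       ("client that never set the name", build_client_hello(None)),
                       ("legacy client, no extensions", build_client_hello(None, False))]:
        print("%-32s -> %r" % (label, parse_sni(rec)))
```

Run it and the first record yields the host name while the other two yield None; a server choosing between two certificates has nothing else to go on, so those two connections land on the default VirtualHost whatever ServerName they intended. The same parser, fed the first bytes of a connection logged by a packet capture, is a quick way to answer Martin's PPS for a given PKS/SKS client without reading its source.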


