httpd presenting the wrong TLS certificate


httpd presenting the wrong TLS certificate

Hugo Osvaldo Barrera-2
Hi,

I've only just recently started moving from nginx to httpd (I *loved* the
config syntax by the way!).

I'm having an issue with httpd presenting the wrong TLS certificate for a
client - it seems to be defaulting always to the first entry, ignoring all
later ones.

Here's my narrowed down test config:

    server "hugo.barrera.io" {
            alias "barrera.io"
            listen on * tls port 1443
            root "/sites/hugo.barrera.io"
            tls certificate "/var/www/tls/hugo.barrera.io/chain.crt"
            tls key         "/var/www/tls/hugo.barrera.io/ssl.key"
    }

    server "calendar.barrera.io" {
            listen on * tls port 1443
            root "/sites/calendar.barrera.io"
            tls certificate "/var/www/tls/calendar.barrera.io/chain.crt"
            tls key         "/var/www/tls/calendar.barrera.io/ssl.key"
    }

In both scenarios, httpd is presenting the TLS certificate for
hugo.barrera.io.

Any hints? Did I do something wrong? Did I hit a bug?

Thanks,

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?



Re: httpd presenting the wrong TLS certificate

Peter Hessler
httpd does not yet support SNI.  You will need to either wait, use a
wildcard SSL cert, or use different ports/IPs.


On 2015 Mar 14 (Sat) at 19:26:31 -0300 (-0300), Hugo Osvaldo Barrera wrote:

--
Harrisberger's Fourth Law of the Lab:
        Experience is directly proportional to the amount of equipment
        ruined.
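A config check for the situation Peter describes, added here as an example and not code from the thread or from httpd: it parses a trimmed copy of Hugo's two server blocks (constructed inline), flags TLS listeners that carry more than one certificate (which only works with SNI), and shows which certificate a non-SNI server hands out on that listener. The regex-based parser and function names are assumptions for illustration, not an httpd API.

```python
import re
from collections import OrderedDict

# Constructed, trimmed copy of the two server blocks from the thread.
HTTPD_CONF = '''
server "hugo.barrera.io" {
        alias "barrera.io"
        listen on * tls port 1443
        tls certificate "/var/www/tls/hugo.barrera.io/chain.crt"
}
server "calendar.barrera.io" {
        listen on * tls port 1443
        tls certificate "/var/www/tls/calendar.barrera.io/chain.crt"
}
'''

# Minimal hypothetical parser: enough for server/listen/tls certificate lines.
SERVER_RE = re.compile(r'server\s+"([^"]+)"\s*\{(.*?)\}', re.S)
LISTEN_RE = re.compile(r'listen\s+on\s+(\S+)\s+tls\s+port\s+(\d+)')
CERT_RE = re.compile(r'tls\s+certificate\s+"([^"]+)"')


def parse_servers(conf):
    """Return [(name, (addr, port), cert_path)] for each TLS server block."""
    servers = []
    for name, body in SERVER_RE.findall(conf):
        listen, cert = LISTEN_RE.search(body), CERT_RE.search(body)
        if listen and cert:
            listener = (listen.group(1), int(listen.group(2)))
            servers.append((name, listener, cert.group(1)))
    return servers


def find_sni_conflicts(conf):
    """Group servers by TLS listener. A listener with more than one distinct
    certificate needs SNI to pick the right one; return only those listeners
    as {(addr, port): [(name, cert), ...]} in config order."""
    by_listener = OrderedDict()
    for name, listener, cert in parse_servers(conf):
        by_listener.setdefault(listener, []).append((name, cert))
    return {l: s for l, s in by_listener.items() if len({c for _, c in s}) > 1}


def cert_served_without_sni(conf, listener):
    """Without SNI the first server block bound to the listener wins, so every
    hostname on that listener is handed its certificate."""
    for _name, l, cert in parse_servers(conf):
        if l == listener:
            return cert
    return None
```

Running `find_sni_conflicts(HTTPD_CONF)` on the thread's config reports the single listener `*:1443` with both certificates, which is exactly the case that needs SNI, a SAN or wildcard certificate, or separate ports/IPs.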


Re: httpd presenting the wrong TLS certificate

Hugo Osvaldo Barrera-2
On 2015-03-14 23:34, Peter Hessler wrote:
> httpd does not yet support SNI.  You will need to either wait, use a
> wildcard SSL cert, or use different ports/IPs.
>
>

Oh, I hadn't checked that for SNI. I'll have to wait then; multiple IPv4
addresses are expensive, and CAs will charge for wildcard certs. :(

Is SNI on the roadmap already?

Thanks,


--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?



Re: httpd presenting the wrong TLS certificate

Hugo Osvaldo Barrera-2
On 2015-03-14 19:39, Hugo Osvaldo Barrera wrote:

> On 2015-03-14 23:34, Peter Hessler wrote:
> > httpd does not yet support SNI.  You will need to either wait, use a
> > wildcard SSL cert, or use different ports/IPs.
> >
> >
>
> Oh, I hadn't checked that for SNI. I'll have to wait then; multiple IPv4
> addresses are expensive, and CAs will charge for wildcard certs. :(
>
> Is SNI on the roadmap already?
>

Oh, never mind, I found it:

  https://github.com/reyk/httpd/issues/17

Sorry for the noise.

Cheers!


--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?



Re: httpd presenting the wrong TLS certificate

Ted Unangst-6
In reply to this post by Hugo Osvaldo Barrera-2
Hugo Osvaldo Barrera wrote:
> Hi,
>
> I've only just recently started moving from nginx to httpd (I *loved* the
> config syntax by the way!).
>
> I'm having an issue with httpd presenting the wrong TLS certificate for a
> client - it seems to be defaulting always to the first entry, ignoring all
> laters ones.

I don't think SNI is supported yet.


Re: httpd presenting the wrong TLS certificate

Stuart Henderson
In reply to this post by Hugo Osvaldo Barrera-2
On 2015-03-14, Hugo Osvaldo Barrera <[hidden email]> wrote:
> On 2015-03-14 23:34, Peter Hessler wrote:
>> httpd does not yet support SNI.  You will need to either wait, use a
>> wildcard SSL cert, or use different ports/IPs.
>>
>>
>
> Oh, I hadn't checked that for SNI. I'll have to wait then; multiple IPv4
> addresses are expensive, and CAs will charge for wildcard certs. :(

Another option is to use a certificate with multiple subjectAlternativeNames.
Usually more expensive than a standard cert, but cheaper than wildcard.


Re: [Bulk] Re: httpd presenting the wrong TLS certificate

Kevin Chadwick-2
In reply to this post by Hugo Osvaldo Barrera-2
On Sat, 14 Mar 2015 19:39:01 -0300
Hugo Osvaldo Barrera wrote:

> Oh, I hadn't checked that for SNI. I'll have to wait then; multiple IPv4
> addresses are expensive, and CAs will charge for wildcard certs. :(
>
> Is SNI on the roadmap already?

pound proxy does SNI and works well on port 443 in front of httpd