
Mailing List Archive: Cherokee: users

question about several ssl enabled virtual hosts



alvaro at gnu

Jul 3, 2009, 1:25 AM

Post #26 of 31 (293 views)
Re: question about several ssl enabled virtual hosts

On 03-jul-09, at 10:14, Michiel van Es wrote:

>> Thanks for the update!
>> Do I have to do something special to let the virtual hosts bind to their
>> IP addresses, or to make it work so that if I go to
>> https://webmail.pcintelligence.nl I get the
>> webmail.pcintelligence.nl cert, and at
>> https://www.pcintelligence.nl I get the www.pcintelligence.nl cert?
>>
>> I still get the default cert.
>
> Do I have to enable something when I use ./configure or do I have to
> change something in the cherokee-admin menu?
> Or am I doing something wrong by running 2 SSL virtual hosts within 1
> cherokee webserver running with 2 IP addresses?


You are doing nothing wrong, actually. The server can run listening on as
many NICs and IPs as you wish.

What you are seeing is Cherokee's fault (sort of). Thing is.. the SSL/
TLS handshake happens before the virtual server rule list is
evaluated, and therefore the default certificate is used.

The only two options I can think of (besides the SNI support) are:

- Issue a re-handshake whenever we detect a situation where the wrong
certificates were used at the initial SSL connection.

- Perform a few big and nasty changes in the server architecture in
order to support this sort of old IP-based SSL configuration. I must
confess I don't fancy this option, not even a little bit.

--
Greetings, alo
http://www.alobbs.com/

_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee


info at pcintelligence

Jul 3, 2009, 1:33 AM

Post #27 of 31 (302 views)
Re: question about several ssl enabled virtual hosts

-------- Original Message --------
Subject: Re: [Cherokee] question about several ssl enabled virtual hosts
From: Alvaro Lopez Ortega <alvaro [at] gnu>
To: Michiel van Es <mve [at] pcintelligence>
Date: 07/03/2009 10:25 AM

> On 03-jul-09, at 10:14, Michiel van Es wrote:
>
>>> Thanks for the update!
>>> Do I have to do something special to let the virtual hosts bind to their
>>> IP addresses, or to make it work so that if I go to
>>> https://webmail.pcintelligence.nl I get the
>>> webmail.pcintelligence.nl cert, and at
>>> https://www.pcintelligence.nl I get the www.pcintelligence.nl cert?
>>>
>>> I still get the default cert.
>> Do I have to enable something when I use ./configure or do I have to
>> change something in the cherokee-admin menu?
>> Or am I doing something wrong by running 2 SSL virtual hosts within 1
>> cherokee webserver running with 2 IP addresses?
>
>
> You are doing nothing wrong, actually. The server can run listening on as
> many NICs and IPs as you wish.
>
> What you are seeing is Cherokee's fault (sort of). Thing is.. the SSL/
> TLS handshake happens before the virtual server rule list is
> evaluated, and therefore the default certificate is used.
>
> The only two options I can think of (besides the SNI support) are:
>
> - Issue a re-handshake whenever we detect a situation where the wrong
> certificates were used at the initial SSL connection.
>
> - Perform a few big and nasty changes in the server architecture in
> order to support this sort of old IP-based SSL configuration. I must
> confess I don't fancy this option, not even a little bit.

I am using Firefox 3 and a recent OpenSSL on my server.. why is the newer
method not working for me and must I use the old setup?
I mean: would you find it acceptable if you connect to a server but get
the wrong SSL certificate (a certificate of another server)? What is the
use of certificates if the name does not match? And how would you tell the
difference from a man-in-the-middle attack?

Perhaps I am seeing it all wrong, but what do I have to do to get no
certificate warning with cherokee and my setup? :)

>
> --
> Greetings, alo
> http://www.alobbs.com/

Regards,

Michiel



alvaro at gnu

Jul 3, 2009, 2:12 AM

Post #28 of 31 (287 views)
Re: question about several ssl enabled virtual hosts

On 03-jul-09, at 10:33, Michiel van Es wrote:

> I am using Firefox 3 and a recent OpenSSL on my server.. why is the newer
> method not working for me and must I use the old setup?

As long as you have an OpenSSL library >= 0.9.9, and the client
supports TLS's SNI, everything should work just fine.

However, whenever an old browser (without SNI support) accesses your
server (let's say an IE 6) the SSL handshake will be performed using the
default certificate. The problem is basically the timing: the first thing
an SSL connection does is the handshake between server and client
(sending/receiving the certs), and only when the secure connection is
established does the browser send the HTTP request. The main problem is
that the server does not know what vserver the client wants to access
until it receives that HTTP request.

> I mean: would you find it acceptable if you connect to a server but get
> the wrong SSL certificate (a certificate of another server)? What is the
> use of certificates if the name does not match? And how would you tell the
> difference from a man-in-the-middle attack?

It is an issue, indeed.

--
Greetings, alo
http://www.alobbs.com/

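The timing problem described in the post above is easiest to see at the byte level: everything a server can use to pick a certificate has to be inside the ClientHello, because the Host header only arrives after the handshake has finished. The following is an added example written for this page, not code from Cherokee or from anyone in the thread. It builds a constructed minimal TLS 1.2 ClientHello with or without the SNI extension (RFC 6066), extracts the server_name the way an SNI-capable server does, picks a certificate from a constructed table (the labels stand in for real certificate/key pairs and the `.test` hostnames are placeholders), and then applies the browser's check that the name the user typed is on the certificate actually presented. The no-SNI path is the IE 6 case from the post: the default certificate comes back, the name check fails, and that failure is the warning Michiel asks about. All function names (`build_client_hello`, `parse_sni`, `select_certificate`, `browser_would_warn`) are hypothetical.

```python
# Added example (not Cherokee code): certificate selection from the TLS ClientHello
# alone, before any HTTP request exists, plus the browser-side hostname check.
import struct

# Constructed certificate table: label -> hostnames the certificate is valid for.
# Labels stand in for real certificate/key pairs; the names are placeholders.
CERTS = {
    "cert-www": ["www.example.test"],
    "cert-webmail": ["webmail.example.test"],
}
DEFAULT_CERT = "cert-www"   # what a client that sends no SNI (the IE 6 case) always receives


def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello record; adds the SNI extension if a name is given."""
    body = b"\x03\x03" + bytes(32)       # client_version + client_random (zeros, constructed)
    body += b"\x00"                       # session_id: empty
    body += b"\x00\x02\x00\x2f"           # cipher_suites: one suite, TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                   # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # NameType host_name(0) + HostName
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni      # extension_type server_name(0)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, legacy version


def parse_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                           # skip client_version + client_random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos + 2 > len(body):
            return None                                        # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:
                continue
            p = 2                                              # skip ServerNameList length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def select_certificate(record):
    """Server side: at handshake time the ClientHello is the only information available."""
    requested = parse_sni(record)
    if requested is not None:
        for label, names in CERTS.items():
            if requested in names:
                return label
    return DEFAULT_CERT                                        # no SNI or unknown name: vserver default


def browser_would_warn(record, requested_host):
    """Client side: the name the user typed must be on the certificate actually presented."""
    presented = select_certificate(record)
    return requested_host not in CERTS[presented]


if __name__ == "__main__":
    host = "webmail.example.test"
    for hello in (build_client_hello(host), build_client_hello(None)):
        print(parse_sni(hello), select_certificate(hello), browser_would_warn(hello, host))
```

The same record with the SNI extension stripped is what an SNI-less browser sends, and the server has no lawful way to do better than the default certificate at that point; the mismatch warning is the browser doing its job, since from the client's side a wrong-but-valid certificate and an interposed server look identical until the name check runs.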


info at pcintelligence

Jul 6, 2009, 8:08 AM

Post #29 of 31 (281 views)
Re: question about several ssl enabled virtual hosts

-------- Original Message --------
Subject: Re: [Cherokee] question about several ssl enabled virtual hosts
From: Alvaro Lopez Ortega <alvaro [at] gnu>
To: Michiel van Es <info [at] pcintelligence>
Date: 07/03/2009 11:12 AM

> On 03-jul-09, at 10:33, Michiel van Es wrote:
>
>> I am using Firefox 3 and a recent OpenSSL on my server.. why is the newer
>> method not working for me and must I use the old setup?
>
> As long as you have an OpenSSL library >= 0.9.9, and the client supports
> TLS's SNI, everything should work just fine.

Hmm, I found out I have a patched 0.9.8b-*patch number* version.. so it
won't work for me..

>
> However, whenever an old browser (without SNI support) accesses your
> server (let's say an IE 6) the SSL handshake will be performed using the
> default certificate. The problem is basically the timing: the first thing
> an SSL connection does is the handshake between server and client
> (sending/receiving the certs), and only when the secure connection is
> established does the browser send the HTTP request. The main problem is that
> the server does not know what vserver the client wants to access until
> it receives that HTTP request.
>
>> I mean: would you find it acceptable if you connect to a server but get
>> the wrong SSL certificate (a certificate of another server)? What is the
>> use of certificates if the name does not match? And how would you tell the
>> difference from a man-in-the-middle attack?
>
> It is an issue, indeed.

Are you considering implementing the *old* setup? Binding certificates
to an IP address?

>
> --
> Greetings, alo
> http://www.alobbs.com/
Regards,

Michiel


alvaro at gnu

Jul 6, 2009, 10:49 AM

Post #30 of 31 (285 views)
Re: question about several ssl enabled virtual hosts

On 06-jul-09, at 17:08, Michiel van Es wrote:

>> However, whenever an old browser (without SNI support) accesses your
>> server (let's say an IE 6) the SSL handshake will be performed using the
>> default certificate. The problem is basically the timing: the first thing
>> an SSL connection does is the handshake between server and client
>> (sending/receiving the certs), and only when the secure connection is
>> established does the browser send the HTTP request. The main problem is
>> that the server does not know what vserver the client wants to access
>> until it receives that HTTP request.
>>
>>> I mean: would you find it acceptable if you connect to a server but get
>>> the wrong SSL certificate (a certificate of another server)? What is the
>>> use of certificates if the name does not match? And how would you tell
>>> the difference from a man-in-the-middle attack?
>>
>> It is an issue, indeed.
>
> Are you considering implementing the *old* setup? Binding certificates
> to an IP address?


I did. When I wrote the target_ip plug-in I thought that it'd work..
however, I missed a little detail that rendered it useless for this
sort of scenario.

I'd agree on implementing the old method as long as it doesn't mess up
the code. I haven't found a way so far.. so I couldn't tell you for
sure.

Antonio worked on the cryptor-libssl plug-in for a while, and he is
willing to check it out. Let's hope he comes up with some brilliant
solution! :-)

--
Greetings, alo
http://www.alobbs.com/



info at pcintelligence

Jul 6, 2009, 4:24 PM

Post #31 of 31 (279 views)
Re: question about several ssl enabled virtual hosts

Alvaro Lopez Ortega wrote:
> On 06-jul-09, at 17:08, Michiel van Es wrote:
>
>>> However, whenever an old browser (without SNI support) accesses your
>>> server (let's say an IE 6) the SSL handshake will be performed using the
>>> default certificate. The problem is basically the timing: the first thing
>>> an SSL connection does is the handshake between server and client
>>> (sending/receiving the certs), and only when the secure connection is
>>> established does the browser send the HTTP request. The main problem is that
>>> the server does not know what vserver the client wants to access until
>>> it receives that HTTP request.
>>>
>>>> I mean: would you find it acceptable if you connect to a server but get
>>>> the wrong SSL certificate (a certificate of another server)? What is
>>>> the use of certificates if the name does not match? And how would you
>>>> tell the difference from a man-in-the-middle attack?
>>>
>>> It is an issue, indeed.
>>
>> Are you considering implementing the *old* setup? Binding certificates
>> to an IP address?
>
>
> I did. When I wrote the target_ip plug-in I thought that it'd work..
> however, I missed a little detail that rendered it useless for this sort
> of scenario.
>
> I'd agree on implementing the old method as long as it doesn't mess up the
> code. I haven't found a way so far.. so I couldn't tell you for sure.
>
> Antonio worked on the cryptor-libssl plug-in for a while, and he is
> willing to check it out. Let's hope he comes up with some brilliant
> solution! :-)

That sounds amazing and would be a real help for my situation! :-)

>
> --
> Greetings, alo
> http://www.alobbs.com/

Kind regards,

Michiel
