Resolving multiple apache name-based virtual host with sslApache 2.2.14: SSLCARevocation locationSSL, Apache, and Subdomains on a Static IPfirst time setting up ssl, tutorials haven't been too helpfulProblems with multiple SSL on same IP, but only in select clientsApache Virtual Hosts Not WorkingVirtual hosts with port 80 & 443 not workingsetting up multiple ssl certificates on same server/ip on CENTOs with apache 2.2Unbuntu server running Apache with an SSL Cert IssueMy SSL configuration aren't working. Ubuntu apache 2.4ServerAlias without www not working on SSL virtualhost

How many chess players are over 2500 Elo?

Should I disclose a colleague's illness (that I should not know about) when others badmouth him

Is there a down side to setting the sampling time of a SAR ADC as long as possible?

Is it ok to put a subplot to a story that is never meant to contribute to the development of the main plot?

Why does the 6502 have the BIT instruction?

Is this resistor leaking? If so, is it a concern?

Would the Geas spell work in a dead magic zone once you enter it?

Mother abusing my finances

What are the benefits of cryosleep?

How can people dance around bonfires on Lag Lo'Omer - it's darchei emori?

Why do Russians call their women expensive ("дорогая")?

Why do airplanes use an axial flow jet engine instead of a more compact centrifugal jet engine?

Where is the logic in castrating fighters?

How to prevent bad sectors?

How can I find where certain bash function is defined?

Is there a general effective method to solve Smullyan style Knights and Knaves problems? Is the truth table method the most appropriate one?

Ticket sales for Queen at the Live Aid

How do you say “buy” in the sense of “believe”?

How does an ARM MCU run faster than the external crystal?

Graph with same number of edges and vertices is a loop?

Is using the CH340G on a commercial product a horrible idea?

What is the difference between nullifying your vote and not going to vote at all?

Apparent Ring of Craters on the Moon

Is there any use case for the bottom type as a function parameter type?



Resolving multiple apache name-based virtual host with ssl


Apache 2.2.14: SSLCARevocation locationSSL, Apache, and Subdomains on a Static IPfirst time setting up ssl, tutorials haven't been too helpfulProblems with multiple SSL on same IP, but only in select clientsApache Virtual Hosts Not WorkingVirtual hosts with port 80 & 443 not workingsetting up multiple ssl certificates on same server/ip on CENTOs with apache 2.2Unbuntu server running Apache with an SSL Cert IssueMy SSL configuration aren't working. Ubuntu apache 2.4ServerAlias without www not working on SSL virtualhost






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








0















I have the following configurations in my httpd-ssl.conf



NameVirtualHost *:8443

<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>

<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain1.com/
</VirtualHost>

<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain2.com/
</VirtualHost>


When I enter into the browser a url like https://www.domain2.com/resource-under-sub.domain1.com, it actually goes to the path https://sub.domain1.com/resource-under-sub.domain1.com instead of redirecting to http://www.domain2.com. What is wrong with my settings?



Response to @Nic regarding SNI:



I checked my Apache, and from https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI it looks SNI is enabled from the log message:
Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366). I was also using Firefox 56 which should support SNI from https://www.kinamo.be/en/support/faq/which-browsers-support-server-name-indication-sni. However, when I go to the url for the second virtual host it still takes me to the first default virtual host.



This https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI and this https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol suggest for Apache 2.4 (which I am running), that the default setting supports TLSv1 and SNI. In my error and ssl logs, it does not show any records for my requests to the second virtual host, although it does for other hosts, e.g. No matching SSL virtual host for servername other.domain1.com found (using default/first virtual host) and these are using SSLv3 as seen from the message OpenSSL: Loop: SSLv3 read client hello A. However I can also see from the ssl request logs that TLSv1 is being used for some resources: TLSv1 AES128-SHA "GET /javax.faces.resource/theme.css.seam...



Do I need to explicit specify using TLSv1 in the configuration SSLProtocol +TLSv1?



Thanks



Response to @dave_thompson_085:



Thanks, I tried the following configuration, and also cleared the browser cache:



NameVirtualHost _default_:8443

# Default virtual host and catch all
<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias www.domain1.com
SSLEngine on
SSLProtocol all -SSLv3
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain1.com/
</VirtualHost>

# This is the only virtual host name that should handle the ssl
<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>

<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain2.com/
</VirtualHost>

# Other virtual hosts like www.domain2.com


When I access https://www.domain2.com, this is what I get in the error_log_ssl:



[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1830): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0000: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0010: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0020: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0060: ... www.domain2.com |
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1875): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1987): [client 207.46.13.160] SSL virtual host for servername www.domain2.com found
**[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1274): [client 207.46.13.160] handing out temporary 1024 bit DH key
**[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] (70014)End of file found: SSL input filter read failed.
[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] Connection closed to child 199 with standard shutdown (server www.domain2.com:443)


Lines marked ** only occur sometimes. It seems like SSL named virtual host is working from the line SSL virtual host for servername www.domain2.com found. In the browser, it shows that the certificate is unsafe because it doesn't match the serverName, and if I don't accept the certificate, then it doesn't go further, which is fair enough. But if I accept the certificate, it still gets redirected to sub.domain1.com, the site that truly handles the SSL. Why doesn't it redirect to www.domain2.com as specified in the settings?



Thanks so much for your help!






ssl apache-2.4 virtualhost







share|improve this question
























  • The state machine names SSLv3 read client hello etc don't indicate the protocol version because the same state machine is used for SSL3 and TLS1.0-1.2; OpenSSL 1.1.0 (belatedly) changes them to the clearer SSLv3/TLS. SSLv3 is now broken (POODLE) and should not be used; most browsers/clients that will connect to you already refuse it, but to be on the safe side, and satisfy auditors etc who just scan, you should reject it also, which up to 2.4.16 needs SSLProtocol all -SSLv3 (after that it's the default). You definitely should allow TLSv1.1 and especially 1.2 which is better. ...

    – dave_thompson_085
    Oct 14 '17 at 4:39












  • ... If you're not getting any log records perhaps your browser (or other middleware like an HTTPS-intercepting proxy or filter) is caching; make sure everything is cleared, or try a new browser and/or new device and/or a standalone tool like curl.

    – dave_thompson_085
    Oct 14 '17 at 4:39


















0















I have the following configurations in my httpd-ssl.conf



NameVirtualHost *:8443

<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>

<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain1.com/
</VirtualHost>

<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain2.com/
</VirtualHost>


When I enter into the browser a url like https://www.domain2.com/resource-under-sub.domain1.com, it actually goes to the path https://sub.domain1.com/resource-under-sub.domain1.com instead of redirecting to http://www.domain2.com. What is wrong with my settings?



Response to @Nic regarding SNI:



I checked my Apache, and from https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI it looks SNI is enabled from the log message:
Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366). I was also using Firefox 56 which should support SNI from https://www.kinamo.be/en/support/faq/which-browsers-support-server-name-indication-sni. However, when I go to the url for the second virtual host it still takes me to the first default virtual host.



This https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI and this https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol suggest for Apache 2.4 (which I am running), that the default setting supports TLSv1 and SNI. In my error and ssl logs, it does not show any records for my requests to the second virtual host, although it does for other hosts, e.g. No matching SSL virtual host for servername other.domain1.com found (using default/first virtual host) and these are using SSLv3 as seen from the message OpenSSL: Loop: SSLv3 read client hello A. However I can also see from the ssl request logs that TLSv1 is being used for some resources: TLSv1 AES128-SHA "GET /javax.faces.resource/theme.css.seam...



Do I need to explicit specify using TLSv1 in the configuration SSLProtocol +TLSv1?



Thanks



Response to @dave_thompson_085:



Thanks, I tried the following configuration, and also cleared the browser cache:



NameVirtualHost _default_:8443

# Default virtual host and catch all
<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias www.domain1.com
SSLEngine on
SSLProtocol all -SSLv3
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain1.com/
</VirtualHost>

# This is the only virtual host name that should handle the ssl
<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>

<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain2.com/
</VirtualHost>

# Other virtual hosts like www.domain2.com


When I access https://www.domain2.com, this is what I get in the error_log_ssl:



[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1830): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0000: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0010: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0020: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0060: ... www.domain2.com |
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1875): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1987): [client 207.46.13.160] SSL virtual host for servername www.domain2.com found
**[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1274): [client 207.46.13.160] handing out temporary 1024 bit DH key
**[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] (70014)End of file found: SSL input filter read failed.
[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] Connection closed to child 199 with standard shutdown (server www.domain2.com:443)


Lines marked ** only occur sometimes. It seems like SSL named virtual host is working from the line SSL virtual host for servername www.domain2.com found. In the browser, it shows that the certificate is unsafe because it doesn't match the serverName, and if I don't accept the certificate, then it doesn't go further, which is fair enough. But if I accept the certificate, it still gets redirected to sub.domain1.com, the site that truly handles the SSL. Why doesn't it redirect to www.domain2.com as specified in the settings?



Thanks so much for your help!






ssl apache-2.4 virtualhost







share|improve this question
























  • The state machine names SSLv3 read client hello etc don't indicate the protocol version because the same state machine is used for SSL3 and TLS1.0-1.2; OpenSSL 1.1.0 (belatedly) changes them to the clearer SSLv3/TLS. SSLv3 is now broken (POODLE) and should not be used; most browsers/clients that will connect to you already refuse it, but to be on the safe side, and satisfy auditors etc who just scan, you should reject it also, which up to 2.4.16 needs SSLProtocol all -SSLv3 (after that it's the default). You definitely should allow TLSv1.1 and especially 1.2 which is better. ...

    – dave_thompson_085
    Oct 14 '17 at 4:39












  • ... If you're not getting any log records perhaps your browser (or other middleware like an HTTPS-intercepting proxy or filter) is caching; make sure everything is cleared, or try a new browser and/or new device and/or a standalone tool like curl.

    – dave_thompson_085
    Oct 14 '17 at 4:39














0












0








0


1






I have the following configurations in my httpd-ssl.conf



NameVirtualHost *:8443

<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>

<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain1.com/
</VirtualHost>

<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain2.com/
</VirtualHost>


When I enter into the browser a url like https://www.domain2.com/resource-under-sub.domain1.com, it actually goes to the path https://sub.domain1.com/resource-under-sub.domain1.com instead of redirecting to http://www.domain2.com. What is wrong with my settings?



Response to @Nic regarding SNI:



I checked my Apache, and from https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI it looks SNI is enabled from the log message:
Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366). I was also using Firefox 56 which should support SNI from https://www.kinamo.be/en/support/faq/which-browsers-support-server-name-indication-sni. However, when I go to the url for the second virtual host it still takes me to the first default virtual host.



This https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI and this https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol suggest for Apache 2.4 (which I am running), that the default setting supports TLSv1 and SNI. In my error and ssl logs, it does not show any records for my requests to the second virtual host, although it does for other hosts, e.g. No matching SSL virtual host for servername other.domain1.com found (using default/first virtual host) and these are using SSLv3 as seen from the message OpenSSL: Loop: SSLv3 read client hello A. However I can also see from the ssl request logs that TLSv1 is being used for some resources: TLSv1 AES128-SHA "GET /javax.faces.resource/theme.css.seam...



Do I need to explicit specify using TLSv1 in the configuration SSLProtocol +TLSv1?



Thanks



Response to @dave_thompson_085:



Thanks, I tried the following configuration, and also cleared the browser cache:



NameVirtualHost _default_:8443

# Default virtual host and catch all
<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias www.domain1.com
SSLEngine on
SSLProtocol all -SSLv3
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain1.com/
</VirtualHost>

# This is the only virtual host name that should handle the ssl
<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>

<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain2.com/
</VirtualHost>

# Other virtual hosts like www.domain2.com


When I access https://www.domain2.com, this is what I get in the error_log_ssl:



[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1830): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0000: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0010: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0020: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0060: ... www.domain2.com |
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1875): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1987): [client 207.46.13.160] SSL virtual host for servername www.domain2.com found
**[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1274): [client 207.46.13.160] handing out temporary 1024 bit DH key
**[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] (70014)End of file found: SSL input filter read failed.
[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] Connection closed to child 199 with standard shutdown (server www.domain2.com:443)


Lines marked ** only occur sometimes. It seems like SSL named virtual host is working from the line SSL virtual host for servername www.domain2.com found. In the browser, it shows that the certificate is unsafe because it doesn't match the serverName, and if I don't accept the certificate, then it doesn't go further, which is fair enough. But if I accept the certificate, it still gets redirected to sub.domain1.com, the site that truly handles the SSL. Why doesn't it redirect to www.domain2.com as specified in the settings?



Thanks so much for your help!






ssl apache-2.4 virtualhost







share|improve this question
















I have the following configurations in my httpd-ssl.conf



NameVirtualHost *:8443

<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>

<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain1.com/
</VirtualHost>

<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
Redirect permanent / http://www.domain2.com/
</VirtualHost>


When I enter into the browser a url like https://www.domain2.com/resource-under-sub.domain1.com, it actually goes to the path https://sub.domain1.com/resource-under-sub.domain1.com instead of redirecting to http://www.domain2.com. What is wrong with my settings?



Response to @Nic regarding SNI:



I checked my Apache, and from https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI it looks SNI is enabled from the log message:
Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366). I was also using Firefox 56 which should support SNI from https://www.kinamo.be/en/support/faq/which-browsers-support-server-name-indication-sni. However, when I go to the url for the second virtual host it still takes me to the first default virtual host.



This https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI and this https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol suggest for Apache 2.4 (which I am running), that the default setting supports TLSv1 and SNI. In my error and ssl logs, it does not show any records for my requests to the second virtual host, although it does for other hosts, e.g. No matching SSL virtual host for servername other.domain1.com found (using default/first virtual host) and these are using SSLv3 as seen from the message OpenSSL: Loop: SSLv3 read client hello A. However I can also see from the ssl request logs that TLSv1 is being used for some resources: TLSv1 AES128-SHA "GET /javax.faces.resource/theme.css.seam...



Do I need to explicit specify using TLSv1 in the configuration SSLProtocol +TLSv1?



Thanks



Response to @dave_thompson_085:



Thanks, I tried the following configuration, and also cleared the browser cache:



NameVirtualHost _default_:8443

# Default virtual host and catch all
<VirtualHost _default_:8443>
ServerName www.domain1.com
ServerAlias www.domain1.com
SSLEngine on
SSLProtocol all -SSLv3
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain1.com/
</VirtualHost>

# This is the only virtual host name that should handle the ssl
<VirtualHost _default_:8443>
ServerName sub.domain1.com
ServerAlias sub2.domain1.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# some other settings...
</VirtualHost>

<VirtualHost _default_:8443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine on
SSLCertificateFile "/path/to/file.crt"
SSLCertificateKeyFile "/path/to/file.key"
SSLCertificateChainFile "/path/to/chainFile.crt"
# I want to redirect the https to http
Redirect permanent / http://www.domain2.com/
</VirtualHost>

# Other virtual hosts like www.domain2.com


When I access https://www.domain2.com, this is what I get in the error_log_ssl:



[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1830): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0000: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0010: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0020: ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | 0060: ... www.domain2.com |
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1869): | ...
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_io.c(1875): +------------------------------+
[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1987): [client 207.46.13.160] SSL virtual host for servername www.domain2.com found
**[Mon Oct 16 08:10:07 2017] [debug] ssl_engine_kernel.c(1274): [client 207.46.13.160] handing out temporary 1024 bit DH key
**[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] (70014)End of file found: SSL input filter read failed.
[Mon Oct 16 08:10:07 2017] [info] [client n1.n2.n3.n4] Connection closed to child 199 with standard shutdown (server www.domain2.com:443)


Lines marked ** only occur sometimes. It seems like SSL named virtual host is working from the line SSL virtual host for servername www.domain2.com found. In the browser, it shows that the certificate is unsafe because it doesn't match the serverName, and if I don't accept the certificate, then it doesn't go further, which is fair enough. But if I accept the certificate, it still gets redirected to sub.domain1.com, the site that truly handles the SSL. Why doesn't it redirect to www.domain2.com as specified in the settings?



Thanks so much for your help!






ssl apache-2.4 virtualhost




ssl apache-2.4 virtualhost






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Oct 16 '17 at 15:42







clarinet

















asked Sep 29 '17 at 18:29









clarinetclarinet

12




12












  • The state machine names SSLv3 read client hello etc don't indicate the protocol version because the same state machine is used for SSL3 and TLS1.0-1.2; OpenSSL 1.1.0 (belatedly) changes them to the clearer SSLv3/TLS. SSLv3 is now broken (POODLE) and should not be used; most browsers/clients that will connect to you already refuse it, but to be on the safe side, and satisfy auditors etc who just scan, you should reject it also, which up to 2.4.16 needs SSLProtocol all -SSLv3 (after that it's the default). You definitely should allow TLSv1.1 and especially 1.2 which is better. ...

    – dave_thompson_085
    Oct 14 '17 at 4:39












  • ... If you're not getting any log records perhaps your browser (or other middleware like an HTTPS-intercepting proxy or filter) is caching; make sure everything is cleared, or try a new browser and/or new device and/or a standalone tool like curl.

    – dave_thompson_085
    Oct 14 '17 at 4:39


















  • The state machine names SSLv3 read client hello etc don't indicate the protocol version because the same state machine is used for SSL3 and TLS1.0-1.2; OpenSSL 1.1.0 (belatedly) changes them to the clearer SSLv3/TLS. SSLv3 is now broken (POODLE) and should not be used; most browsers/clients that will connect to you already refuse it, but to be on the safe side, and satisfy auditors etc who just scan, you should reject it also, which up to 2.4.16 needs SSLProtocol all -SSLv3 (after that it's the default). You definitely should allow TLSv1.1 and especially 1.2 which is better. ...

    – dave_thompson_085
    Oct 14 '17 at 4:39












  • ... If you're not getting any log records perhaps your browser (or other middleware like an HTTPS-intercepting proxy or filter) is caching; make sure everything is cleared, or try a new browser and/or new device and/or a standalone tool like curl.

    – dave_thompson_085
    Oct 14 '17 at 4:39

















The state machine names SSLv3 read client hello etc don't indicate the protocol version because the same state machine is used for SSL3 and TLS1.0-1.2; OpenSSL 1.1.0 (belatedly) changes them to the clearer SSLv3/TLS. SSLv3 is now broken (POODLE) and should not be used; most browsers/clients that will connect to you already refuse it, but to be on the safe side, and satisfy auditors etc who just scan, you should reject it also, which up to 2.4.16 needs SSLProtocol all -SSLv3 (after that it's the default). You definitely should allow TLSv1.1 and especially 1.2 which is better. ...

– dave_thompson_085
Oct 14 '17 at 4:39






The state machine names SSLv3 read client hello etc don't indicate the protocol version because the same state machine is used for SSL3 and TLS1.0-1.2; OpenSSL 1.1.0 (belatedly) changes them to the clearer SSLv3/TLS. SSLv3 is now broken (POODLE) and should not be used; most browsers/clients that will connect to you already refuse it, but to be on the safe side, and satisfy auditors etc who just scan, you should reject it also, which up to 2.4.16 needs SSLProtocol all -SSLv3 (after that it's the default). You definitely should allow TLSv1.1 and especially 1.2 which is better. ...

– dave_thompson_085
Oct 14 '17 at 4:39














... If you're not getting any log records perhaps your browser (or other middleware like an HTTPS-intercepting proxy or filter) is caching; make sure everything is cleared, or try a new browser and/or new device and/or a standalone tool like curl.

– dave_thompson_085
Oct 14 '17 at 4:39






... If you're not getting any log records perhaps your browser (or other middleware like an HTTPS-intercepting proxy or filter) is caching; make sure everything is cleared, or try a new browser and/or new device and/or a standalone tool like curl.

– dave_thompson_085
Oct 14 '17 at 4:39











1 Answer
1






active

oldest

votes


















0














With regular Apache and SSL certificates, you cannot do that. The negotiation of SSL is done before the name virtual hosting. So the basic answer is to get one IP per site.



A couple years ago certificates and browser started supporting SNI to get around that limit. Look up SNI (Server Name Indication). The majority of recent browsers support that now. But beware that users with old browsers will not be able to access all your sites (well actually they will always try to access the first VirtualHost defined in your configuration, which is the default chosen when name virtual hosting does not work).



In your question you say that are are always sent to sub-domain1, which is logical, since it takes the first VirtualHost found, as I just explained above.






share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "2"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f876196%2fresolving-multiple-apache-name-based-virtual-host-with-ssl%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    With regular Apache and SSL certificates, you cannot do that. The negotiation of SSL is done before the name virtual hosting. So the basic answer is to get one IP per site.



    A couple years ago certificates and browser started supporting SNI to get around that limit. Look up SNI (Server Name Indication). The majority of recent browsers support that now. But beware that users with old browsers will not be able to access all your sites (well actually they will always try to access the first VirtualHost defined in your configuration, which is the default chosen when name virtual hosting does not work).



    In your question you say that are are always sent to sub-domain1, which is logical, since it takes the first VirtualHost found, as I just explained above.






    share|improve this answer



























      0














      With regular Apache and SSL certificates, you cannot do that. The negotiation of SSL is done before the name virtual hosting. So the basic answer is to get one IP per site.



      A couple years ago certificates and browser started supporting SNI to get around that limit. Look up SNI (Server Name Indication). The majority of recent browsers support that now. But beware that users with old browsers will not be able to access all your sites (well actually they will always try to access the first VirtualHost defined in your configuration, which is the default chosen when name virtual hosting does not work).



      In your question you say that are are always sent to sub-domain1, which is logical, since it takes the first VirtualHost found, as I just explained above.






      share|improve this answer

























        0












        0








        0







        With regular Apache and SSL certificates, you cannot do that. The negotiation of SSL is done before the name virtual hosting. So the basic answer is to get one IP per site.



        A couple years ago certificates and browser started supporting SNI to get around that limit. Look up SNI (Server Name Indication). The majority of recent browsers support that now. But beware that users with old browsers will not be able to access all your sites (well actually they will always try to access the first VirtualHost defined in your configuration, which is the default chosen when name virtual hosting does not work).



        In your question you say that are are always sent to sub-domain1, which is logical, since it takes the first VirtualHost found, as I just explained above.






        share|improve this answer













        With regular Apache and SSL certificates, you cannot do that. The negotiation of SSL is done before the name virtual hosting. So the basic answer is to get one IP per site.



        A couple years ago certificates and browser started supporting SNI to get around that limit. Look up SNI (Server Name Indication). The majority of recent browsers support that now. But beware that users with old browsers will not be able to access all your sites (well actually they will always try to access the first VirtualHost defined in your configuration, which is the default chosen when name virtual hosting does not work).



        In your question you say that are are always sent to sub-domain1, which is logical, since it takes the first VirtualHost found, as I just explained above.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Sep 29 '17 at 18:39









        Nic3500Nic3500

        1416




        1416



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Server Fault!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f876196%2fresolving-multiple-apache-name-based-virtual-host-with-ssl%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Wikipedia:Vital articles Мазмуну Biography - Өмүр баян Philosophy and psychology - Философия жана психология Religion - Дин Social sciences - Коомдук илимдер Language and literature - Тил жана адабият Science - Илим Technology - Технология Arts and recreation - Искусство жана эс алуу History and geography - Тарых жана география Навигация менюсу

            Image
            centralized watchlist Wikipedia:Vital articles Wikipedia дан Jump to navigation Jump to search This is a list of basic subjects for which Wikipedia should have a corresponding high-quality article, and ideally a featured article. It also serves as a centralized watchlist and tracks the status of some of Wikipedia's most essential articles. Ideally this page should list approximately 1,000 of the most vital Wikipedia articles. Мазмуну 1 Biography - Өмүр баян 1.1 Actors, dancers and models - Актёрлор, бийчилер жана моделдер 1.2 Artists and architects - Сүрөтчүлөр жана архитекторлор 1.3 Authors, playwrights and poets - Жазуучулар, драматургдар жана акындар 1.4 Composers and musicians - Композиторлор жана музыканттар 1.5 Explorers and travelers - Изилдөөчүлөр менен саякатчылар 1.6 Film directors and screenwriters - Режиссёрлор жана сценаристтер 1.7 Inventors, scientists and mathematicians - Ойлоп табуучулар, окумуштуулар жана математиктер
            Read more

            Bruxelas-Capital Índice Historia | Composición | Situación lingüística | Clima | Cidades irmandadas | Notas | Véxase tamén | Menú de navegacióneO uso das linguas en Bruxelas e a situación do neerlandés"Rexión de Bruxelas Capital"o orixinalSitio da rexiónPáxina de Bruselas no sitio da Oficina de Promoción Turística de Valonia e BruxelasMapa Interactivo da Rexión de Bruxelas-CapitaleeWorldCat332144929079854441105155190212ID28008674080552-90000 0001 0666 3698n94104302ID540940339365017018237

            Image
            AnderlechtCidade de BruxelasIxellesEtterbeekEvereGanshorenJetteKoekelbergAuderghemSchaerbeekBerchem-Sainte-AgatheSaint-GillesMolenbeek-Saint-JeanSaint-Josse-ten-NoodeWoluwe-Saint-LambertWoluwe-Saint-PierreUccleForestWatermaal-Bosvoorde Comunidade Francesa de Bélxica Comunidade Flamenga de Bélxica Comunidade Xermanófona de Bélxica Bruxelas-CapitalRexións de Bélxica francésneerlandésRexiónsBélxicacomunidade francesacomunidade flamengafrancófonaflamengaUnión EuropeaMagrebMarrocosTurquíaAméricaÁfricaRepública Democrática do CongoEuropa central18 de xuño1989FlandresRexión Valoaflamengaséculo XIXClasificación climática de Köppen Bruxelas-Capital Na Galipedia, a Wikipedia en galego. Saltar ata a navegación Saltar á procura Para outras páxinas con títulos homónimos véxase: Bruxelas . Région de Bruxelles-Capitale Brussels Hoofdstedelijk Gewest Bandeira Estado Bélxica Capital Cidade de Bruxelas  • Poboación n/d Lingua oficial As dúas Superficie  • Total 1
            Read more

            What should I write in an apology letter, since I have decided not to join a company after accepting an offer letterShould I keep looking after accepting a job offer?What should I do when I've been verbally told I would get an offer letter, but still haven't gotten one after 4 weeks?Do I accept an offer from a company that I am not likely to join?New job hasn't confirmed starting date and I want to give current employer as much notice as possibleHow should I address my manager in my resignation letter?HR delayed background verification, now jobless as resignedNo email communication after accepting a formal written offer. How should I phrase the call?What should I do if after receiving a verbal offer letter I am informed that my written job offer is put on hold due to some internal issues?Should I inform the current employer that I am about to resign within 1-2 weeks since I have signed the offer letter and waiting for visa?What company will do, if I send their offer letter to another company

            Image
            When is the original BFGS algorithm still better than the Limited-Memory version? How well known and how commonly used was Huffman coding in 1979? Inverse-quotes-quine Can the US president have someone sent to jail? Employer wants to use my work email account after I quit, is this legal under German law? Is this a GDPR waiver? Do French speakers not use the subjunctive informally? Low-gravity Bronze Age fortifications Does ultrasonic bath cleaning damage laboratory volumetric glassware calibration? Why do some games show lights shine through walls? Unusual mail headers, evidence of an attempted attack. Have I been pwned? Smooth Julia set for quadratic polynomials Require advice on power conservation for backpacking trip Dimensions of list used in test C-152 carb heat on before landing in hot weather? Is my Rep in Stack-Exchange Form? What happens when your group is victim of a surprise attack but you can't be surprised? How come I was asked by a CBP
            Read more