Bug 55407 - mod_SSL doesn't consider other vhosts with SNI, when their ServerName is identical
Summary: mod_SSL doesn't consider other vhosts with SNI, when their ServerName is iden...
Status: RESOLVED DUPLICATE of bug 43218
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-13 01:10 UTC by Christoph Anton Mitterer
Modified: 2013-08-17 01:30 UTC

Description Christoph Anton Mitterer 2013-08-13 01:10:35 UTC
Hi.

Admittedly I'm not even sure whether this is an issue or not... at least I couldn't find it documented, though.

It seems that when using SNI with vhosts that have the SAME ServerName but DIFFERENT ServerAlias(es)... mod_ssl simply ignores the later defined vhosts.

E.g. consider the following:
<VirtualHost 127.0.0.1>
        ServerName a.foo.example.org
        ServerAlias *.pool.example.org

        #using some cert #1 for the above names
</VirtualHost>
<VirtualHost 127.0.0.1>
        ServerName a.foo.example.org
        ServerAlias foo.example.org

        #using some other cert #2 for the above names
</VirtualHost>


Such things can easily happen, e.g. you have pools and round robin DNS names... and want them to just use different certs (usually from different CAs), e.g. one from "public" CAs like VeriStrange™ and Thawto™ ;) ... and for the other names your organisation's own CA, which is however not globally recognised.

With the above setup I'd have expected the following to happen:
If a.foo.example.org is used,... the first defined vhost wins (as in default vhosts).... and cert #1 is used.

For *.pool.example.org cert #1 is used as well, while for foo.example.org cert #2 is used.


But Apache _always_ goes into the first vhost and gives me cert #1.


Now an obvious workaround is to simply make the 2nd vhost like this:
<VirtualHost 127.0.0.1>
        ServerName foo.example.org

        #using some other cert #2 for the above names
</VirtualHost>
i.e. changing the ServerName.

This, however, has the drawback that the other name is also used in all places like error pages, etc.
So while I might offer people to use another certificate... I may still want them to see the "canonical" server name for that other certificate as well, which in the example above was intended to be a.foo.example.org.


Cheers,
Chris.
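As an added illustration (not part of the bug report or of httpd itself), a small Python check that parses VirtualHost blocks and flags any later vhost whose ServerName repeats an earlier vhost's on the same address, encoding the behaviour the reporter describes as an assumption: the first vhost with that ServerName wins, so the later one's aliases and certificate are never reachable via SNI. The sample config is the reporter's two vhosts with the closing tags corrected and made-up SSLCertificateFile paths.

```python
import re
# Constructed sample: the reporter's two vhosts, closing tags corrected, cert paths made up.
SAMPLE_CONFIG = """
<VirtualHost 127.0.0.1>
    ServerName a.foo.example.org
    ServerAlias *.pool.example.org
    SSLCertificateFile /etc/ssl/cert1.pem
</VirtualHost>
<VirtualHost 127.0.0.1>
    ServerName a.foo.example.org
    ServerAlias foo.example.org
    SSLCertificateFile /etc/ssl/cert2.pem
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text):
    """Return vhosts in definition order as dicts: addr, name, aliases, cert."""
    vhosts = []
    for addr, body in VHOST_RE.findall(text):
        vh = {"addr": addr.strip(), "name": None, "aliases": [], "cert": None}
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split(None, 1)  # strip comments, split key/value
            if not parts:
                continue
            key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
            if key == "servername":
                vh["name"] = value.lower()
            elif key == "serveralias":
                vh["aliases"] += [a.lower() for a in value.split()]
            elif key == "sslcertificatefile":
                vh["cert"] = value
        vhosts.append(vh)
    return vhosts

def shadowed_vhosts(vhosts):
    """Flag later vhosts repeating an earlier (addr, ServerName). Assumption from the
    report: the first such vhost wins, so the later one's aliases/cert are unreachable."""
    seen, findings = {}, []
    for idx, vh in enumerate(vhosts):
        key = (vh["addr"], vh["name"])
        if key in seen:
            findings.append({"index": idx, "shadowed_by": seen[key],
                             "unreachable_aliases": vh["aliases"], "unused_cert": vh["cert"]})
        else:
            seen[key] = idx
    return findings
```

Running `shadowed_vhosts(parse_vhosts(SAMPLE_CONFIG))` reports the second vhost as shadowed by the first, with `foo.example.org` and cert #2 flagged as never selectable.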
Comment 1 Eric Covener 2013-08-13 02:13:13 UTC
A test config chases the alias for me

*** This bug has been marked as a duplicate of bug 43218 ***
Comment 2 Eric Covener 2013-08-13 02:13:42 UTC
(In reply to Eric Covener from comment #1)
> A test config chases the alias for me
> 
> *** This bug has been marked as a duplicate of bug 43218 ***

Ignore the half of a comment, found the dup and lost that part of my screen
Comment 3 Christoph Anton Mitterer 2013-08-17 01:30:45 UTC
Uhm... what?