DevHeads.net

CentOS 6, Apache 2.2.15 and SNI?

Hello,

Is Apache 2.2, which is part of the CentOS distribution, capable of SNI?

I have troubles that are coming from the server side (CentOS 6.8, Apache 2.2.15); I just did 'yum update'.

In /etc/httpd/conf/httpd.conf I have the following:

NameVirtualHost ipaddr:443

Include /etc/httpd/conf/vhosts/vhost-ssldom1-box.conf
Include /etc/httpd/conf/vhosts/vhost-ssldom2-box.conf

Both vhost files look like this:

<VirtualHost ipaddr:443>
ServerAdmin webmaster@domain#.com

ServerName vhost.domain#.com:443
ServerAlias box.domain#.com:443
ServerAlias calcbox.domain#.com:443
ServerAlias proxybox.domain#.com:443

...
SSLEngine on

SSLStrictSNIVHostCheck on

SSLCertificateFile /etc/httpd/conf/ssl.crt/domain#-host.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domain#-host.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/server-chain.crt

...
</VirtualHost>

Only
https://domain1.com/...
works;
https://domain2.com/...
results in a certificate CN mismatch ...

What is missing in my config?

Thanks,
Walter

Comments

Re: CentOS 6, Apache 2.2.15 and SNI? Solved ...

By Walter H. at 11/21/2016 - 13:40

It is solved. I don't know why, but SNI works only with hosts that are
declared with ServerName and not with ServerAlias.

So I did the following ...

I made an include file that contains everything of the virtual host
except the ServerAdmin and ServerName declarations,
and did this:

<VirtualHost ipaddr:443>
ServerAdmin webmaster@domain#.com
ServerName vhost.domain#.com:443
Include /etc/httpd/conf/vhosts/vhost-ssldom#-box.incl
</VirtualHost>

<VirtualHost ipaddr:443>
ServerAdmin webmaster@domain#.com
ServerName box.domain#.com:443
Include /etc/httpd/conf/vhosts/vhost-ssldom#-box.incl
</VirtualHost>

<VirtualHost ipaddr:443>
ServerAdmin webmaster@domain#.com
ServerName calcbox.domain#.com:443
Include /etc/httpd/conf/vhosts/vhost-ssldom#-box.incl
</VirtualHost>

...

Greetings,
Walter

On 20.11.2016 18:24, Walter H. wrote:

Re: CentOS 6, Apache 2.2.15 and SNI?

By David Nelson at 11/20/2016 - 12:33

It doesn't appear you have a ServerName or ServerAlias for the naked domains (sans subdomain), so they're both being answered by the first VirtualHost entry?

Re: CentOS 6, Apache 2.2.15 and SNI?

By Walter H. at 11/20/2016 - 12:43

On 20.11.2016 18:33, David Nelson wrote:
meant

https://box.domain1.com works
but
https://box.domain2.com results in 'Certificate name mismatch'

Thanks,
Walter
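
An added example, not code from the thread or from Apache: a small Python model of how a TLS server name is mapped to a name-based vhost, run over a constructed config shaped like the one posted above. It assumes the port is split off ServerName (whose documented syntax allows host:port) while ServerAlias entries (documented as bare hostnames) are compared as written, and that an unmatched name is served by the first vhost on the address, as David Nelson's comment suggests; the hostnames, IP address and helper names are made up.

```python
import re
from fnmatch import fnmatchcase
# Constructed sample shaped like the thread's config; all names are placeholders.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
ServerName vhost.domain1.example:443
ServerAlias box.domain1.example
SSLCertificateFile /etc/httpd/conf/ssl.crt/domain1-host.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName vhost.domain2.example:443
ServerAlias box.domain2.example:443 calcbox.domain2.example
SSLCertificateFile /etc/httpd/conf/ssl.crt/domain2-host.crt
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: names, cert path, warnings."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        vh = {"names": [], "cert": None, "warnings": []}
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key, args = parts[0].lower(), parts[1:]
            if key == "servername" and args:
                # Documented syntax is [scheme://]host[:port]; keep the host only.
                vh["names"].append(args[0].split("://")[-1].rsplit(":", 1)[0].lower())
            elif key == "serveralias":
                for alias in args:
                    if re.search(r":\d+$", alias):
                        vh["warnings"].append("ServerAlias %r carries a port" % alias)
                    vh["names"].append(alias.lower())  # assumption: compared verbatim
            elif key == "sslcertificatefile" and args:
                vh["cert"] = args[0]
        vhosts.append(vh)
    return vhosts

def select_cert(vhosts, sni_name):
    """Certificate of the first vhost whose names match, else of the first vhost."""
    for vh in vhosts:
        if any(fnmatchcase(sni_name.lower(), n) for n in vh["names"]):
            return vh["cert"]
    return vhosts[0]["cert"]  # assumption: unmatched names get the default vhost

if __name__ == "__main__":
    for name in ("box.domain1.example", "box.domain2.example", "calcbox.domain2.example"):
        print(name, "->", select_cert(parse_vhosts(SAMPLE_CONF), name))
```

In this model the alias written with :443 never matches, so that name is answered with the first vhost's certificate, which is the CN mismatch symptom; the alias without a port selects the right certificate.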