[Modules] mod_gnutls and domains without its settings

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Aug 5 15:15:12 EDT 2010


If I understand correctly you want to redirect https requests to http
if the virtual host doesn't exist. You cannot do that, or more
precisely you cannot do that before the user is presented with a
certificate. Once the server knows that a virtual host doesn't exist
the TLS connection has started, and thus will be completed using the
default first certificate. The best thing you could do is to reject
those clients completely (by having a default site that doesn't support
any ciphersuites), or by redirecting after the handshake has been
completed and the client has been presented with the default
certificate.

regards,
Nikos

On Thu, Aug 5, 2010 at 2:53 PM, Davide Mirtillo <davide at ser-tec.org> wrote:
> On 04/08/2010 12:20, Nikos Mavrogiannopoulos wrote:
>> On Wed, Aug 4, 2010 at 11:29 AM, Davide Mirtillo <davide at ser-tec.org> wrote:
>>
>>> Replacing _default_ with the network IP seems to work, but with both
>>> your rewrite rule and mine I am now getting this error from the browser:
>>> ssl_error_rx_record_too_long
>>
>> Most probably you didn't enable TLS for this host. You can verify that
>> by connecting with normal HTTP url.
>
> That's correct, I did not add any virtual host for port 443, but that
> was kind of the issue I am having, meaning that I'm trying to create a
> default config to be used whenever the websites have no SSL virtual host
> defined, i.e. redirect them to plain http.
>
> That configuration which was giving me the error above (the one that
> uses IP:443 as VirtualHost) is also breaking the virtual hosts of the
> sites I put the correct certificates in.
>
> --
> Davide Mirtillo
> EV Network, Via Emilio Salgari 14/e
> 31056 Roncade (TV), Italy
> Phone/Fax +390422798184 VAT IT02443090267
>
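
The second option in the reply above (redirect only after the handshake has completed with the default certificate), sketched as an Apache configuration. This is an added example, not part of the original thread; the hostnames, file paths and the use of `*:443` on every TLS virtual host are assumptions.

```apache
# Added example: hostnames and file paths are placeholders.
# On Apache 2.2, name-based vhosts on this port also need: NameVirtualHost *:443
Listen 443

# Catch-all TLS vhost. It must be the first *:443 vhost Apache loads, so it
# becomes the default for every name that has no TLS vhost of its own.
<VirtualHost *:443>
    ServerName default.example.invalid
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    # Certificate presented to clients that land here. Without a TLS listener
    # on 443 the browser reports ssl_error_rx_record_too_long instead.
    GnuTLSCertificateFile /etc/apache2/ssl/default.crt
    GnuTLSKeyFile /etc/apache2/ssl/default.key

    # mod_rewrite only runs once the HTTP request arrives, i.e. after the
    # handshake. Host is client-supplied, so accept only a plain hostname
    # (optionally with :443) before reflecting it into the redirect target.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^([a-z0-9.-]+)(:443)?$ [NC]
    RewriteRule ^(.*)$ http://%1$1 [R=302,L]
</VirtualHost>

# A site that does have its own certificate. Use the same address form
# (*:443) as the catch-all: Apache prefers a more specific IP:443 match,
# which would shadow vhosts declared with *:443.
<VirtualHost *:443>
    ServerName secure.example.com
    DocumentRoot /var/www/secure
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile /etc/apache2/ssl/secure.example.com.crt
    GnuTLSKeyFile /etc/apache2/ssl/secure.example.com.key
</VirtualHost>
```

A client requesting a name handled by the catch-all still sees the default certificate, and any name-mismatch warning, before the redirect is delivered.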

