[Modules] mod_gnutls and domains without its settings

Davide Mirtillo davide at ser-tec.org
Tue Aug 3 08:51:08 EDT 2010


On 03/08/2010 11:00, Simon Josefsson wrote:
>>>> I'm having a strange issue, though. If I try to visit a domain that has
>>>> no virtual host entry for the https connection, apache is displaying the
>>>> site with the ssl certificate of the first domain I specified on the ssl
>>>> virtualhost config file.
>>>>
>>>> Is there any way I can stop this behaviour? I thought about adding a
>>>> permanent redirect on every domain that does not have a ssl vhost, but
>>>> I'd rather see what other options I have before doing that.
>>>
>>> I don't know how to solve this, but how does mod_ssl handle this?
>>> Assuming mod_ssl supports SNI at all, that is, I know it didn't for a
>>> long time but maybe that has changed.
>>
>> I think SNI has been introduced for mod_ssl into newer packages, (i.e.
>> in the testing/unstable repos) but running a mixed Debian system could
>> be troublesome in a production environment. I haven't tried mod_ssl
>> because of that. I don't know if this issue is caused by my mod_gnutls
>> config or if it's an error on my apache config. Am I supposed to
>> declare a corresponding https virtual host for every plain http one?
> 
> I didn't say you should use mod_ssl instead. :-) Just curious how it
> solved the same problem.  FWIW, I've seen your problem too, and never
> resolved it.  It may be possible to do with configuration, but I'm not
> certain what the best recommended approach should be.  It would be nice
> to be able to declare which virtual server should be the "catch-all" SSL
> server.
> 
> However, can't you just make sure the first SSL virtualhost server is a
> "catch-all" server?

Thanks for the tip.

I decided to try with a _default_:443 virtual host [1], inserting the
following entry as default:

<VirtualHost _default_:443>
        RewriteEngine On
        RewriteCond %{HTTPS} ON
        RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

But it doesn't seem to do the job, I still get the wrong certificate (I
don't even get why the RewriteRule isn't working).

I guess I'll just create a script to create the right https vhosts
paired up with the http ones.

If anyone has better options, I'm all ears.

[1] http://httpd.apache.org/docs/2.2/vhosts/examples.html#default

-- 
Davide Mirtillo
EV Network
Via Emilio Salgari 14/e 31056 Roncade (TV), Italy
Phone/Fax +390422798184 P.IVA 02443090267
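
An added example, not part of the original message or of mod_gnutls: a Python check for the situation discussed in this thread, listing hostnames that have a plain-HTTP virtual host but no virtual host on port 443, together with the names of the first SSL vhost whose certificate they would be shown. The sample configuration and function names are constructed for illustration; wildcard aliases and Include directives are not handled.

```python
import re

# Constructed sample configuration (not from the original post).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName shop.example.org
    ServerAlias www.shop.example.org
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.org
</VirtualHost>
<VirtualHost *:443>
    ServerName shop.example.org
    GnuTLSEnable on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.I | re.M)


def parse_vhosts(conf):
    """Return [(port, [hostnames])] in file order; comment lines are ignored."""
    conf = re.sub(r"^\s*#.*$", "", conf, flags=re.M)
    vhosts = []
    for addrs, body in VHOST_RE.findall(conf):
        # A vhost may list several addr:port pairs; keep each port once.
        ports = {a.rsplit(":", 1)[1] for a in addrs.split() if ":" in a}
        names = [n.lower() for line in NAME_RE.findall(body) for n in line.split()]
        vhosts.extend((p, names) for p in sorted(ports))
    return vhosts


def audit(conf, tls_port="443"):
    """Return (fallback_names, uncovered): the first TLS vhost's names and the
    hostnames that have a non-TLS vhost but no vhost on tls_port."""
    vhosts = parse_vhosts(conf)
    tls = [names for port, names in vhosts if port == tls_port]
    covered = {n for names in tls for n in names}
    plain = {n for port, names in vhosts if port != tls_port for n in names}
    return (tls[0] if tls else []), sorted(plain - covered)


if __name__ == "__main__":
    fallback, uncovered = audit(SAMPLE_CONF)
    print("first TLS vhost (its certificate is the fallback):", fallback)
    for name in uncovered:
        print("no HTTPS vhost:", name)
```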