Yaws mailing list ~ multiple virtualhosts with ssl on the same IP

Guest, posted Tue Sep 29, 2009 9:35 am
Hi,
As written in the yaws.conf documentation:
"Yaws can virthost several webservers on the same ip address as well as
several webservers on different ip addresses. The one limitation here
is that there can be only one server with ssl enabled per each individual ip address."
In my quest for understanding yaws, I'm trying something like this to bypass this limit (I introduce a new configuration
parameter, sslvirtual):
<server www.funky.org>
    port = 443
    listen = 192.168.128.32
    docroot = /var/yaws/www_funky_org
    <ssl>
        keyfile = /etc/funky.key
        certfile = /etc/funky.cert
    </ssl>
</server>
<server funky.org>
    port = 443
    listen = 192.168.128.32
    sslvirtual = true
    docroot = /var/yaws/www_funky_org
    <ssl>
        keyfile = /etc/funky.key
        certfile = /etc/funky.cert
    </ssl>
</server>
With this parameter, funky.org is not bound to the socket {192.168.128.32,443} but added to the group
of #sconf corresponding to the first server (same socket), as for plain HTTP. The pick_sconf function in the SSL context
now does the same thing as in the plain context, comparing the Host header to find the right #sconf.
For the test I added sslvirtual to the #sconf.soptions field. All modifications are in yaws_server (the SSL configuration must be strictly identical, otherwise we would need to modify yaws_config:search_sconf,
because the search uses the "listen, port, ssl, servername" fields).
Details:
yaws_server:do_listen(SC,GC) checks if the sslvirtual flag is set in the #sconf.
If yes, instead of trying to bind a socket on {Ip,Port} we just return {nossl,undefined,sslvirtual};
yaws_server:gserv(Top, GC, Group0) checks if do_listen returns something like {_,_,sslvirtual}.
If yes, gserv/3 does a proc_lib:init_ack(sslvirtual);
yaws_server:start group receives the sslvirtual and does nothing (returns false), the same as when failonbind is set to false;
pick_sconf in the SSL context does the same thing as pick_sconf without SSL.
For the certificate generation, I used the subjectAltName extension (in which I set all the virtual hosts).
Seems to work.
Did I miss something?
wde
------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Erlyaws-list mailing list
Erlyaws-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/erlyaws-list
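The socket grouping and Host-header lookup described in the post above, as an added example that is not Yaws code and not code from the post: a small model of how server blocks sharing one listen socket are grouped, which of them would bind the socket under the proposed sslvirtual flag, the "SSL settings must be identical" check the post mentions, pick_sconf by Host header, and a check of whether the shared certificate's subjectAltName actually covers every name on the socket. The config text, the SAN lists and all function names are constructed for the example.

```python
"""Added example, not code from Yaws or from the post: model how <server>
blocks sharing a listen socket are grouped and picked by Host header, extended
to SSL the way the sslvirtual proposal does. The config text, SAN lists and
function names are constructed for the example."""
import re
from collections import defaultdict

# Constructed yaws.conf fragment mirroring the two servers in the post.
YAWS_CONF = """
<server www.funky.org>
    port = 443
    listen = 192.168.128.32
    docroot = /var/yaws/www_funky_org
    <ssl>
        keyfile = /etc/funky.key
        certfile = /etc/funky.cert
    </ssl>
</server>
<server funky.org>
    port = 443
    listen = 192.168.128.32
    sslvirtual = true
    docroot = /var/yaws/www_funky_org
    <ssl>
        keyfile = /etc/funky.key
        certfile = /etc/funky.cert
    </ssl>
</server>
"""

KV = re.compile(r"(\w+)\s*=\s*(\S+)")


def parse_servers(text):
    """Parse <server NAME> blocks (with an optional <ssl> sub-block) into dicts."""
    servers = []
    for m in re.finditer(r"<server\s+(\S+)>(.*?)</server>", text, re.S):
        name, body = m.group(1), m.group(2)
        sc = {"servername": name.lower(), "ssl": None}
        ssl_m = re.search(r"<ssl>(.*?)</ssl>", body, re.S)
        if ssl_m:
            sc["ssl"] = dict(KV.findall(ssl_m.group(1)))
            body = body[:ssl_m.start()] + body[ssl_m.end():]
        sc.update(KV.findall(body))
        sc["sslvirtual"] = str(sc.get("sslvirtual", "false")).lower() == "true"
        servers.append(sc)
    return servers


def group_by_socket(servers):
    """One listening socket per (listen, port); every sconf on it joins the group.
    Yaws does this for plain HTTP; the post applies the same grouping to SSL."""
    groups = defaultdict(list)
    for sc in servers:
        groups[(sc["listen"], int(sc["port"]))].append(sc)
    return dict(groups)


def listeners(group):
    """Mirror the proposed do_listen: only sconfs without sslvirtual bind the socket."""
    return [sc["servername"] for sc in group if not sc["sslvirtual"]]


def ssl_config_identical(group):
    """The post's caveat: sconfs sharing one SSL socket must carry the same <ssl>
    settings, because the certificate is fixed at bind time, before any Host
    header has been read."""
    cfgs = {tuple(sorted(sc["ssl"].items())) if sc["ssl"] else None for sc in group}
    return len(cfgs) == 1


def pick_sconf(group, host_header):
    """Choose the sconf whose servername equals the Host header (port stripped);
    fall back to the first sconf on the socket, as Yaws does for plain HTTP."""
    host = host_header.split(":")[0].lower()
    for sc in group:
        if sc["servername"] == host:
            return sc
    return group[0]


def san_matches(pattern, host):
    """RFC 6125 style: exact match, or a '*.' wildcard covering one label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def uncovered_vhosts(group, san_dns_names):
    """Names on an SSL socket that the shared certificate's SAN does not cover.
    A browser reaching one of these gets a name mismatch before pick_sconf runs."""
    return [sc["servername"] for sc in group
            if not any(san_matches(p, sc["servername"]) for p in san_dns_names)]


if __name__ == "__main__":
    groups = group_by_socket(parse_servers(YAWS_CONF))
    for sock, grp in groups.items():
        print(sock, "binds:", listeners(grp), "ssl identical:", ssl_config_identical(grp))
        print("Host: funky.org ->", pick_sconf(grp, "funky.org")["servername"])
        print("not covered by SAN [funky.org]:", uncovered_vhosts(grp, ["funky.org"]))
```

The uncovered_vhosts check is the part worth running before deploying such a setup: with one certificate per socket, the SAN list (not the Host header) decides whether the browser accepts the connection at all.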
Guest, posted Tue Sep 29, 2009 8:22 pm
wde wrote:
>
> For the certificate generation, I used the extension subjectAltName (in which I set all virtual hosts).
>
So this is the problem - the certificate must be sent on the socket before
we get the Host header.
I honestly don't see any real use of this feature since I don't believe
browsers support this - at least they didn't - has this changed?
/klacke
|
| Guest |
Posted: Tue Sep 29, 2009 9:28 pm |
|
|
|
Guest
|
I can't estimate the support of this extension by the browsers, but it seems to work for FX 2.0 and IE 6.0.
I see this extension in the google.com certificate:
    X509v3 Subject Alternative Name:
        DNS:google.com, DNS:*.google.com
In fact, in a case where I have only one server and one IP, and I would like to serve https://www.mydomain.com and https://mydomain.com,
I tried this "trick" :+)
Guest, posted Wed Sep 30, 2009 6:40 am

tobbe (User, joined 19 Jan 2005, Stockholm, Sweden), posted Wed Sep 30, 2009 7:17 am
Guest, posted Wed Sep 30, 2009 2:04 pm
wde wrote:
> I found this article:
>
> http://wiki.cacert.org/VhostTaskForce#Interoperability_Test
>
Ok - interesting. It appears I was wrong, good.
So it's the last column in the table that works on
all browsers. CN + SubjAltName
How did you generate the cert you use?
Does anyone know if CAs will accept CSRs with
these attributes set? If they don't, all this is also moot.
/klacke
Guest, posted Wed Sep 30, 2009 3:25 pm
In my openssl.cnf file I have the following sections for the subject alternative names:
    [sslserver]
    ...
    subjectAltName = @aliases

    [aliases]
    DNS.1 = bla.com
    DNS.2 = super.bla.com
To generate the key and CSR:
    openssl req -new -config ./openssl.cnf -newkey rsa:1024 -nodes -keyout yaws.ppk -out yaws.csr
To sign the CSR with the extensions:
    openssl ca -config ./openssl.cnf -extensions sslserver -in yaws.csr -out yaws-cert.pem
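The certificate workflow from the post above, as an added example that is not the post's own openssl.cnf setup: the same two-name subjectAltName certificate produced with a single self-signed openssl command (no CA section needed), then every vhost name from a yaws.conf-style list checked against it the way a browser does, so a name missing from the SAN shows up before the server goes live. The hostnames, file locations and function names are assumptions for the example; -addext and -ext need OpenSSL 1.1.1 or later, older builds need the config-file approach shown in the post.

```bash
#!/bin/sh
# Added example, not from the post: self-signed SAN certificate plus a
# per-vhost hostname check. Hostnames and paths are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/yaws-san.$$"
mkdir -p "$WORK"
KEY="$WORK/yaws.key"
CERT="$WORK/yaws-cert.pem"

# Generate key and self-signed certificate in one step. The CN is the primary
# name; the SAN lists every vhost served on the socket (OpenSSL >= 1.1.1).
gen_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=bla.com" \
        -addext "subjectAltName=DNS:bla.com,DNS:super.bla.com" >/dev/null 2>&1
}

# Print the SAN extension as OpenSSL parsed it from the generated certificate.
show_san() {
    openssl x509 -in "$CERT" -noout -ext subjectAltName
}

# Exit 0 if the certificate is valid for NAME (SAN match, CN ignored when a
# SAN is present, as browsers do), non-zero otherwise.
cert_matches_host() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

# Check each vhost name given on the command line; report the ones a browser
# would reject with a name mismatch. Returns non-zero if any is missing.
check_vhosts() {
    rc=0
    for h in "$@"; do
        if cert_matches_host "$h"; then
            echo "ok       $h"
        else
            echo "MISSING  $h"
            rc=1
        fi
    done
    return $rc
}

gen_san_cert
show_san
check_vhosts bla.com super.bla.com || true
# www.bla.com is deliberately absent from the SAN: the check must flag it.
check_vhosts www.bla.com || echo "www.bla.com is not covered by this certificate"
```

The list passed to check_vhosts should be every server name that shares the SSL socket; any MISSING line means that vhost cannot be served from this certificate no matter how the server picks its configuration afterwards.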
Guest, posted Sat Oct 03, 2009 8:41 pm
wde wrote:
> In my openssl.cnf file I have the following sections for the subject alternative names
Ok - I'm happy - all this looks good and I'd be happy to
include this - how do you want to proceed ... maybe we should
take this off list?
/klacke