Forum

Serving only some vhosts with TLS (SNI)

David Oliver
10 September 2015, 00:09
Hi Hugo,

I found out tonight that the TLS/443 binding must have a TLScertFile set in order for other vhosts which use other SSL certificates to work over TLS.

Binding with TLScertFile    + VirtualHost with TLScertFile = VirtualHost https success
Binding without TLScertFile + VirtualHost with TLScertFile = VirtualHost https fail


In the second of the above two scenarios, Firefox reports:

Secure Connection Failed
An error occurred during a connection to amigochem.com. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)


Is that expected behaviour?

As it stands, I think it's not possible to set vhosts that don't have SSL certificates to explicitly not use TLS, because the binding's TLScertFile will apply to them. In Firefox's words:

www.domain-without-cert.com uses an invalid security certificate.
The certificate is only valid for the following names:
www.domain-with-cert.com
(Error code: ssl_error_bad_cert_domain)


Is it possible to use TLS with selected vhosts without all other vhosts being set to use the binding's default cert?
Hugo Leisink
10 September 2015, 07:59
Hi David. Setting the TLScertFile in a binding makes it an HTTPS binding. Just setting the port to 443 is not enough. It's just a port number. It requires a certificate in case a client doesn't support SNI. In that case the per-virtual-host certificates are not addressed and Hiawatha needs to fall back to a default certificate, which is the one specified in the binding section. I hope I made this clear enough. If not, just let me know.
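For readers arriving at this thread later, here is the configuration shape Hugo describes, written out as an added example (it is not configuration posted by either participant). The hostnames and file paths are placeholders; the directive names (Binding, Port, TLScertFile, VirtualHost, Hostname, WebsiteRoot) are Hiawatha's own. The binding-level TLScertFile is what turns port 443 into a TLS binding and is the certificate presented to clients that send no SNI; each VirtualHost that has its own TLScertFile gets that certificate when the client's SNI matches its Hostname; a VirtualHost without one is still reachable over this binding, but is served with the binding's default certificate, which is the ssl_error_bad_cert_domain case from the first post.

```text
# Added example, not from the original thread. Paths and hostnames are assumptions.
# Each TLScertFile is a PEM file containing the private key followed by the certificate chain.

Binding {
    Port = 443
    # Required: without this the binding is plain HTTP on port 443 and TLS clients
    # receive an HTTP response instead of a ServerHello (Firefox: ssl_error_rx_record_too_long).
    # This is also the fallback certificate for clients that send no SNI.
    TLScertFile = /etc/hiawatha/tls/default.pem
}

VirtualHost {
    Hostname = www.domain-with-cert.com
    WebsiteRoot = /var/www/domain-with-cert
    # Selected via SNI for this hostname; overrides the binding's default certificate.
    TLScertFile = /etc/hiawatha/tls/domain-with-cert.pem
}

VirtualHost {
    Hostname = www.domain-without-cert.com
    WebsiteRoot = /var/www/domain-without-cert
    # No TLScertFile here: an https:// visitor to this hostname is answered with
    # /etc/hiawatha/tls/default.pem, and the browser reports a hostname mismatch
    # (ssl_error_bad_cert_domain) naming whatever hosts the default certificate covers.
}
```

To confirm which certificate a given hostname receives, compare the output of `openssl s_client -connect <server>:443 -servername www.domain-with-cert.com` with a connection that omits SNI (`-noservername` on OpenSSL 1.1.1 and later); the second one should show the binding's default certificate, exactly as Hugo describes for non-SNI clients.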
David Oliver
10 September 2015, 10:19
I see - I thought there might well be a reason. Thanks for clarifying.

So if I don't want visitors to a non-TLS site who incorrectly use the https protocol to see which domain(s) the server's default certificate is for, they should instead be running on a server that doesn't use TLS at all. I'm planning on all sites using TLS before too long anyway, but it's good to know what the expected behaviour is nonetheless.
This topic has been closed.