Apache 2.2 and Server Name Indication

Greetings. I have two SSL sites configured under apache2, webmail.derfy.net and webmail.mmorpgmarketplace.com. Sites have self-signed certs. Server version info:

```
[Thu Jan 13 09:40:08 2011] [notice] Graceful restart requested, doing restart
[Thu Jan 13 09:40:14 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu Jan 13 09:40:14 2011] [notice] Apache/2.2.12 (Ubuntu) PHP/5.2.10-2ubuntu6.6 with Suhosin-Patch mod_ssl/2.2.12 OpenSSL/0.9.8g configured -- resuming normal operations
```

With both sites enabled, https://webmail.derfy.net works as expected (manually adding the cert, of course). Attempting to visit https://webmail.mmorpgmarketplace.com however brings errors in IE 8 and Chrome 8 claiming the site is webmail.mmorpgmarketplace.com, but presents a cert for webmail.derfy.net. Firefox 3.6.7 works as expected, using the proper cert for both sites.

What, if anything, am I doing wrong?

```
root@derfy:/etc/apache2/sites-available# cat webmail.derfy.net
<VirtualHost *:443>
DocumentRoot /var/www/root/webmail.derfy.net
ServerName webmail.derfy.net
SSLEngine On
SSLCertificateFile /etc/apache2/keys/webmail.crt
SSLCertificateKeyFile /etc/apache2/keys/webmail.key
</VirtualHost>
```

```
root@derfy:/etc/apache2/sites-available# cat webmail.mmorpgmarketplace.com
<VirtualHost *:443>
DocumentRoot /var/www/root/webmail.mmorpgmarketplace.com
ServerName webmail.mmorpgmarketplace.com
SSLEngine On
SSLCertificateFile /etc/apache2/keys/webmail.mmp.crt
SSLCertificateKeyFile /etc/apache2/keys/webmail.mmp.key
</VirtualHost>
```

13 Replies

What version of Windows are you using for these tests? Browsers running under Windows XP don't support SNI.

Edit: I should have specified which browsers I was referring to; this would be any version of IE under Windows XP (ref: http://en.wikipedia.org/wiki/ServerNameIndication).

I don't have a Windows 7 instance handy at the moment, but both Firefox 3.6.13 and Safari 5.0.3 on Mac OS X show the correct name on each certificate, so I'm at a bit of a loss as to where the problem might be.

I've tried https://webmail.mmorpgmarketplace.com and it shows webmail.mmorpgmarketplace.com certificate with FF 3.6.13, IE 8 and Chrome 8 under Win 7 x64.

Just tried it and Chrome popped up: This is probably not the site you are looking for! You attempted to reach webmail.mmorpgmarketplace.com, but instead you actually reached a server identifying itself as webmail.derfy.net. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of webmail.mmorpgmarketplace.com. You should not proceed.

Uninstalled both certs from Chrome, and tried mmo again, and it still presents webmail.derfy.net's cert. Is it just a problem on my end?

Edit: I should note that with webmail.derfy.net disabled mmorpgmarketplace.com works fine. With both enabled, I get the described behavior.

Edit2: I tried a test site (https://alice.sni.velox.ch/) and got this:

Unfortunately, your client [Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10] did not send a TLS server name indication extension (RFC 4366) in its ClientHello (negotiated protocol: TLSv1), so you're probably getting warnings about certificate name mismatches.

And fixed. Unchecked 'Use SSL 2.0' in Chrome options. Sheesh, I'm an idiot.
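The symptom in the original post (the first `*:443` vhost's certificate served for the second name) and the test-site result above (a ClientHello with no SNI extension) can be reproduced from the command line without a browser. The script below is an added example, not code from the thread: it probes a host with and without SNI using the `openssl s_client` CLI and reduces the two observations to a one-word verdict. It assumes an `openssl` binary on the path; the `-noservername` flag exists in OpenSSL 1.1.1 and later (older builds send no SNI unless `-servername` is given, so drop the flag there), and the hostnames in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): probe an HTTPS host with and without the
# TLS Server Name Indication extension and report which certificate comes back.
# Assumes the openssl CLI; "-noservername" needs OpenSSL 1.1.1 or later.

# Pull the leaf certificate's subject CN out of "openssl s_client" output.
# Handles both the old "subject=/C=US/CN=host" and the newer
# "subject=C = US, CN = host" layouts. Reads stdin, so it can be exercised on
# captured or constructed output as well as on a live connection.
extract_subject_cn() {
  sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# Fetch the subject CN for $1:$2, sending SNI when $3 is "sni", none otherwise.
# "Q" on stdin tells s_client to close the connection after the handshake.
probe_cn() {
  host=$1; port=$2; mode=$3
  if [ "$mode" = "sni" ]; then
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | extract_subject_cn
  else
    printf 'Q\n' | openssl s_client -connect "$host:$port" -noservername 2>/dev/null | extract_subject_cn
  fi
}

# Turn the two observations into a verdict:
#   server-ignores-sni : wrong cert even when SNI is sent -> vhost/ServerName problem on the server
#   sni-required       : right cert only with SNI -> the first *:443 vhost is the fallback for
#                        clients whose ClientHello carries no SNI (the situation in this thread:
#                        an SSLv2-compatible ClientHello cannot carry TLS extensions)
#   no-sni-needed      : same cert either way (single vhost, or one cert covering both names)
sni_verdict() {
  expected=$1; with_sni=$2; without_sni=$3
  if [ "$with_sni" != "$expected" ]; then
    echo "server-ignores-sni"
  elif [ "$without_sni" != "$expected" ]; then
    echo "sni-required"
  else
    echo "no-sni-needed"
  fi
}

# Usage: sni_check webmail.example.test [443]   (hostname is a placeholder)
sni_check() {
  host=$1; port=${2:-443}
  with_sni=$(probe_cn "$host" "$port" sni)
  without_sni=$(probe_cn "$host" "$port" plain)
  echo "with SNI:    ${with_sni:-<no certificate / handshake failed>}"
  echo "without SNI: ${without_sni:-<no certificate / handshake failed>}"
  echo "verdict:     $(sni_verdict "$host" "$with_sni" "$without_sni")"
}

# Only probe the network when a host is given on the command line.
if [ "$#" -gt 0 ]; then
  sni_check "$@"
fi
```

A `sni-required` verdict is the expected state for a name-based SSL setup like the one in this thread and matches the `[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support` line in the Apache log; it is the client, not the server, that has to send the extension. `server-ignores-sni` is the case to investigate on the Apache side.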

EDIT: OP has fixed it ^^

@derfy:

And fixed. Unchecked 'Use SSL 2.0' in Chrome options. Sheesh, I'm an idiot.

It might be worth noting that "Use SSL 2.0" is disabled by default in Chrome ;)

I think I enabled it under the famous 'more options = more better' mindset. :(

Crappy old crypto protocols = less better. That's why it's off by default.

I'm surprised Chrome still supports it at all; Firefox completely removed it a while back.

I think the confusion comes from lack of helpfiles. How should the end-user know that SSL 2.0 is old?

A few strong indications that SSL 2.0 ought not be used would include the fact that it isn't checked by default, appears immediately next to "SSL 3.0", and a Google search for "SSL 2.0" finds the following phrases in the text summaries:

"…SSL 2.0 has a weak MAC construction…"

"…Windows Server 2008 using IIS 7 allows SSL 2.0 by default. Unfortunately, this means you will fail a PCI Compliance scan…"

"…Firefox 2, no longer allows you to enable SSL 2 encryption protocols due to the fact SSL 2 is not very secure…"

"…why we didn't implement SSL 2.0 in the library. There are several reasons, most important being that it has serious security…"

Aside from, of course, the following in the Chrome help files:

http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95572

Check for certificate revocation is unchecked by default - does checking it hurt security?

Also, it'd be nice if google helpfiles launched from either F1, right-click help, a tooltip, or a questionmark on the upper-right. Any one of the standard ways to get to a helpfile from within a dialog would be nice.

Change to 'Use SSL 2.0 (not recommended)' with a link to why.

Or even 'Use legacy SSL' would hint most users that it should remain unchecked.
