Multiple https certs doesn't work
Added by hvdkamer almost 15 years ago
In Lighttpd 1.4.24 the TLS SNI extension is added. Today I tried to test this, but it is partially working. Part of the config:
    $SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/test.hetlab.tk.pem"
        ssl.ca-file = "/etc/lighttpd/ca.crt"
        ...
        $HTTP["host"] == "skinnen.hetlab.tk" {
            ssl.pemfile = "/etc/lighttpd/skinnen.hetlab.tk.pem"
        }
    }
In ca.crt the StartSSL intermediate certificate and root certificate are added. As said it is partially working:
    asterix:/etc/lighttpd# openssl s_client -CAfile ca.crt -connect localhost:443 -servername skinnen.hetlab.tk
    CONNECTED(00000003)
    depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    verify return:1
    depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
    verify return:1
    depth=0 /description=113761-t36RrRcvsu9Jw9mq/C=NL/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=skinnen.hetlab.tk/emailAddress=henk@vandekamer.(nospam)com
    verify return:1

    asterix:/etc/lighttpd# openssl s_client -CAfile ca.crt -connect localhost:443 -servername test.hetlab.tk
    CONNECTED(00000003)
    depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    verify return:1
    depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
    verify return:1
    depth=0 /description=113757-vVM96CaNCmVB7a03/C=NL/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=test.hetlab.tk/emailAddress=henk@vandekamer.(nospam)com
    verify return:1

    asterix:/etc/lighttpd# openssl s_client -CAfile ca.crt -connect localhost:443 -servername skinnen.hetlab.tk
    CONNECTED(00000003)
    depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    verify return:1
    depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
    verify return:1
    depth=0 /description=113757-vVM96CaNCmVB7a03/C=NL/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=test.hetlab.tk/emailAddress=henk@vandekamer.(nospam)com
    verify return:1
So the first attempt works, but after that only the test.hetlab.tk certificate is used until a restart of Lighttpd. Then it works exactly one time. So this isn't very useful :-). Is my configuration faulty? Or is this a bug? Can someone confirm this?
Replies (11)
RE: Multiple https certs doesn't work - Added by stbuehler almost 15 years ago
I guess this looks like a real bug - so it would be nice if you created an issue for it (so I don't forget to have a closer look at it :))
It would be helpful if you could provide a small "real" config you used to reproduce it.
RE: Multiple https certs doesn't work - Added by stbuehler almost 15 years ago
Oh sorry, did you say 1.4.24? Fixed in 1.4.25: "reset tlsext_server_name in connection_reset - fixes random hostnames in the $HTTP["host"] conditional"
RE: Multiple https certs doesn't work - Added by hvdkamer almost 15 years ago
I use 1.4.25. The 1.4.24 I mentioned was the version in which this functionality was introduced:
    asterix:~$ wget -S localhost
    --2009-12-15 20:32:04--  http://localhost/
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response...
      HTTP/1.0 200 OK
      X-Powered-By: PHP/5.3.1
      Content-type: text/html; charset=utf-8
      Content-Length: 31
      Connection: keep-alive
      Date: Tue, 15 Dec 2009 19:32:04 GMT
      Server: lighttpd/1.4.25
Maybe the fix in 1.4.25 is not enough? I checked the patch for 1.4.24 and 1.5.0 and that last one changes more files. However, I'm not a programmer, so the differences could be normal :-).
RE: Multiple https certs doesn't work - Added by hvdkamer almost 15 years ago
I checked 1.5.0 revision 2700 out of the repository, compiled and installed it on an identical server and configuration. I randomly did 100 requests as follows:
    ve70:/etc/lighttpd# echo "GET / HTTP/1.1" | openssl s_client -CAfile ca.crt -connect localhost:443 -servername xxx.hetlab.tk 2>&1 | grep -E '^subject' | sed -re 's/.*CN=([^/]*).*/\1/'
That line gives the CN from the certificate, and in all cases it matches the requested xxx. In 1.4.25 -- sometimes a few more requests seem to go okay -- it goes wrong the moment you request the website with the default certificate. So I'm almost sure this is a bug in version 1.4.25, and if you agree I will report it as such.
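The one-liner above checks a single name at a time. The script below, added here as an example and not part of the thread or of lighttpd, repeats that check over several SNI names for a number of rounds and reports every handshake whose certificate CN differs from the name sent in the ClientHello, which is exactly the symptom described in this thread (asking for skinnen.hetlab.tk and receiving the test.hetlab.tk certificate). The host, port, hostnames and the `subject=` line formats are assumptions; the CN parser accepts both the old slash-separated and the newer comma-separated OpenSSL subject output.

```shell
#!/bin/sh
# Added example: sweep a TLS endpoint with several SNI names and flag any
# response whose leaf certificate CN does not match the requested name.

# Pull the CN out of an s_client "subject=" line. Handles both
#   subject=/C=NL/O=Example/CN=test.hetlab.tk/emailAddress=...   (older OpenSSL)
#   subject=C = NL, O = Example, CN = test.hetlab.tk, ...         (OpenSSL >= 1.1)
cn_from_subject() {
    printf '%s\n' "$1" | sed -E 's|.*CN ?= ?([^/,]*).*|\1|'
}

# Return 0 when the CN in the subject line ($2) equals the requested name ($1).
check_sni_match() {
    [ "$(cn_from_subject "$2")" = "$1" ]
}

# sni_sweep HOST PORT ROUNDS NAME... : cycle through NAME... ROUNDS times,
# one fresh handshake per request, and count certificate/SNI mismatches.
# (Assumed invocation, e.g.: sni_sweep localhost 443 100 test.hetlab.tk skinnen.hetlab.tk)
sni_sweep() {
    host=$1; port=$2; rounds=$3; shift 3
    bad=0; i=0
    while [ "$i" -lt "$rounds" ]; do
        for name in "$@"; do
            subj=$(printf 'GET / HTTP/1.1\r\nHost: %s\r\n\r\n' "$name" \
                | openssl s_client -connect "$host:$port" -servername "$name" 2>/dev/null \
                | grep -E '^subject' | head -n 1)
            if ! check_sni_match "$name" "$subj"; then
                echo "MISMATCH: asked for $name, got CN=$(cn_from_subject "$subj")"
                bad=$((bad + 1))
            fi
        done
        i=$((i + 1))
    done
    echo "$bad mismatching handshakes out of $((rounds * $#))"
    [ "$bad" -eq 0 ]
}

# Only run the sweep when invoked with arguments; sourcing the file defines the functions.
if [ $# -ge 4 ]; then
    sni_sweep "$@"
fi
```

A non-zero exit status from sni_sweep means at least one handshake returned the wrong certificate, so the script can be used as a regression check after upgrading lighttpd.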
RE: Multiple https certs doesn't work - Added by digital almost 15 years ago
I can confirm this is the same issue for myself [running 1.4.25 and 1.4.x SVN of 12/23]. Please proceed with opening a ticket.
RE: Multiple https certs doesn't work - Added by dbb almost 15 years ago
Was an issue created for this? I'd like to watch it.
RE: Multiple https certs doesn't work - Added by nitrox almost 15 years ago
Nope, and as that we just ignore this :-)
Please create a new ticket and add yourself to the followers.
RE: Multiple https certs doesn't work - Added by dbb almost 15 years ago
nitrox wrote:
Nope, and as that we just ignore this :-)
Please create a new ticket and add yourself to the followers.
RE: Multiple https certs doesn't work - Added by hvdkamer almost 15 years ago
Thanks for creating the ticket.
The last fortnight I was busy with another possible solution to this problem. The Strato root servers now have IPv6 :-). I had a few problems with some of the examples, but I now have a working solution. And Lighttpd is now an IPv6 proxy for websites which are hosted on servers that only have IPv4.
RE: Multiple https certs doesn't work - Added by digital almost 15 years ago
Followed up on the ticket opened, curious to find out where we are with the problem?
RE: Multiple https certs doesn't work - Added by stbuehler almost 15 years ago
I still have no idea why it fails.