Project

General

Profile

Multiple https certs doesn't work

Added by hvdkamer over 14 years ago

In Lighttpd 1.4.24 the TLS SNI extension is added. Today I tried to test this, but it is partially working. Part of the config:

$SERVER["socket"] == "0.0.0.0:443" {
  ssl.engine                  = "enable" 
  ssl.pemfile                 = "/etc/lighttpd/test.hetlab.tk.pem" 
  ssl.ca-file                 = "/etc/lighttpd/ca.crt" 

...

$HTTP["host"] == "skinnen.hetlab.tk" {
  ssl.pemfile = "/etc/lighttpd/skinnen.hetlab.tk.pem" 

In ca.crt the StartSSL intermediate certificate and root certificate are added. As said it is partially working:

asterix:/etc/lighttpd# openssl s_client -CAfile ca.crt -connect localhost:443 -servername skinnen.hetlab.tk
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify return:1
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 /description=113761-t36RrRcvsu9Jw9mq/C=NL/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=skinnen.hetlab.tk/emailAddress=henk@vandekamer.(nospam)com
verify return:1

asterix:/etc/lighttpd# openssl s_client -CAfile ca.crt -connect localhost:443 -servername test.hetlab.tk
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify return:1
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 /description=113757-vVM96CaNCmVB7a03/C=NL/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=test.hetlab.tk/emailAddress=henk@vandekamer.(nospam)com
verify return:1

asterix:/etc/lighttpd# openssl s_client -CAfile ca.crt -connect localhost:443 -servername skinnen.hetlab.tk
CONNECTED(00000003)
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify return:1
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 /description=113757-vVM96CaNCmVB7a03/C=NL/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=test.hetlab.tk/emailAddress=henk@vandekamer.(nospam)com
verify return:1

So the first attempt works, but after that only the test.hetlab.tk certificate is used until a restart of Lighttpd. Then it works exactly one time. So this isn't very usefull :-). Is my configuration faulty? Or is this a bug? Can someone confirm this?


Replies (11)

RE: Multiple https certs doesn't work - Added by stbuehler over 14 years ago

I guess this looks like a real bug - so it would be nice if you create an issues for it (so i don't forget to have a closer look at it :))
It would be helpful if you could provide a small "real" config you used to reproduce it.

RE: Multiple https certs doesn't work - Added by stbuehler over 14 years ago

Oh sry, did you say 1.4.24? Fixed in 1.4.25: "reset tlsext_server_name in connection_reset - fixes random hostnames in the $HTTP["host"] conditional"

RE: Multiple https certs doesn't work - Added by hvdkamer over 14 years ago

I use 1.4.25. The 1.4.24 I mentioned was the version in which this functionality was introduced:

asterix:~$ wget -S localhost
--2009-12-15 20:32:04--  http://localhost/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.0 200 OK
  X-Powered-By: PHP/5.3.1
  Content-type: text/html; charset=utf-8
  Content-Length: 31
  Connection: keep-alive
  Date: Tue, 15 Dec 2009 19:32:04 GMT
  Server: lighttpd/1.4.25

May be the fix in 1.4.25 is not enough? I checked the patch for 1.4.24 and 1.5.0 and that last one changes more files. However I'm not a programmer, so the differences could be normal :-).

RE: Multiple https certs doesn't work - Added by hvdkamer over 14 years ago

Ie checked 1.5.0 revison 2700 out of the repository, compiled and installed it on a identical server and configuration. I randomly did 100 requests as follows:

ve70:/etc/lighttpd# echo "GET / HTTP/1.1" | openssl s_client -CAfile ca.crt -connect localhost:443 -servername xxx.hetlab.tk 2>&1 | grep -E '^subject' | sed -re 's/.*CN=([^/]*).*/\1/'

That line gives the CN from the certificate and in all cases it matches with the requested xxx. In 1.4.25 -- sometimes a few more request seems to go okay -- it goes wrong the moment you request the website with the default certificate. So I'm almost sure this is a bug in version 1.4.25 and if you agree I will report it as such.

RE: Multiple https certs doesn't work - Added by digital over 14 years ago

I can confirm this is the same issue for myself [running 1.4.25 and 1.4.x SVN of 12/23]. Please proceed with opening a ticket.

RE: Multiple https certs doesn't work - Added by dbb over 14 years ago

Was an issue created for this? I'd like to watch it.

RE: Multiple https certs doesn't work - Added by nitrox over 14 years ago

Nope, and as that we just ignore this :-)

Please create a new ticket and add yourself to the followers.

RE: Multiple https certs doesn't work - Added by dbb over 14 years ago

nitrox wrote:

Nope, and as that we just ignore this :-)

Please create a new ticket and add yourself to the followers.

Done: http://redmine.lighttpd.net/issues/2125

RE: Multiple https certs doesn't work - Added by hvdkamer about 14 years ago

Thanks for creating the ticket.

The last fortnight I was busy with another posible solution too this problem. The Strato rootservers now have IPv6 :-). I had a few problems with some of the examples, but I now have a working solution. And Lighttpd is now a IPv6 proxy for websites which are hosted on servers who only have IPv4.

RE: Multiple https certs doesn't work - Added by digital about 14 years ago

Followed up on the ticket opened, curious to find out where we are with the problem?

RE: Multiple https certs doesn't work - Added by stbuehler about 14 years ago

I have still no idea why it fails.

    (1-11/11)