[Solved] SNI SSL settings

Added by Soba almost 8 years ago

Hi,

I'm trying to use SNI SSL.
FQDN=>example.com, test.example.com

With Setting A, each FQDN was accessible from a browser, but with Setting B, test.example.com was not accessible from a browser.

Please let me know the reason why Setting B does not work.

[Setting A => OK]

$HTTP["host"] == "example.com" {
# settings
}
$HTTP["host"] == "test.example.com" {
# settings
}
$SERVER["socket"] == ":443" {
  ssl.engine  = "enable" 
  ssl.pemfile = "/etc/pki/tls/certs/test_example_com.pem" 
  ssl.ca-file = "/etc/pki/tls/certs/test_example_com.intermediate" 

  $HTTP["host"] == "example.com"{
    ssl.pemfile = "/etc/pki/tls/certs/example_com.pem" 
    ssl.ca-file = "/etc/pki/tls/certs/example_com.intermediate" 
  }
}

[Setting B => NG]

$HTTP["host"] == "example.com" {
# settings
}
$HTTP["host"] == "test.example.com" {
# settings
}
$SERVER["socket"] == ":443" {
  ssl.engine  = "enable" 
  ssl.pemfile = "/etc/pki/tls/certs/example_com.pem" 
  ssl.ca-file = "/etc/pki/tls/certs/example_com.intermediate" 

  $HTTP["host"] == "test.example.com"{
    ssl.pemfile = "/etc/pki/tls/certs/test_example_com.pem" 
    ssl.ca-file = "/etc/pki/tls/certs/test_example_com.intermediate" 
  }
}

  • OS: CentOS 6.8
  • Lighttpd: 1.4.39
  • Browser: Google Chrome, Mozilla Firefox
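The browser check behind the symptom above (which leaf certificate the server returns for a given SNI name, and whether that certificate is valid for the name) can be scripted so that both hostnames are tested the same way after each config change. The following is an added example written for this thread; it is not lighttpd code and not code from the original post. The hostname-matching rules are the RFC 6125 rules browsers apply (subjectAltName DNS entries only, wildcard restricted to the left-most label); the network helper assumes the server's chain validates against the system CA store, since Python's `getpeercert()` only returns the parsed certificate when verification succeeds.

```python
"""Report the certificate a TLS server presents for a given SNI name and
whether it is valid for that name (the check Chrome performs before
raising NET::ERR_CERT_COMMON_NAME_INVALID).

Added example for this thread; not part of lighttpd.
"""
import socket
import ssl
import sys


def hostname_matches(hostname: str, cert: dict) -> bool:
    """Return True if `cert` (dict format from ssl.SSLSocket.getpeercert())
    is valid for `hostname`.

    Browser rules (RFC 6125): only subjectAltName DNS entries count, a bare
    commonName is ignored, and a wildcard replaces exactly one left-most
    label (so *.example.com covers test.example.com but not example.com or
    a.b.example.com)."""
    hostname = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == hostname:
            return True
        if pattern.startswith("*."):
            host_labels = hostname.split(".")
            pat_labels = pattern.split(".")
            if len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]:
                return True
    return False


def san_names(cert: dict) -> list:
    """Extract the DNS names from a certificate's subjectAltName."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def served_certificate(sni_name: str, host: str, port: int = 443) -> dict:
    """Connect to host:port, send `sni_name` in the TLS SNI extension and
    return the leaf certificate the server presents.

    Hostname checking is disabled on purpose so a wrong-but-valid cert is
    returned instead of aborting the handshake; chain validation stays on,
    so an untrusted chain raises ssl.SSLCertVerificationError (itself a
    finding worth reporting)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert()


def check_sni(sni_name: str, host: str, port: int = 443) -> tuple:
    """Return (names_in_served_cert, matches) for one SNI name."""
    cert = served_certificate(sni_name, host, port)
    return san_names(cert), hostname_matches(sni_name, cert)


if __name__ == "__main__":
    # usage: python check_sni.py <sni-name> [connect-host] [port]
    # e.g.   python check_sni.py test.example.com 192.0.2.10 443
    name = sys.argv[1]
    target = sys.argv[2] if len(sys.argv) > 2 else name
    port_no = int(sys.argv[3]) if len(sys.argv) > 3 else 443
    names, ok = check_sni(name, target, port_no)
    print(f"SNI {name}: server presented cert for {names} -> {'OK' if ok else 'MISMATCH'}")
```

Running it once per FQDN (`example.com` and `test.example.com`) against the same IP shows directly whether the server selects a different certificate per SNI name or keeps returning the default one, which is what the Chrome message in the reply below reports.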

Replies (5)

RE: SNI SSL settings - Added by gstrauss almost 8 years ago

I believe this was fixed back in Feb 2016. See https://redmine.lighttpd.net/issues/2598
These fixes are in the lighttpd git master branch which will be part of the upcoming lighttpd 1.4.40 release.

Are you able to build and test from git source control to see if your issue has already been fixed? Thanks.

RE: SNI SSL settings - Added by Soba almost 8 years ago

Thank you for your support.
I have updated to 1.4.40, but it did not work.

# /usr/local/sbin/lighttpd -v
lighttpd/1.4.40-devel-lighttpd-1.4.39-197-gb482bfd (ssl) - a light and fast webserver

[Google chrome's error]

Your connection is not private

Attackers might be trying to steal your information from test.example.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is test.example.com; its security certificate is from example.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

RE: SNI SSL settings - Added by gstrauss almost 8 years ago

Thanks for testing the latest development branch.

This might be related to your issue: https://redmine.lighttpd.net/issues/2562
It'll take me some time to dig into it further.

RE: SNI SSL settings - Added by gstrauss almost 8 years ago

As posted in https://redmine.lighttpd.net/issues/2562:

A pull request has been submitted in https://github.com/lighttpd/lighttpd1.4/pull/62 which permits specifying the server cert chain. Does that patch provide a solution to your issue?

RE: SNI SSL settings - Added by gstrauss over 3 years ago

Fixed in #2562 in lighttpd 1.4.47
