
Apache cannot serve SSL for multiple name-based virtual hosts on a single IP; in other words, SSL service only works with IP-based virtual hosts.

The Apache documentation at http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts explains it all:

Why can't I use SSL with name-based/non-IP-based virtual hosts?
The reason is very technical, and a somewhat "chicken and egg" problem. The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server Apache has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase. Bingo!
http://help.directadmin.com/item.php?id=89
Why do I need an owned IP for my own SSL certificate? Last Modified: Oct 26, 2005, 3:20 pm
The reason you must have your own IP address when you want to use your own SSL certificate (when you don't want the server wide shared certificate) is because of the way SSL and apache (httpd) works.
For name based webhosting (when many domains are on one IP) the web browser will pass the name of the domain being requested inside the httpd headers along with the request. This way, apache knows which domain you are trying to access even though there are many domains on that one IP address.
When you do the same thing through an SSL connection, the connection has to be made *before* the request can be sent. In this connection, the certificate is passed. The only information that apache knows before the request is made is which IP the connection is being made to. It has to be able to know which certificate to send before the request is made, thus you can't use multiple certificates on the same IP (if you do, apache will use the first certificate listed which DA will always set to the server shared certificate for shared IPs).
If you want to use your own certificate, it must be the first certificate listed. This wouldn't work for a shared IP, because there would be multiple domains wanting this status, and the first certificate would be the one shown. For this reason the shared certificate is always used on a shared IP. For your certificate, DA will acknowledge the IP as being 'owned' and will remove the server shared certificate as the first cert to be loaded, thus your certificate will be loaded instead.
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html


Tags: apache ssl

Setting up an SSL certificate - OpenSSL

Using the configuration file to customize and generate the CA, CSR and CRT

Fedora Core release 6 (Zod) + OpenSSL 0.9.8b 04 May 2006

[1.] Create the CA
         /etc/pki/tls/misc/CA -newca

CA certificate filename (or enter to create)
 (enter)
Making CA certificate ...
Generating a 1024 bit RSA private key
...................++++++
.........................................................................++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase: (enter passphrase)
Verifying - Enter PEM pass phrase: (enter passphrase)
-----


Postfix + TLS

Build

   make tidy

   make makefiles CCARGS="-DUSE_TLS -I/usr/include/openssl/" AUXLIBS="-L/usr/lib -lssl -lcrypto"


If Postfix is already installed, only the upgrade target is needed:

   make upgrade


find /usr/ -name ssl.*

/usr/include/openssl/ssl.h


Tags: postfix tls ssl

Appending an SSH public key to a remote host with cat

cat /root/.ssh/id_rsa.pub | ssh 192.168.1.1 "cat >> /root/.ssh/authorized_keys"

Public key setup, ref: http://ssorc.tw/rewrite.php/read-260.html
Tags: ssl ssh

openssl commands

Generate a private key and a certificate (365 days, 1024 bits)

openssl req -new -x509 -keyout server.key -out server.crt -days 3650 -newkey rsa:1024

   -nodes : leave the private key unencrypted (no passphrase)

   -subj '/C=TW/ST=Taiwan/L=Taipei/CN=ssorc.tw/emailAddress=cross@ssorc.tw' : subject information; when given, openssl does not prompt for it interactively


Generate a private key and a certificate signing request (CSR)

   openssl req -new -keyout server.key -out server.csr -days 365 -newkey rsa:1024

   To generate the CSR from an existing private key:

openssl req -new -key server.key -out server.csr

Sign the CSR to produce the CRT
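The CA, CSR and signing steps from the excerpts above, scripted end to end as an added example (not code from the original post): the -subj and -nodes options make every step non-interactive, and a final openssl verify confirms the issued certificate actually chains to the CA. It assumes an openssl binary on PATH and uses 2048-bit keys instead of the post's 1024, since current OpenSSL builds reject or warn about 1024-bit RSA; file names and subjects are constructed for the example.

```shell
#!/bin/sh
# Added example: CA -> server CSR -> CA-signed CRT -> chain check, non-interactive.
# Assumes: openssl on PATH; scratch directory in $WORK (a temp dir by default).
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ_CA='/C=TW/ST=Taiwan/L=Taipei/CN=Example Test CA'        # constructed subject
SUBJ_SRV='/C=TW/ST=Taiwan/L=Taipei/CN=www.example.com'       # constructed subject

# 1. Self-signed CA certificate and key: the "req -new -x509" form from the post,
#    with -nodes so the CA key is written unencrypted (fine for a throwaway test CA).
make_ca() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
    -subj "$SUBJ_CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server private key plus CSR: "req -new" without -x509 yields a request, not a cert.
make_csr() {
  openssl req -new -nodes -newkey rsa:2048 \
    -subj "$SUBJ_SRV" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# 3. Sign the CSR with the CA to produce the server CRT (365 days).
#    -CAcreateserial creates ca.srl on first use and increments it afterwards.
sign_csr() {
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# 4. Verify the chain against the CA and print the issued certificate's subject.
#    Returns non-zero if the certificate was not signed by this CA.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$WORK/server.crt" -noout -subject
}

build_all() { make_ca && make_csr && sign_csr && verify_chain; }

build_all
```

Run it with WORK set to a directory of your choice to keep the generated ca.crt, server.key and server.crt.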


Tags: ssl openssl