Ssl

使用虛擬主機證書

  • March 6, 2017

我正在嘗試在基於名稱的虛擬主機中啟用 SSL。從文件中我了解到 SNI 不需要顯式啟用,如果伺服器和客戶端都符合最低要求,它會自動發生,我認為他們這樣做:

  • Apache/2.4.25 (Win32)
  • OpenSSL/1.0.2k
  • 火狐/51.0.1 (x64)

我已將配置剝離到最低限度:

Listen 80

LoadModule ssl_module modules/mod_ssl.so


<VirtualHost *:80>
   ServerName localhost
   DocumentRoot "D:/Servidores/Apache/htdocs"
</VirtualHost>


Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300

<VirtualHost _default_:443>
   ServerName localhost
   DocumentRoot "D:/Servidores/Apache/htdocs"
   SSLEngine on
   SSLCertificateFile "D:/DOS/Apache24/conf/server.crt"
   SSLCertificateKeyFile "D:/DOS/Apache24/conf/server.key"
</VirtualHost>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin


<VirtualHost *:80>
   ServerName tmp
   DocumentRoot "D:/tmp"
</VirtualHost>
<VirtualHost *:443>
   ServerName tmp
   DocumentRoot "D:/tmp"
   SSLCertificateFile "D:/Servidores/Apache/certificados/tmp.crt"
   SSLCertificateKeyFile "D:/Servidores/Apache/certificados/tmp.key"
</VirtualHost>
C:\>httpd -f conf/prueba-test.conf

然而,當我嘗試載入時,https://tmp/我總是從<VirtualHost _default_:443>(對於 host localhost)而不是從(對於ServerName tmphost )獲取證書tmp

這是記錄的內容:

[Fri Mar 03 14:11:57.360237 2017] [ssl:warn] [pid 11684:tid 668] AH01906: tmp:80:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 03 14:11:57.361240 2017] [ssl:warn] [pid 11684:tid 668] AH01906: localhost:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 03 14:11:57.433220 2017] [ssl:warn] [pid 11684:tid 668] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Mar 03 14:11:57.433220 2017] [ssl:warn] [pid 11684:tid 668] AH01906: tmp:80:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 03 14:11:57.434223 2017] [ssl:warn] [pid 11684:tid 668] AH01906: localhost:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 03 14:11:57.436228 2017] [mpm_winnt:notice] [pid 11684:tid 668] AH00455: Apache/2.4.25 (Win32) OpenSSL/1.0.2k configured -- resuming normal operations
[Fri Mar 03 14:11:57.436228 2017] [mpm_winnt:notice] [pid 11684:tid 668] AH00456: Apache Lounge VC14 Server built: Dec 17 2016 10:42:52
[Fri Mar 03 14:11:57.436228 2017] [core:notice] [pid 11684:tid 668] AH00094: Command line: 'httpd -d D:/DOS/Apache24 -f conf/prueba-ssl.conf'
[Fri Mar 03 14:11:57.444250 2017] [mpm_winnt:notice] [pid 11684:tid 668] AH00418: Parent: Created child process 15380
[Fri Mar 03 14:11:57.910024 2017] [ssl:warn] [pid 15380:tid 648] AH01906: localhost:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 03 14:11:57.988164 2017] [ssl:warn] [pid 15380:tid 648] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Mar 03 14:11:57.988164 2017] [ssl:warn] [pid 15380:tid 648] AH01906: localhost:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Mar 03 14:11:57.988164 2017] [mpm_winnt:notice] [pid 15380:tid 648] AH00354: Child: Starting 64 worker threads.

問題可能是什麼?

最後,這不過是一個愚蠢的錯誤。我在輔助虛擬主機中錯過了這個:

SSLEngine on

由於這是啟用 SSL 的指令,因此我在此類主機中根本沒有 SSL(既不是 SNI,也不是正常的)。

(該指令多年來一直存在於我所有基於 IP 的虛擬主機中,但是當我開始使用 SNI 時,有人設法在我正在測試的主機中將其刪除。)

這可能與它們的配置順序有關。嘗試將<VirtualHost _default_:443>配置移動到文件底部並重新載入/重新啟動 apache。

引用自:https://serverfault.com/questions/836096