Ropeguru
Joined: 26 Jun 2014 Posts: 12 Location: USA, Richmond
Posted: Fri 27 Jun '14 0:03 Post subject: Apache 2.2.27 with openssl-0.9.8za issue
Hello everyone. First time posting so please, if I forget any info, ask me.
We have just upgraded to the Apache 2.2.27 w/ openssl-0.9.8za configuration. Apparently we have gotten bit by a bug that was fixed in 0.9.8za with regards to openssl now sending SNI alerts from Apache.
We know we have a configuration issue in Apache that is causing this. However, I am fairly new to this and have been tasked with fixing it. Right now I have loaded apache 2.2.27 w/ openssl-0.9.8za then used the appropriate files, mod_ssl etc., to downgrade openssl back to 0.9.8y and all seems to be working.
So, my question is that we are using this as a reverse proxy with ProxyPass and have multiple aliases in the SSL certificate. What is the best practice for the configuration of this type? I think I have read to use VirtualHost for this, but how does that work with the aliases?
Is the hostname in the VirtualHost section tied to the real server name, with an additional alias parameter added? How do I deal with multiple aliases and the virtual host? All are listening on the same IP and SSL port on the front end of the proxy.
Any constructive thoughts are appreciated.
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
Posted: Fri 27 Jun '14 9:58 Post subject:
Can you describe the issue with za in more detail?

Ropeguru
Joined: 26 Jun 2014 Posts: 12 Location: USA, Richmond
Posted: Fri 27 Jun '14 12:16 Post subject:
admin wrote: "Can you describe the issue with za in more detail?"
It is an SNI issue. When openssl was patched, mobile clients that we have out in the field, which run Java 7, could not connect. My understanding is that previously a bug in openssl did not honor apache's request to send an SNI alert when instructed. Apparently version 0.9.8za corrected that.
I found a discussion that matched our issue and the update to za was the issue. When I get to work here in a little bit, I will post the link to the thread.
We had someone propose to put in a virtual host section and list the alias in the virtual host that was breaking, which is fine. But I have the task of making things "right" and not cobbling together a piecemeal solution.

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 27 Jun '14 19:15 Post subject:
Ropeguru wrote: "We had someone propose to put in a virtual host section and list the alias in the virtual host that was breaking, which is fine. But I have the task of making things "right" and not cobbling together a piecemeal solution."
Reading the bug report you posted it sounds like both Apache and (now) OpenSSL are doing things per the RFC dictating this and will not be reverted. As was stated if you were running with OpenSSL 1.0.0 or later you'd have run into this sooner.
This solution someone proposed of adding aliases to the vhost seems to be the proper one in this case.

Ropeguru
Joined: 26 Jun 2014 Posts: 12 Location: USA, Richmond
Posted: Fri 27 Jun '14 21:06 Post subject:
Yes, I agree.
That is more of what this post is about. Because of the bug fix, we are having to rewrite our configs. I wrote about the history to give an idea why I was having to do this.
So....
I am guessing that for every alias in my SAN certificate, I need a VirtualHost section. In that section my ServerName will be one of the subject alternative names, and all proxy and rewrite rules for that name will go in that virtual host.
Is the above correct?

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 27 Jun '14 23:42 Post subject:
To be honest I'm not completely clear on what you're doing, since I have no need for a proxy and rewrite rules can be dumbfounding, but:
If the rewrite rule is the same for all (sounds like it) and obviously it's just the one cert, this may be a good use for mod_macro.
Code:
    <IfModule macro_module>
    ## Define a SSLHost Macro.
    <Macro SSLHost $h>
        <VirtualHost *:443>
            ServerName $h
            # all other stuff that is the SAME for every hostname
        </VirtualHost>
    </Macro>
    Use SSLHost www.hostname.net
    Use SSLHost www.otherhost.com
    Use SSLHost www.yetanother.org
    Use SSLHost www.etc.edu
    </IfModule>
This will save you from copying the same thing over and over and just changing the ServerName on each of them. I do not see mod_macro for 2.2 available here, but we have them at The Apache Haus.

Ropeguru
Joined: 26 Jun 2014 Posts: 12 Location: USA, Richmond
Posted: Sat 28 Jun '14 14:55 Post subject:
Rewrite rules are different for each "alias" that is listed in my current config. Each alias will be in its own virtual host.
So my theory is correct that if there are ProxyPass and/or rewrite rules that are specific to each alias, they go in each virtual host.
I have started rewriting my configs in this manner already from what I have read at Apache's site and other web sites.
Thanks for the help in at least pointing me in the right direction.
Robert
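Putting the approach agreed on above into a concrete Apache 2.2 configuration, as an added example that is not from any poster in this thread; the hostnames, backend addresses and certificate paths are placeholders:

```apache
# Added example, not from the thread. One <VirtualHost> per SAN name, all on
# the same IP and port 443, sharing one SAN certificate; the per-alias
# ProxyPass / RewriteRule lines live inside the vhost for that name.
# Apache 2.2 needs NameVirtualHost for name-based (SNI-selected) vhosts.
NameVirtualHost *:443

# First vhost on *:443 is the default: it serves clients that send no SNI.
<VirtualHost *:443>
    ServerName  www.example.net            # placeholder SAN name 1
    ServerAlias example.net                # second SAN name served by this vhost
    SSLEngine on
    SSLCertificateFile    /path/to/san-cert.pem      # placeholder, same cert in every vhost
    SSLCertificateKeyFile /path/to/san-cert-key.pem  # placeholder
    ProxyRequests Off                      # reverse proxy only, never a forward proxy
    ProxyPreserveHost On
    ProxyPass        / http://backend-a.internal:8080/   # placeholder backend
    ProxyPassReverse / http://backend-a.internal:8080/
</VirtualHost>

<VirtualHost *:443>
    ServerName api.example.net             # placeholder SAN name 3
    SSLEngine on
    SSLCertificateFile    /path/to/san-cert.pem
    SSLCertificateKeyFile /path/to/san-cert-key.pem
    ProxyRequests Off
    # Alias-specific rewrite rule proxied to a different backend ([P] flag).
    RewriteEngine On
    RewriteRule ^/v1/(.*)$ http://backend-b.internal:8081/v1/$1 [P]
    ProxyPassReverse /v1/ http://backend-b.internal:8081/v1/
</VirtualHost>
```

Every name in the certificate's SAN list must appear as ServerName or ServerAlias of one of these vhosts: a name the client sends in SNI that matches no vhost is what makes mod_ssl request the unrecognized_name alert this thread is about.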
Ropeguru
Joined: 26 Jun 2014 Posts: 12 Location: USA, Richmond
Posted: Wed 02 Jul '14 13:35 Post subject:
Wanted to thank everyone for their help. I was able to complete a new config moving everything to a VirtualHost setup. Testing with 2.2.27/openssl-0.9.8za now works with the clients that previously could not connect.