RT using SSL

I’m stumped!!!
I’m trying to get RT 3.0.6 running under SSL on Apache 2.0.40 on a RH8
system. The web interface works fine (though quite slow to initially
connect). I can start SSL on Apache. When I connect with SSL running I
get the generic Apache startup page even though I have all the redirects
the same as without SSL.
My SSL virtual host data is in ssl.conf. I reference that file from
httpd.conf.
ssl.conf -
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog builtin
SSLSessionCache dbm:/etc/httpd/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/etc/httpd/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog /etc/httpd/logs/ssl_engine_log
SSLLogLevel info

## SSL Virtual Host Context

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /etc/httpd/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

#NameVirtualHost *:443
NameVirtualHost rt.iwapps.com:443

ServerName rt.iwapps.com
DocumentRoot /opt/rt3/share/html
ErrorLog logs/rt/error_log
CustomLog logs/rt/access_log combined
#AddDefaultCharset UTF-8
PerlModule Apache2 Apache::compat
PerlModule Apache::DBI
PerlRequire /opt/rt3/bin/webmux.pl

<Directory /opt/rt3/share/html>
Order allow,deny
Allow from all
Options All
AllowOverride All
AddDefaultCharset UTF-8
<Files *.html>
SetHandler perl-script
PerlHandler RT::Mason
</Files>
</Directory>

<Directory /opt/rt3/share/html/Ticket/Attachment>
SetHandler perl-script
PerlHandler RT::Mason
</Directory>

<Directory /opt/rt3/share/html/SelfService/Attachment>
SetHandler perl-script
PerlHandler RT::Mason
</Directory>

<Directory /opt/rt3/share/html/REST>
SetHandler perl-script
PerlHandler RT::Mason
</Directory>

maybe somebody can see something I missed

Hi, Leon,

To the best of my knowledge you can't do virtualhosting with SSL.  

I’ve always had to get a new IP address for each SSL host. It can run
on the same machine and same apache, IIRC. You could probably do a
rewrite rule with apache proxy for https://realhost/rt/ as a
workaround.

-Bill

On Dec 5, 2003, at 5:00 PM, Leon Sonntag wrote:

maybe somebody can see something I missed

“BM” == Bill McGonigle bill@zettabyte.net writes:

BM> Hi, Leon,
BM> To the best of my knowledge you can’t do virtualhosting with SSL.

yes, you can. you cannot do name-based virtuals – they must be
IP-based as you’ve pointed out.

You can mix and match name-based and IP based virtuals on the same
httpd.

Vivek Khera wrote:

“BM” == Bill McGonigle bill@zettabyte.net writes:

BM> Hi, Leon,
BM> To the best of my knowledge you can’t do virtualhosting with SSL.

In fact, most SSL is done in a virtual host container (at least with
apache, it is).

yes, you can. you cannot do name-based virtuals – they must be
IP-based as you’ve pointed out.

But don’t interpret this to mean that you can have only one SSL host (or
hostname) per IP address. Technically, the only difference between IP-
and name-based hosts is that name-based hosts can share the same port on
the same IP. It’s up to the browser to ask the server for the right
host, otherwise it will serve the default.

This means that you can set up multiple SSL hosts on the same IP if they
listen on different ports:

https://www.example.com (listens on standard port 443)
https://support.example.com:444

Both hostnames resolve to the same IP, but have their own virtual host
container, so they are able to serve up their own certificates. Most
people would want to use the nonstandard port for internal use only,
such as with a trouble ticket system. :wink:
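
The port-based setup described in the message above, as an added example that is not part of the original thread. The address 192.0.2.10, the document root for www.example.com and the certificate file names are placeholders chosen for illustration.

```apache
# Added example: two SSL virtual hosts on one IP address, told apart by port.
# 192.0.2.10 and all certificate/key file names are placeholders (assumptions).

# One listening socket per SSL host.
Listen 192.0.2.10:443
Listen 192.0.2.10:444

# Public site on the standard HTTPS port.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.example.com.key
</VirtualHost>

# Ticket system on a nonstandard port, with its own certificate.
<VirtualHost 192.0.2.10:444>
    ServerName support.example.com
    DocumentRoot /opt/rt3/share/html
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/support.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/support.example.com.key
</VirtualHost>
```

Each container is selected by the IP address and port the client connected to, which the server knows before the SSL handshake starts, so no NameVirtualHost line is involved for these addresses.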

At 09:16 AM 12/8/03, Jorey Bump wrote:

Vivek Khera wrote:

“BM” == Bill McGonigle bill@zettabyte.net writes:

BM> Hi, Leon,
BM> To the best of my knowledge you can’t do virtualhosting with SSL.

In fact, most SSL is done in a virtual host container (at least with
apache, it is).

yes, you can. you cannot do name-based virtuals – they must be
IP-based as you’ve pointed out.

Did not realize that…THNX

But don’t interpret this to mean that you can have only one SSL host (or
hostname) per IP address. Technically, the only difference between IP- and
name-based hosts is that name-based hosts can share the same port on the
same IP. It’s up to the browser to ask the server for the right host,
otherwise it will serve the default.

This means that you can set up multiple SSL hosts on the same IP if they
listen on different ports:

https://www.example.com (listens on standard port 443)
https://support.example.com:444

Both hostnames resolve to the same IP, but have their own virtual host
container, so they are able to serve up their own certificates. Most
people would want to use the nonstandard port for internal use only, such
as with a trouble ticket system. :wink:

Now that I think about it, that bears out. We have another system that
has multiple SSL servers on it.

I think I have some other issues too though because the SSL server starts
and serves pages but only serves the default page. I only have the one SSL
server on that APACHE server. I will make sure that the virtual SSL is
set up as IP based rather than name based though.


Most anything is easy after you’ve done it successfully a few times

Leon Sonntag
Innovative Web Applications
leon at iwa-solutions dot com

On 08/12/2003 10:00 -0500, Vivek Khera wrote:
|>>>>> “BM” == Bill McGonigle bill@zettabyte.net writes:
|
| BM> Hi, Leon,
| BM> To the best of my knowledge you can’t do virtualhosting with SSL.
|
| yes, you can. you cannot do name-based virtuals – they must be
| IP-based as you’ve pointed out.

Of course you can do name based ssl virtual hosting, just cannot have
multiple certificates because the ssl handshake is done before the http
headers are sent, so, you’ll need something like *.domaine.com or * in the
cn of your cert to do it.

Mathieu Arnold

At 09:22 AM 12/10/03, Mathieu Arnold wrote:

On 08/12/2003 10:00 -0500, Vivek Khera wrote:
|>>>>> “BM” == Bill McGonigle bill@zettabyte.net writes:
|
| BM> Hi, Leon,
| BM> To the best of my knowledge you can’t do virtualhosting with SSL.
|
| yes, you can. you cannot do name-based virtuals – they must be
| IP-based as you’ve pointed out.

Of course you can do name based ssl virtual hosting, just cannot have
multiple certificates because the ssl handshake is done before the http
headers are sent, so, you’ll need something like *.domaine.com or * in the
cn of your cert to do it.

THNX, I didn’t realize that certificates allowed Wildcards.

Most anything is easy after you’ve done it successfully a few times

Leon Sonntag
Innovative Web Applications
leon at iwa-solutions dot com