Koozali.org: home of the SME Server

Ibays and certificates

renwald

Ibays and certificates
« on: September 15, 2003, 09:42:29 PM »
Hello all!

I have created several test stores using OSCommerce that I'd like to enable.  Searching the forum yields some certificate info but nothing related to ibays.  Specifically, I'd like to ask:
1) Has anyone setup a secure site with a virtual domain (ibay) using a certificate from a CA (verisign, etc.)?  I remember some issue with the certificate not matching the site address before SSL is activated, but can't find that reference anymore...  
2) If it isn't possible to have certificates for individual virtual domains/ibays, is it possible to setup OSCommerce (or any other app) to point to a single shared certificate on the SME server?  Even if they are running in an ibay?  I'd be most interested in how to setup OSC, but others may find a generic response useful.
3) Anticipating 'host your sites at a provider with these services' type responses, please bear in mind that I am trying to learn the ropes in this wonderful new OSS/Linux world that I've discovered and I'm sure others would benefit from advice on if SME is the wrong environment to try to do this kind of stuff.

Please provide answers (if there are any) in a step-by-step type format if possible as I wouldn't consider myself as a Linux expert by any means.  Thanks in advance for your help.

Boris

Re: Ibays and certificates
« Reply #1 on: September 16, 2003, 04:27:38 AM »
I think you can only have one cert per IP. Your SME is using a single IP and you will not be able to use more than one certificate on it.
I would be glad to be wrong on it. ;-(
Boris.

Gregory Baird

Re: Ibays and certificates
« Reply #2 on: September 17, 2003, 03:19:32 AM »
You can only use your cert for your domain name; IP addresses don't matter.

Dan Brown

Re: Ibays and certificates
« Reply #3 on: September 17, 2003, 04:04:55 AM »
Well, yes, certificates are issued for a host name and not for an IP address.  However, the way https works is that the SSL negotiation takes place before the host name is sent, so a host listening on a given IP address can only use a single cert.  Multiple hostnames can be assigned to that IP address, but clients seeking any of those hosts will get the same cert (and unless the host they're requesting is the one the cert is issued for, they'll get an error message).
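Dan's point is that the certificate has to be chosen before any HTTP header is readable. The following is an added example, not code from this thread or from SME Server: it constructs a TLS ClientHello in memory (sample bytes, no network) and parses out the only cleartext fields a server has at that moment. There is no Host header in it, so with the handshake as the thread describes it the server can only key its certificate choice on the local IP:port pair. The one addition to that picture is the Server Name Indication extension (RFC 6066, extension type 0), which carries the requested hostname in cleartext in the ClientHello; it was not in common browser use when this thread was written, so the code treats it as optional and falls back to IP:port exactly as the port-based workaround below requires. The certificate file names and addresses are placeholders.

```python
"""Added example: which cleartext fields a TLS server can use to pick a
certificate. Builds a ClientHello record in memory and parses it back."""
import struct


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0-style ClientHello record (constructed sample
    data, not a capture). If server_name is given, a Server Name Indication
    extension (RFC 6066, type 0) is appended; otherwise there are no extensions."""
    client_random = bytes(range(32))
    session_id = b""
    cipher_suites = b"\x00\x2f\x00\x35"  # TLS_RSA_WITH_AES_128_CBC_SHA, ..._256_...
    compression = b"\x00"                # null compression only
    body = b"\x03\x01" + client_random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += bytes([len(compression)]) + compression
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list   # extension type 0 = SNI
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the routing-relevant cleartext fields of a ClientHello record.
    Note what is absent: no URL, no Host header, nothing from HTTP at all."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = body[pos:pos + 2]; pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                        # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    sni = None
    if pos < len(body):                         # extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == 0:
                p = 2                           # skip ServerNameList length
                while p + 3 <= len(edata):
                    ntype = edata[p]
                    nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                    name = edata[p + 3:p + 3 + nlen]
                    p += 3 + nlen
                    if ntype == 0:
                        sni = name.decode("ascii")
    return {"version": version.hex(), "cipher_suites": suites, "sni": sni}


def pick_certificate(local_addr, record, by_addr, by_name):
    """Model server-side certificate selection. by_addr maps (ip, port) to a
    certificate (the port-based scheme from the thread); by_name maps hostname
    to a certificate and is only usable when the client actually sent SNI."""
    hello = parse_client_hello(record)
    if hello["sni"] and hello["sni"] in by_name:
        return by_name[hello["sni"]]
    return by_addr.get(local_addr)


if __name__ == "__main__":
    # Placeholder address, ports and certificate names.
    by_addr = {("192.168.1.1", 443): "store1.crt", ("192.168.1.1", 445): "store2.crt"}
    by_name = {"store2.example": "store2.crt"}
    legacy = build_client_hello()                        # no SNI: only IP:port helps
    print(parse_client_hello(legacy))
    print(pick_certificate(("192.168.1.1", 445), legacy, by_addr, by_name))
    modern = build_client_hello("store2.example")        # SNI present: name wins
    print(pick_certificate(("192.168.1.1", 443), modern, by_addr, by_name))
```

Run it as is; the first selection succeeds only because the client connected to the dedicated port 445, which is the whole reason the thread ends up at one port per secure ibay.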

renwald

Re: Ibays and certificates
« Reply #4 on: September 17, 2003, 04:17:18 AM »
Thanks for the updates but...  has anyone setup an SME server with multiple secure virtual domains hosted in individual ibays?  I seem to recall reading somewhere that virtual hosting solutions using multiple certificates don't work because SSL/TLS handshaking checks the PRIMARY DOMAIN certificate before Apache sees the name based virtual domain info.  Hence, name-based virtual hosting of secure sites is not possible - or is this incorrect (I hope so!)?  SME virtual hosting is name based, is it not?

renwald

Re: Ibays and certificates
« Reply #5 on: September 17, 2003, 04:26:00 AM »
Thanks Dan - you must have posted your note while I was writing mine...
Do you (or anyone else) have any suggestions for how to have individual secure ecommerce sites in an SME environment?

Dan Brown

Re: Ibays and certificates
« Reply #6 on: September 17, 2003, 04:39:33 AM »
I don't think it's possible, not with SME nor with any other system that uses a single IP for multiple hosts.  You'd either need to keep the secure part on a single domain, or instruct the users to ignore the errors.

renwald

Re: Ibays and certificates
« Reply #7 on: September 17, 2003, 04:53:32 AM »
Dan Brown wrote:
>
> I don't think it's possible, not with SME nor with any other
> system that uses a single IP for multiple hosts.  You'd
> either need to keep the secure part on a single domain, or
> instruct the users to ignore the errors.

That's what I thought was the case.  But - is there any merit to looking into modifying the Apache configs to listen on different ports?  I found this reference at Apache.org:
-------
"The reason (name-based virtual hosts don't work) is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the problem is that the SSL session is a separate transaction that takes place before the HTTP session even starts. Therefore all the server receives is an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds that matches the port and IP address.

You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then you can have no more than 1 SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

NameVirtualHost 192.168.1.1:80

Other workaround solutions are:

- Use separate IP addresses for different SSL hosts.
- Use different port numbers for different SSL hosts."
---------

In particular the last workaround - using different ports - would that be extremely difficult in this environment?

renwald

Re: Ibays and certificates
« Reply #8 on: September 17, 2003, 05:50:02 AM »
Regarding the last post, it seems that the request posted in this thread:

http://forums.contribs.org/index.php?topic=19492.msg77130#msg77130

might serve this purpose.   If others think this might be a viable solution, perhaps we should add it to the wish list?

Dan Brown

Re: Ibays and certificates
« Reply #9 on: September 17, 2003, 06:44:05 AM »
Hmmm, I guess using different ports might work.  It'd definitely involve some altered template files, of course.  What I'm not sure of (as I'm not intimately familiar with how apache handles ssl) is whether this could all be done in httpd.conf, or if you'd need a new apache instance with a separate config file to handle the different cert.

Of course, using non-standard ports can cause problems with users accessing from behind firewalls.  Just something to keep in mind.

renwald

Re: Ibays and certificates
« Reply #10 on: September 17, 2003, 07:42:49 AM »
It appears that individual ports may be the way to go.  I came across this from an excellent thread in the apache-modssl list from an Owen Boyle... (http://marc.theaimsgroup.com/?l=apache-modssl&m=102801283227881&w=2)
=======================
"
> I would like to clear up port-based hosting for mod-ssl:
>
> 1. https looks for port 443, but you can change that to any port with
> modification to the apache configure file and also as long as you
> specify the port in the url (https://sample.com:445).

Exactly correct. You need to say "Listen 445" in the config and define a VH like "<VirtualHost 192.168.1.1:445>". Then you have to use the port in the URL, as you show (to a browser, "https" means "establish an SSL session with the following server; unless the port is specified, use port 443").

>
> 2. Mod-ssl does not work for name based hosting...

Kind of the other way around: NBVHing doesn't work with SSL. The reason is that SSL encrypts all the contents of the TCP/IP packet so the traffic has to be routed using only TCP/IP attributes, i.e. IP address and Port number. The "Host" header (which is needed for NBVHing) is an HTTP attribute, i.e. it is inside the packet and so is encrypted so you can't use it to route packets.

> We must use ports in order for it to work.

Yes-ish.. You must distinguish SSL VHs by TCP/IP attributes, i.e. each VH must have a unique IP address:Port pair.

> 3. Can you specify more than one port to bind https? What if your only
> have 1 ip address and 10 different domain names.  What do you
> do then?  
> Place the domain names behind you firewall and use a class a,b or c ip
> addresses?

You'd have to use 10 different ports. But you would have to specify the ports in the public URLs. I'm not sure what you're getting at with the FW idea... You can't get away with address translation in the FW adding on the port numbers since the packets are already encrypted when they arrive at the FW.

Having said that, I was astonished some months ago when someone reported a hardware gadget which could route SSL traffic by hostname. It is a kind of SSL router which you put between your server and the internet. I don't know how it works - maybe you have to give it your private server keys so it can decrypt the incoming traffic. I've also forgotten what it was called! Search the archives on this list for SSL routers, hardware etc..

Maybe someone else can remember the link to this gadget?

> 4.  If mod-ssl can be placed on more any one port what does the config
> file look like, I keep getting errors.  All the docs I've read
> said that name-based virtual do not work.

Because they don't.

> They do not say that multiple
> ports can not be specified.

Because they can:

Listen 192.168.1.1:445
<VirtualHost 192.168.1.1:445>
  SSLEngine on
  SSLCertificateFile ...
  SSLCertificateKeyFile ...
  DocumentRoot ...
  etc..
</VirtualHost>

Listen 192.168.1.1:446
<VirtualHost 192.168.1.1:446>
  SSLEngine on
  SSLCertificateFile ...
  SSLCertificateKeyFile ...
  DocumentRoot ...
  etc..
</VirtualHost>

Note: no need for "NameVirtualHost", no need for "ServerName".  "

======================

It does seem that this is the right track.  I'd get going on trying this now if I was sure of my skills in template mods, but I'm not.  I added something about this to the wish list, as it would be nice if the virtual host script in server-manager would add the port numbers and modify the apache config files as shown above automagically.  If you agree that this would be useful, cast your vote on the wish list thread.  If someone else wants to help with the mods or work on a contribution / how-to to accomplish this, I'll help any way I can.

Sorry about the long post, but I hate having to travel to multiple links just to get the gist of a post...
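The wish at the end of the post, a script that hands each secure ibay its own port and writes the matching mod_ssl blocks, is what the following added example sketches. It is not SME Server code and not part of the thread; it generates exactly the shape of configuration Owen Boyle showed above (one Listen plus one <VirtualHost ip:port> per certificate, no NameVirtualHost, no ServerName needed) and enforces the rule his reply states: every SSL virtual host must have its own IP:port pair, because two hosts on the same pair would silently serve the first host's certificate. Port 443 is kept reserved for the primary domain that SME already serves. The ibay names, domains, certificate paths and document roots are constructed sample data, and the docroot layout is an assumption rather than a statement about SME's templates.

```python
"""Added example: allocate one TCP port per secure ibay and render the
port-based mod_ssl virtual hosts described in the thread."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SecureIbay:
    name: str
    domain: str
    cert_file: str
    key_file: str
    docroot: str
    port: Optional[int] = None   # None means "allocate one for me"


def sample_ibays():
    """Constructed sample data; paths are hypothetical, not SME Server's layout."""
    return [
        SecureIbay("store1", "store1.example", "/etc/ssl/store1.crt",
                   "/etc/ssl/store1.key", "/home/e-smith/files/ibays/store1/html"),
        SecureIbay("store2", "store2.example", "/etc/ssl/store2.crt",
                   "/etc/ssl/store2.key", "/home/e-smith/files/ibays/store2/html"),
    ]


def allocate_ports(ibays, first_port=444, reserved=(443,)):
    """Give every ibay a unique port. Explicitly requested ports are honoured;
    a duplicate, or a port in `reserved` (443 stays with the primary domain),
    raises ValueError rather than producing two SSL hosts on one IP:port."""
    used = set(reserved)
    for ib in ibays:
        if ib.port is not None:
            if ib.port in used:
                raise ValueError(f"{ib.name}: port {ib.port} already in use")
            used.add(ib.port)
    nxt = first_port
    for ib in ibays:
        if ib.port is None:
            while nxt in used:
                nxt += 1
            ib.port = nxt
            used.add(nxt)
    return {ib.name: ib.port for ib in ibays}


def render_vhost(ip, ib):
    """One Listen plus one VirtualHost block, keyed on ip:port only."""
    return "\n".join([
        f"Listen {ip}:{ib.port}",
        f"<VirtualHost {ip}:{ib.port}>",
        f"    DocumentRoot {ib.docroot}",
        "    SSLEngine on",
        f"    SSLCertificateFile {ib.cert_file}",
        f"    SSLCertificateKeyFile {ib.key_file}",
        "</VirtualHost>",
        "",
    ])


def render_config(ip, ibays):
    """Allocate ports, then render the full fragment to append to httpd.conf.
    Port 443 is never emitted here; the existing server-wide SSL host keeps it."""
    allocate_ports(ibays)
    return "\n".join(render_vhost(ip, ib) for ib in ibays)


def https_urls(ibays):
    """The URLs that must be published: the port is mandatory unless it is 443,
    since browsers only default https to 443."""
    return {
        ib.name: (f"https://{ib.domain}/" if ib.port == 443
                  else f"https://{ib.domain}:{ib.port}/")
        for ib in ibays
    }


if __name__ == "__main__":
    ibays = sample_ibays()
    print(render_config("192.168.1.1", ibays))   # placeholder server address
    for name, url in https_urls(ibays).items():
        print(f"{name}: {url}")
```

Two caveats a practitioner would add before using something like this on a real box: the generated fragment still has to go through SME's template system rather than straight into httpd.conf, or the next template expansion will overwrite it, and, as Dan noted, each non-standard port has to be reachable through whatever firewalls sit between the customers and the server.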