Linux HackFest Series: Evil /etc/hosts file
Alex Dean
alex at crackpot.org
Fri Dec 12 09:26:38 MST 2008
On Dec 11, 2008, at 8:25 PM, Lisa Kachold wrote:
> It's just as easy to set the server hostname and ip address statically
> to a standard hosts file? Name based virtualhosting still works!
>
> For 443 certificate based virtuals, you MUST have your SSL cert FQDN
> match the csr, and crt.
Kinda. You can't really do name-based virtual hosting w/ SSL, at
least not with openssl as I know it. SSL vhosts in Apache are based
on IP address only.
When doing https, the SSL key negotiation between client & server
happens before the client tells the server what resource/page/image it
wants. Apache won't know what site you want to view until after this
has been done. The IP address is about all Apache has to go on when
selecting which certificate to use to decrypt the client's request.
This is why you can't have more than 1 SSL site on the same IP:port.
I believe that if you set up an SSL VirtualHost with a ServerName
parameter, Apache resolves that name into an IP at startup time, and
uses that IP address to determine when to serve content from that
virtual host.
Putting '127.0.0.1 www.yoursite.com' in /etc/hosts messes up this
process. That's what prompted my reply to your initial email.
Apache won't try to use your certificate because it hasn't received a
request for 127.0.0.1. Most likely, your request will be handled by
the default vhost, which will try to speak plaintext http to a client
expecting https, and you'll get weird client errors containing a bunch
of hex garbage.
alex
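As an added example (not code from the thread), a small Python model of the behaviour described above: an /etc/hosts lookup, IP:port-based SSL vhost selection, and a TLS probe that completes the handshake before any request is sent. The hosts text, the vhost table and the names in it are constructed for illustration.

```python
import socket
import ssl

# Constructed /etc/hosts text showing the override discussed in the thread.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
127.0.0.1    www.yoursite.com    # local override of the public name
192.0.2.10   www.yoursite.com
"""

# Constructed SSL vhost table (ip, port, ServerName); the first entry is the default.
SAMPLE_VHOSTS = [
    {"ip": "192.0.2.10", "port": 443, "name": "www.yoursite.com"},
    {"ip": "192.0.2.11", "port": 443, "name": "shop.yoursite.com"},
]

def hosts_addrs(hosts_text, name):
    """Addresses an /etc/hosts-style text maps `name` to, first match first."""
    addrs = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and name.lower() in (f.lower() for f in fields[1:]):
            addrs.append(fields[0])
    return addrs

def select_ssl_vhost(vhosts, ip, port=443):
    """Model IP-based SSL vhost selection: the certificate is picked by the
    IP:port the client connected to, never by the name the client wanted.
    Returns None when no SSL vhost listens on that socket (plaintext default)."""
    for vh in vhosts:
        if vh["ip"] == ip and vh["port"] == port:
            return vh
    return None

def probe_tls(ip, port, expected_name, timeout=5):
    """Handshake first (as a browser does, before any HTTP request) and classify
    what ip:port presents for expected_name: 'ok', 'cert-mismatch' or 'not-tls'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
                tls.getpeercert()  # already verified against expected_name
        return "ok"
    except ssl.SSLCertVerificationError:
        return "cert-mismatch"  # another vhost's certificate answered on this IP:port
    except ssl.SSLError:
        return "not-tls"        # e.g. a plaintext default vhost answered
```

With the sample data, `www.yoursite.com` resolves to 127.0.0.1 first, no SSL vhost listens there, and the probe against that address would report the plaintext failure rather than the site's certificate.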