[H-GEN] https + apache
Russell Stuart
rstuart at lubemobile.com.au
Fri Jul 18 03:26:35 EDT 2003
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
I have been asked to set up a secure web page, i.e. one accessed with
https. I am using Apache 1.3. I have succeeded in accessing the page
using https, so I have the basics right. There are a number of issues
outstanding however. If anyone could shed some light on them I would be
grateful.

1. I have a number of virtual hosts on the server. These are "Named
   Virtual Hosts". I.e., they all share the same IP and so are
   differentiated by host name only. It appears this does not work
   when using SSL - you can only use IP-based virtual hosts with it.
   I am guessing this is because:

   a. The SSL protocol is negotiated before any data is sent, and
   b. Part of the SSL protocol negotiation is an X509 cert, and
   c. The X509 cert must contain the HTTP server's host name.

   This implies that the HTTP server must know what virtual host is being
   accessed before any data is exchanged, and in particular before
   it sees the "Host: xxx" directive in the HTTP header. There is only
   one way it can do this: via the incoming IP address (addr,port)
   the client used.

   If my understanding is right then there is no fix for this (so
   there is no point looking for one).

2. This can be classified under the heading: "Faint Hope". In the
   user manual for mod_ssl it has a diagram that implies sending the
   server's X509 cert is optional. See figure 1 in:

   http://www.modssl.org/docs/2.8/ssl_intro.html

   I am guessing it is optional for SSL, but HTTPS requires it. Is
   that right?

   All my questions arise from this f#*$)*! X509 cert. If I could get
   rid of it then life would be easy. It's all the more frustrating
   because I don't see how it raises the security of HTTPS. Its sole
   function seems to be yet another dismal failure from Netscape in
   its attempt to build a business.

3. For now I have created a self signed X509 cert that expires in
   2038. (Using openssl I can't create one that works beyond that
   magical date. Let's see .. yes I will be retired by then, so that
   is OK.) And as a consequence my browser pops up a window that says
   it's "not safe" (as if it would be any safer if some company on the
   other side of the globe had signed it).

   If I don't want the "unsafe" message then I need a trusted root CA
   to sign my cert. I can see 3 ways of going about this (are there
   any more?). Way 1 would be to issue my own root cert - i.e.
   become a CA myself. I could then sign as many certs as I liked
   without having to pay for them. This would be nice, as I have
   a number of other servers (pop3s, imaps) on other hosts that should
   be using "real" certs, not self signed ones. It bugs me no end to
   have my user's pop3s client say _my_ pop3s server is unsafe. This
   raises a number of issues. How do I create a root cert (is there
   a HOWTO somewhere?) How do I download the cert into the browser -
   is there a special mime type? Do I need to provide anything else
   (such as some sort of connection to a CRL server, or something)?

4. The downside to "Way 1" is that the user's browser should bring up
   lots of flashing red lights when they install my shiny new root
   cert. Your average J.Citizen would be deterred by that (I hope).
   One way round that would be to get an existing root provider (such
   as VeriSign) to sign my "root cert". Do they do this sort of
   thing - i.e. provide a cert which I can use to sign other certs? If
   so, do browsers allow such certs to be installed without too much
   fuss? My guess would be no, root CAs don't provide such a service,
   or if they did it would cost an arm and a leg. And even then the
   browsers would be leery of it.

5. Way 3 is simple, and is probably what I have to do. It's just that
   it irks me a lot that I am forced to do it. I have to pay VeriSign
   or some similar company money every year for each host / server I need
   a cert for.

If there was some technical advantage for having the X509 cert embedded
in SSL then my level of frustration would drop. I am damned if I can
see it however. Can anybody tell me how having it there raises the
security of SSL as it is used in the current crop of HTTPS / POP3S /
IMAPS / SMTPS clients?
--
Russell
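
The ordering argued in point 1, checked with Python's standard `ssl` module; this is an added example, not part of the original post. It captures what a client puts on the wire before the server has replied, assuming a client that sends no host name in its handshake (`www.example.com` and the request are constructed samples).

```python
import ssl

REQUEST = b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"  # constructed sample

def make_client():
    """TLS client wired to in-memory buffers instead of a socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # there is no peer to verify in this offline demo
    ctx.verify_mode = ssl.CERT_NONE
    to_client, from_client = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Assumption: server_hostname=None, so the handshake carries no host name
    # (the situation the post describes).
    return ctx.wrap_bio(to_client, from_client, server_hostname=None), from_client

def first_flight():
    """Bytes the client sends before the server has said anything."""
    tls, from_client = make_client()
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # client now waits for the server's reply, which carries its certificate
    return from_client.read()

def describe(flight):
    """Parse the TLS record header and handshake header of the first flight."""
    if len(flight) < 9:
        raise ValueError("too short for a TLS handshake record")
    record_len = int.from_bytes(flight[3:5], "big")
    handshake_len = int.from_bytes(flight[6:9], "big")
    return {
        "is_handshake_record": flight[0] == 22,   # record type 22 = handshake
        "is_client_hello": flight[5] == 1,        # handshake type 1 = ClientHello
        "lengths_consistent": record_len == handshake_len + 4
                              and len(flight) >= 5 + record_len,
        "contains_host_header": b"Host:" in flight,
        "contains_host_name": b"www.example.com" in flight,
    }

def request_bytes_sent_before_handshake():
    """Try to send the HTTP request first; report what reaches the wire instead."""
    tls, from_client = make_client()
    try:
        tls.write(REQUEST)
    except ssl.SSLWantReadError:
        pass  # the library starts the handshake rather than sending the request
    wire = from_client.read()
    return wire.count(b"Host:"), describe(wire)["is_client_hello"]
```

With this client, the server has to pick and send its certificate having seen only the ClientHello and the address and port the connection arrived on.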