Bug 1295490
| Field | Value |
|---|---|
| Summary | [RFE] Add server-side Server Name Indication (SNI) support |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Robert Bost <rbost> |
| Component | mod_nss |
| Assignee | Matthew Harmsen <mharmsen> |
| Status | CLOSED ERRATA |
| QA Contact | Kaleem <ksiddiqu> |
| Severity | high |
| Docs Contact | Aneta Šteflová Petrová <apetrova> |
| Priority | high |
| Version | 6.6 |
| CC | akasurde, aogburn, arubin, brian, cww, dpal, emaldona, eparis, jorton, kengert, mharmsen, mhernon, nkinder, qe-baseos-security, rbost, rcritten, rrelyea, salmy |
| Target Milestone | rc |
| Keywords | FutureFeature |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | mod_nss-1.0.10-5.el6 |
| Doc Type | Release Note |
| Doc Text | mod_nss now supports server-side SNI. This update adds server-side Server Name Indication (SNI) support to the *mod_nss* package. |
| Story Points | --- |
| Clone Of | 1053327 |
| | 1400745 (view as bug list) |
| Environment | |
| Last Closed | 2016-05-10 19:41:23 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1053327 |
| Bug Blocks | 101652 |
| Attachments | |
Comment 10
Matthew Harmsen
2016-01-19 04:19:57 UTC
Instructions for testing.

Set up a separate location to serve the SNI data:

```
# mkdir /var/www/sni1
# vi /var/www/sni1/index.html
<html>
<body>
<h1>SNI Works!</h1>
</body>
</html>
```

Create basic content for the web server:

```
# vi /var/www/html/index.html
<html>
<body>
<h1>Welcome to Apache</h1>
</body>
</html>
```

Update /etc/hosts and add in www1.example.com and www2.example.com as an alias for your host IP (or use DNS if you'd rather).

```
# service httpd stop
```

Generate a new cert. You can add -z </path/to/some/file> to not require user interaction:

```
# certutil -d /etc/httpd/alias -S -n "Server-Cert-www1.example.com" -s "CN=www1.example.com,O=example.com,C=US" -c "cacert" -t "u,u,u" --nsCertType sslServer --keyUsage keyEncipherment -8 www1.example.com
```

Create a PEM copy of the CA:

```
# certutil -d /etc/httpd/alias -L -n cacert -a > /etc/httpd/alias/ca.pem
```

Apply the attached diff to /etc/httpd/conf.d/nss.conf to add in the SNI configuration.

```
# service httpd start
```

Test basic SSL support:

```
# curl --cacert /etc/httpd/alias/ca.pem -v https://`hostname`:8443/
```

Your output should be a 200 status and contain "Welcome to Apache". Logs should be something like:

```
[date] [debug] nss_engine_init.c(1883): SNI: Found nickname Server-Cert for vhost: somehost
[date] [debug] nss_engine_init.c(1905): SNI: Successfully paired vhost somehost with nickname: Server-Cert
[date] [debug] nss_engine_kernel.c(93): SNI request for somehost
```

Test SNI:

```
# curl --cacert /etc/httpd/alias/ca.pem -v https://www1.example.com:8443/
```

Your output should be a 200 status and contain "SNI Works!". Logs should be something like:

```
[date] [debug] nss_engine_init.c(1883): SNI: Found nickname Server-Cert-www1.example.com for vhost: www1.example.com
[date] [debug] nss_engine_init.c(1905): SNI: Successfully paired vhost www1.example.com with nickname: Server-Cert-www1.example.com
```

Test an SNI request for a VH that isn't configured:

```
# curl -kv https://www2.example.com:8443/
```

You should get "Welcome to Apache" as it should fall back to the default VH. Logs should look something like:

```
[date] [debug] nss_engine_init.c(1860): SNI: No matching SSL virtual host for servername www2.example.com found (using default/first virtual host)
[date] [debug] nss_engine_kernel.c(93): SNI request for www2.example.com
[Tue Jan 19 10:35:04 2016] [info] Initial (No.1) HTTPS request received for child 4 (server somehost:8443)
```

Most of the SNI-related logging starts with SNI: so it should be easy to pull out of the logs.

Created attachment 1116259 [details]
Configuration file diff to add an SNI virtualhost
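As an added example (not part of the bug report or of mod_nss itself), the script below turns the `SNI:` debug lines quoted in the test instructions into vhost-to-nickname pairings and fallbacks, and offers a Python counterpart of the curl checks that sends a chosen servername in the TLS SNI extension and reports which certificate CN came back. The sample log is constructed from the lines in the comment; `probe_sni` assumes a reachable mod_nss server such as the one set up above.

```python
import re
import socket
import ssl

# Constructed sample, shaped like the mod_nss LogLevel debug lines quoted in comment 10.
SAMPLE_LOG = """\
[date] [debug] nss_engine_init.c(1905): SNI: Successfully paired vhost somehost with nickname: Server-Cert
[date] [debug] nss_engine_init.c(1905): SNI: Successfully paired vhost www1.example.com with nickname: Server-Cert-www1.example.com
[date] [debug] nss_engine_kernel.c(93): SNI request for www1.example.com
[date] [debug] nss_engine_init.c(1860): SNI: No matching SSL virtual host for servername www2.example.com found (using default/first virtual host)
[date] [debug] nss_engine_kernel.c(93): SNI request for www2.example.com
"""
PAIRED = re.compile(r"SNI: Successfully paired vhost (\S+) with nickname: (\S+)")
FALLBACK = re.compile(r"SNI: No matching SSL virtual host for servername (\S+) found")
REQUEST = re.compile(r"SNI request for (\S+)")

def summarize_sni_log(text):
    """Map vhost -> cert nickname, plus servernames that fell back and those requested."""
    pairings, fallbacks, requests = {}, set(), []
    for line in text.splitlines():
        if m := PAIRED.search(line):
            pairings[m.group(1)] = m.group(2)
        elif m := FALLBACK.search(line):
            fallbacks.add(m.group(1))
        elif m := REQUEST.search(line):
            requests.append(m.group(1))
    return pairings, fallbacks, requests

def served_by(text, servername):
    """Nickname of the cert a given SNI name was answered with, "default" if
    mod_nss fell back to the first vhost, None if the name never appears."""
    pairings, fallbacks, _ = summarize_sni_log(text)
    if servername in pairings:
        return pairings[servername]
    return "default" if servername in fallbacks else None

def probe_sni(host, port, servername, cafile=None):
    """Python counterpart of the curl steps: send `servername` in the TLS SNI
    extension and return (subject CN of the presented cert, HTTP status line).
    cafile=None skips verification like `curl -k`, so the CN comes back None."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:  # curl -k: no CA check and no hostname check
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=servername) as tls:
        subject = dict(rdn[0] for rdn in (tls.getpeercert() or {}).get("subject", ()))
        tls.sendall(f"GET / HTTP/1.0\r\nHost: {servername}\r\n\r\n".encode())
        status = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
    return subject.get("commonName"), status
```

Against the setup above, `probe_sni("www1.example.com", 8443, "www1.example.com", "/etc/httpd/alias/ca.pem")` should return the CN `www1.example.com` and a 200 status line, while the www2 name only reaches the default vhost.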
Verified using mod_nss version: mod_nss-1.0.10-5.el6.x86_64

See attachment for steps and console log.

Created attachment 1128165 [details]
console.log
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0751.html