Condor70

Why can't I use <VirtualHost *:443>

‏2011-09-29T11:31:24Z |
I configured my IBM HTTP Server for iSeries as follows:

LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
NameVirtualHost *
Listen *:443 https
...
# VirtualHost using *
<VirtualHost *:443>
ServerName www.myserver.com
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSERVER
...
</VirtualHost>

But this resulted in an invalid SSLv3 response from the server.

After some trial and error I did find out that the following works:

LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM
NameVirtualHost *
Listen *:443 https
...
# VirtualHost for exact IP address of each network card
<VirtualHost 10.0.0.1:443>
ServerName www.myserver.com
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSERVER
...
</VirtualHost>
<VirtualHost 10.0.0.2:443>
ServerName www.myserver.com
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSERVER
...
</VirtualHost>
<VirtualHost 10.0.0.3:443>
ServerName www.myserver.com
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSERVER
...
</VirtualHost>

This works, but it's not really ideal, because I have to repeat the entire VirtualHost configuration several times.

Is this the only solution or did I configure something incorrectly?
  • SystemAdmin

    Re: Why can't I use <VirtualHost *:443>

    ‏2011-09-29T14:12:48Z  
    Not sure if there are iSeries-specific issues here, but note that the argument to <VirtualHost> has to exactly match the argument to NameVirtualHost to have it actually be a NameVirtualHost. In both of your examples, the SSL vhosts would not be name-based virtual hosts.

    Was the invalid SSL response an HTTP error message or really SSLv3 but w/o your configuration?

    Again, iSeries aside -- this symptom somewhat implies another port 443 vhost existing that matched better than the wildcard *:443 but not the specific IP addresses.
  • Condor70

    Re: Why can't I use <VirtualHost *:443>

    ‏2011-09-29T16:08:42Z  
    Not shown in the example, but I have other vhosts on port 80 that work just fine, e.g.

    <VirtualHost *:80>
    ServerName www.myserver.com
    RewriteEngine On
    RewriteRule ^(.*)$ https://www.myserver.com$1 R,L
    ...
    </VirtualHost>
    <VirtualHost *:80>
    ServerName www.otherserver.com
    ...
    </VirtualHost>

    1. The Apache documentation is a bit cryptic on what NameVirtualHost and VirtualHost actually do. I have a single server with multiple network cards that is serving websites on multiple domains. Did I configure IHS correctly?

    2. No, it was a real SSL error. The server replied to the browser's ClientHello message with an "Invalid message" SSLv3 response.

    3. I suspected that too, but as I said, I only have <VirtualHost *:80> entries besides the <VirtualHost *:443> entry I wanted to add.
  • Sunit

    Re: Why can't I use <VirtualHost *:443>

    ‏2011-09-30T15:08:35Z  
    NameVirtualHost is meant to share one instance of the HTTP server among different names. In a shared environment you might want to use a single IP address with different names configured in the DNS server and, at the same time, have a slightly different configuration for each server.

    www.server1.com, www.server2.com and www.server3.com all resolve to the same IP address but each serves different content.

    If you have a server with multiple network cards and you want to serve differently named websites on each IP address, then use the VirtualHost directive bound to the specific IP address. This is very important when configuring SSL, because the SSL handshake happens before HTTP communication takes place, so the server name used by the browser is not known at that time and the server will use the SSL certificate used with that specific network interface.

    To debug the SSL error message please post your actual configuration.

    • Sunit
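
The two rules stated in the replies above, as an added example that is not part of the thread or of IBM's tooling: a small Python check that marks a <VirtualHost> as name-based only when its argument exactly matches a NameVirtualHost argument, and reports addresses where SSL virtual hosts with different ServerNames share one address (where the certificate is chosen before the requested name is known). SAMPLE is constructed from the configuration quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the configuration posted in this thread.
SAMPLE = """\
NameVirtualHost *
<VirtualHost *:443>
ServerName www.myserver.com
SSLEngine On
</VirtualHost>
<VirtualHost *:80>
ServerName www.myserver.com
</VirtualHost>
<VirtualHost *:80>
ServerName www.otherserver.com
</VirtualHost>
"""

def parse(conf):
    """Return (set of NameVirtualHost arguments, list of vhost dicts)."""
    nvh, vhosts, cur = set(), [], None
    for line in (l.strip() for l in conf.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        words = line.split()
        if opened:
            cur = {"addrs": opened.group(1).split(), "name": None, "ssl": False}
            vhosts.append(cur)
        elif line.lower().startswith("</virtualhost"):
            cur = None
        elif len(words) >= 2 and words[0].lower() == "namevirtualhost":
            nvh.add(words[1])
        elif cur and len(words) >= 2 and words[0].lower() == "servername":
            cur["name"] = words[1]
        elif cur and len(words) >= 2 and words[0].lower() == "sslengine":
            cur["ssl"] = words[1].lower() == "on"
    return nvh, vhosts

def classify(conf):
    """(address, ServerName, name_based) per vhost; exact argument match only."""
    nvh, vhosts = parse(conf)
    return [(a, v["name"], a in nvh) for v in vhosts for a in v["addrs"]]

def ssl_name_conflicts(conf):
    """Addresses where SSL vhosts with different ServerNames share one address."""
    names = {}
    for v in parse(conf)[1]:
        if v["ssl"]:
            for a in v["addrs"]:
                names.setdefault(a, set()).add(v["name"])
    return {a: sorted(n) for a, n in names.items() if len(n) > 1}
```

Run over SAMPLE, `classify` reports every virtual host as not name-based, because `*` is not an exact match for `*:443` or `*:80`.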