2

I have this setup

Server version: Apache/2.2.22 (Ubuntu)
OpenSSL 1.0.1c 10 May 2012

One IP with multiple domains connected to it. For example1.com I have a signed SSL certificate, and thus example1.com is accessible via https://secure.example1.com

This is also true for example2.com (signed with a valid certificate and accessible via https://secure.example2.com)

However, example3.com does NOT have any SSL certificates tied to it, and should not be accessible via https (SSL port 443). But, when a user goes to https://example3.com a warning is shown. In Chrome it looks like this

You attempted to reach example3.com, but instead you actually reached a server identifying itself as secure.example1.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of example3.com

If you disregard the warning, the user will actually be shown the contents of secure.example1.com

The VirtualHost setup looks like this

<VirtualHost *:443>
        ServerName secure.example1.com
        DocumentRoot /var/www/blahblah
        SSLEngine on
        SSLCertificateFile /blahblah.crt
        SSLCertificateKeyFile /blahblah.key
        SSLCertificateChainFile /blahblah.pem
</VirtualHost>

<VirtualHost *:443>
        ServerName secure.example2.com
        DocumentRoot /var/www/blahblah
        SSLEngine on
        SSLCertificateFile /blahblah.crt
        SSLCertificateKeyFile /blahblah.key
        SSLCertificateChainFile /blahblah.pem
</VirtualHost>

<VirtualHost *:80>
        ServerName example3.com
        DocumentRoot /var/www/blahblah
</VirtualHost>

How can I prevent this behaviour?

subZero
  • 123
  • 4
  • I think this explains 1 or 2 things: http://serverfault.com/questions/126554/multiple-domains-with-ssl-on-same-ip – Koen van der Rijt Jun 06 '14 at 12:31
  • 1
    what exactly do you want to have happen? just not redirecting to https://example1.com? then you need another defaul vhost. no Cert warning? then you need a valid cert. Disable usage of example3 https port, define a virtual host with an information for the user. (Cert warning will be there , see Felix Franks answer) Abort connection altogether? Use iptables. – Dennis Nolte Jun 06 '14 at 12:44

2 Answers2

6

Non-SSL domains should not use this IP. Even for multiple SSL-capable domains, you rely on clients to implement SNI without issue, which may or may not be a safe assumption.

The problem is that before Apache can redirect the browser to HTTP, an SSL handshake has to succeed, so if you cannot provide a valid certificate for the domain, the clients will always claim SSL errors.

Edit: Multiple SSL domains will work without issue if you use just one certificate with appropriate SANs (multidomain certificate). The issue with non-SSL domains remains, though.

Felix Frank
  • 3,063
  • 1
  • 15
  • 22
2

As Koen van der Rijt already wrote you should check SF for similiar questions and read the answers carefully.

  apache2ctl -S

gives you the order of vhost "execution"

so your example1.com is the first port :443 defined domain then this one will be used.

Instead you could either make a f.e. self signed cert and inform the user that this domain does not have a https connection right now or do a rewrite_rule which redirects the traffic from https://domain3.com to http://domain3.com. Note that this would need an "invalid" cert and will inform the user.

If you dont use SNI, you additionally need at least 1 IP per Cert.

Dennis Nolte
  • 2,848
  • 4
  • 26
  • 36