HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


ronee 6th December 2012 07:29

ispconfig 3.0.4.6 allows SSL to be enabled on multiple sites with same IP
 
Currently with ispconfig v3.0.4.6 it is possible to configure more than one site assigned to the same IP with SSL enabled.

If there is a signed cert on one site and a self-signed cert on another, the results appear to be inconsistent where the SSL data served is a strange hybrid between the two.

I wanted to mention this as imho, ispconfig should only allow SSL to be enabled on a given site if no other sites assigned to that IP have SSL enabled. Changing the IP of an SSL enabled site should also be restricted so that two sites with SSL enabled are not inadvertently assigned to the same IP.

This is particularly important where multiple users have access to various sites (but not all) on a given server; an accidental or unknowing change of IP by one user on an SSL enabled site can cause issues that are not immediately apparent.

till 6th December 2012 08:39

Quote:

If there is a signed cert on one site and a self-signed cert on another, the results appear to be inconsistent where the SSL data served is a strange hybrid between the two.

This depends on the browser that you use. Take a look at Wikipedia and search for sni ssl to get a list of which browsers support SNI.

Besides that, the behaviour of your system depends on the settings that you have made in the ISPConfig interface, and the things you mentioned above are already available; you just have not enabled them. You can disable SNI under System > server config > web if you don't want to allow multiple SSL sites on one IP or if you cannot ensure that all users use an SNI-capable browser, and you can assign an IP address to one customer if you want to ensure that no other customer uses it.

As a general note, I use SNI on several customer servers; it works fine and the results are consistent.

ronee 6th December 2012 12:53

Thanks very much, Till, that makes sense.

One other question about that -- is there a way within ispconfig to control which cert is to be used as the default certificate for those browsers / clients that do not support SNI?

till 6th December 2012 14:40

SNI sites behave the same as non-SSL name-based vhosts. So if no domain matches the site(s), the first site in alphabetical order that uses the same IP address is shown. If you want a specific site to be shown first, just change the domain name.

Example: the site example.com shall be shown first:

1) Change the domain name example.com in the site settings to 000example.com
2) Add example.com as aliasdomain to the site 000example.com
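
The selection rule described in the post above, as an added example that is not part of the thread and is not ISPConfig code: it parses Apache vhost text, groups SSL sites by address, and reports which certificate a client without SNI receives, before and after the 000example.com rename. It assumes vhost file names follow the site's domain name and are read alphabetically as the post describes; the function names, file names and certificate paths are constructed for illustration.

```python
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the first argument of an Apache directive inside a vhost body."""
    m = re.search(r"^[ \t]*" + re.escape(name) + r"[ \t]+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def ssl_sites_by_address(configs):
    """configs maps file name -> vhost text. Files are read in alphabetical
    order (assumption: file names follow the site's domain name), so the first
    entry per address is the site a client without SNI is served."""
    by_addr = {}
    for fname in sorted(configs):
        for addr, body in VHOST_RE.findall(configs[fname]):
            if (directive(body, "SSLEngine") or "").lower() != "on":
                continue  # plain HTTP vhost, no certificate involved
            site = (directive(body, "ServerName"), directive(body, "SSLCertificateFile"))
            by_addr.setdefault(addr, []).append(site)
    return by_addr

def shared_ssl_addresses(configs):
    """Only addresses with more than one SSL site: {addr: (default, [sni_only...])}."""
    return {addr: (sites[0], sites[1:])
            for addr, sites in ssl_sites_by_address(configs).items() if len(sites) > 1}

def vhost(addr, name, cert, alias=None):
    """Build a constructed vhost block for the sample data below."""
    alias_line = f"  ServerAlias {alias}\n" if alias else ""
    return (f"<VirtualHost {addr}>\n  ServerName {name}\n{alias_line}"
            f"  SSLEngine on\n  SSLCertificateFile {cert}\n</VirtualHost>\n")

# Constructed sample: two SSL sites on one IP, one SSL site alone on another.
BEFORE = {
    "example.com.vhost": vhost("192.0.2.10:443", "example.com", "/certs/example.com.crt"),
    "blog.example.org.vhost": vhost("192.0.2.10:443", "blog.example.org", "/certs/selfsigned.crt"),
    "solo.example.net.vhost": vhost("192.0.2.20:443", "solo.example.net", "/certs/solo.crt"),
}
# Same server after the rename from the post: 000example.com with example.com as alias.
AFTER = dict(BEFORE)
del AFTER["example.com.vhost"]
AFTER["000example.com.vhost"] = vhost("192.0.2.10:443", "000example.com",
                                      "/certs/example.com.crt", alias="example.com")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for addr, (default, sni_only) in shared_ssl_addresses(cfg).items():
            print(f"{label}: {addr} non-SNI clients get {default[1]} ({default[0]}); "
                  f"SNI required for {[s[0] for s in sni_only]}")
```
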

forgefan 7th August 2013 18:27

Till, with regard to the article about "Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL", is it possible to activate SNI and use the server's IP address for multiple SNI domains?

In other words, in a situation where the server can only have 1 public IP address, is it possible to use the same IP address for both the ISPConfig SSL (for control panel, webmail and phpmyadmin) as well as for additional SNI SSL domains?

till 7th August 2013 20:21

Yes, but this does not depend on SNI, as ISPConfig listens on a different port.


All times are GMT +2.