  #16  
3rd February 2008, 00:30
swan

anyone got the ServerNameIndication TLS to work on ubuntu (gutsy)?

http://www.how2forge.org/enable-mult...on-debian-etch

i tried pbuilding from apt-get source on ubuntu, stable and unstable etch, and any version of apache i could find a diff for the httpd sni patch, i tried keeping to the version and other versions in the same batch of 2.2.x

but i think the problem (guessing by apache logs warn, init) is that openssl was the cause - just doesn't load even tho i _might_ have actually compiled it in both (i.e. a-patched apache, but unable to hook onto the version of openssl - that either had tlsext or not). it prolly needed svn version or something that had properly set up in Configure (as i don't think enable-tlsext was enough, or ./config enable-tlsext or even editing Configure manually adding -DOPENSSL_TLSEXT and removing -DOPENSSL_NO_TLSEXT) well all in my case anyway 0.9.8e-g etch-stable/unstable, ubuntu.

i guess everyone will still have to wait for it to become seamlessly stock standard and keep holding off using mod_gnutls, imho, wtf not yet i wonder. i know this isn't really an ISPC issue, but it relates to the thread above and it's something to watch out for. i.e. wait for seamlessness, or support mod_gnutls in ISPC? *shrug* i'm for waiting personally..

also for above, it's up to you how you look at using the iport ratio, you can smear it all around, but for any n00b reading, yeh trust the docs, and imho you can trust the ISPCrew

question tho, i've removed the ssl 1 per host limit in ISPC (as in the link above), waiting for tlsext but also because you can abuse ratio if you want. so seeing the 1 host makes sense (until apache+openssl+tlsext becomes stock) i could see the main profile being sub.domain.xxx, but sadly you can't have domain.xxx, yeh you can have blank/wildcards in other domains under the same profile, but the main profile can't? i know it's no problem in the big picture, but it's annoying for SSL even if you only kept to the 1 ip limit and wanted to be conventional using https://domain.xxx instead of https://sub.domain.xxx

there's a placeholder in the gui for other fields in the ssl cert gen, any chance of adding an option to override the auto default for ssl CN? otherwise i guess i'll have to keep manually doing it for now?