Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > General

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 6th December 2012, 07:29
ronee ronee is offline
HowtoForge Supporter
 
Join Date: Oct 2006
Posts: 33
Thanks: 0
Thanked 2 Times in 2 Posts
Default ispconfig 3.0.4.6 allows SSL to be enabled on multiple sites with same IP

Currently with ispconfig v3.0.4.6 it is possible to configure more than one site assigned to the same IP with SSL enabled.

If there is a signed cert on one site and a self signed cert on another, the results appear to be inconsistent where the SSL data served is a strange hybrid between the two.

I wanted to mention this as imho, ispconfig should only allow SSL to be enabled on a given site if no other sites assigned to that IP have SSL enabled. Changing the IP of an SSL enabled site should also be restricted so that two sites with SSL enabled are not inadvertently assigned to the same IP.

This is particularly important where multiple users have access to various sites (but not all) on a given server, an accidental or unknowing change of IP by one user on an SSL enabled site can cause issues that are not immediately apparent.
Reply With Quote
Sponsored Links
  #2  
Old 6th December 2012, 08:39
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 36,395
Thanks: 833
Thanked 5,490 Times in 4,322 Posts
Default

Quote:
If there is a signed cert on one site and a self signed cert on another, the results appear to be inconsistent where the SSL data served is a strange hybrid between the two.
This depends on the browser that you use. Take a look at wikipedia and search for sni ssl to get a list which browsers support sni.

Beside that, the behaviour of your system depends on the settings that you have made in the ispconfig interface and the things you mentioned above are already avilable, you just have not enabled them. You can disable sni under System > server config > web if you dont want to allow multiple ssl sites on one IP or if you can not ensure that all users use a sni capable browser and you can assign a IP address to one customer if you want to ensure that no other customer uses it.

As a genaral note, I use sni on several customer servers, it workks fine and the results are consistent.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 6th December 2012, 12:53
ronee ronee is offline
HowtoForge Supporter
 
Join Date: Oct 2006
Posts: 33
Thanks: 0
Thanked 2 Times in 2 Posts
Default

Thanks very much, Till, that makes sense.

One other question about that -- is there a way within ispconfig to control which cert is to be used as the default certificate for those browsers / clients that do not support SNI?
Reply With Quote
  #4  
Old 6th December 2012, 14:40
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 36,395
Thanks: 833
Thanked 5,490 Times in 4,322 Posts
Default

SNI sites behave the same like non ssl namebased vhosts. So if no domain matches the site(s), the first site in alphabetical order is shown that uses the same IP address. If you want a specific site to be shown first, just change the domain name.

Example the site example.com shall be shown first:

1) Change the domain name example.com in the site settings to 000example.com
2) Add example.com as aliasdomain to the site 000example.com
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #5  
Old 7th August 2013, 18:27
forgefan forgefan is offline
Junior Member
 
Join Date: Nov 2009
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Till, with regard to the article about "Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL", is it possible to activate SNI and use the server's IP address for multiple SNI domains?

In other words, in a situation where the server can only have 1 public IP address, is it possible to use the same IP address for both the ISPConfig SSL (for control panel, webmail and phpmyadmin) as well as for additional SNI SSL domains?
Reply With Quote
  #6  
Old 7th August 2013, 20:21
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 36,395
Thanks: 833
Thanked 5,490 Times in 4,322 Posts
Default

Yes. but This is does not depend on sni as ispconfig listens on a different port.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartS Woodsman HOWTO-Related Questions 7 30th March 2012 18:36
how do I install a SSL cert for a website? mangoo General 3 3rd February 2012 12:46
Php include files dme1409 General 2 16th January 2012 09:55
Ftp problems timeout reny2000 General 6 23rd December 2009 11:09
Can't enable SSL for sites in ISPConfig FeraTechInc General 7 7th December 2009 08:22


All times are GMT +2. The time now is 20:24.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.