Thanks for the follow up. Interesting.

Nathan Andelin


On May 17, 2021, at 1:00 PM, Pete Helgren <pete@xxxxxxxxxx> wrote:

For now....

Been working with IBM on this issue for the past week or so (Man! IBM support is the BEST!)....in any case, this turns out to be a defect (maybe two). Basically, in my case, the first vhost used an ECDSA key type for the certificate and that is because the new DCM defaults to ECDSA. The problem occurs when the following vhosts are also ECDSA key types. For some reason, the first certificate is the "sticky" one and continues to be presented for all remaining vhosts. UNLESS the following vhosts use RSA key types AND also specify SSLServerCert directive.

So, until they figure out a fix and issue a PTF, use only RSA key types for your certificates AND specify a serverCert directive. Or if you have an ECDSA key type for your first cert, then the other must be RSA and specify SSLServerCert.

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
Twitter - Sys_i_Geek IBM_i_Geek

On 4/2/2021 2:52 PM, Nathan Andelin wrote:
Still on 7.3 here. I’m not at a terminal to check the TR level at the moment.

Nathan Andelin


On Apr 2, 2021, at 12:46 PM, Pete Helgren <pete@xxxxxxxxxx> wrote:

Thanks Nathan. That didn't make a change but it was worth a try. What version of IBM i are you on (7.4 TR2 here)

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Twitter - Sys_i_Geek IBM_i_Geek

On 4/1/2021 5:25 PM, Nathan Andelin wrote:
Pete,

My HTTP configuration is very similar to yours; hosting multiple SSL sites.
Except:

I use an IP address assigned by my ISP rather than * on the VirtualHost
directive.
I don't use the SSLServerCert, nor the ProxyPreserveHost directives.

I don't know if it will make a difference, but thought it might be worth a
try.

Nathan.





On Thu, Apr 1, 2021 at 2:01 PM Pete Helgren <pete@xxxxxxxxxx> wrote:

OK...got most of what I needed working on the HTTP server once I
updated PHP, so I added back my SSL certs through DCM. I have 6
vhosts, 3 of which use SSL. These all worked on my 7.2 box. I grabbed
the http.conf files because it worked so well and I didn't want to lose
the config that worked. It no longer does.

What I discovered a few years back that if you want to use SSL in
virtual host configurations, the secret was using these directives (in
my reverse proxy):

<VirtualHost *:443>
ServerName www.website.com
ServerAlias website.com

SSLEngine On
SSLAppName QIBM_HTTP_SERVER_WEBSITE (From SSL config and assigning
certificate to application)
SSLProtocolDisable SSLv2 SSLv3
SSLServerCert "website" (Actual name of certificate label in DCM)

ProxyPreserveHost on

ProxyPass / http://10.0.10.206:5080/
ProxyPassReverse / http://10.0.10.206:5080/

</VirtualHost>

So, I have three of these and they have identical formats except for the
names and the proxy redirects. So, the SSL is fine on website 1. I get
a "Your connection is not private" error on website 2 because it picks
up the cert from website 1. Website 3 is fine.

So, I thought maybe there is something wrong with the certificate. So I
swapped website 1 and 2 in the listing order. Now the original 2nd
website is listed first. Now the "website 2" that is the first vhost
entry is fine but number 1 is in error, complaining this time the
certificate for website 2 (listed first now) is incorrect. It doesn't
seem to be honoring the SSLAppName or SSLServerCert on the second vhost.
Website 3 is still fine.

It is only those two SSL virtual hosts that have this issue. AND, they
were working before. The third website works fine regardless of the
order the virtual host entries are in. Weirder still, even if I get the
error on the cert on the website, I can go to https://www.ssllabs.com
and test the certificate and it returns the correct certificate for the
correct website and an "A" rating.

Anyone seen this before? I am stumped.....

--
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Twitter - Sys_i_Geek IBM_i_Geek

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.