What is the difference between "using the default virtual host" and "using a correctly named virtual host"?

Conclusion: I think I did not match the openssl version when I compiled apache. It works now; I recompiled it against the installed openssl. Thanks for your help, Unbeliever.

Additional information: I found another related setting in server.xml, in the tomcat connector. So when the domain is wrong, tomcat handles each part, and when the domain is not wrong, tomcat and apache handle it at the same time, which may be the problem caused by the different openssl versions.

...or not.


I know this question is strange, but I cannot imagine what the difference is.


Basic information:

The server works fine over http:// connections. (domain: test.domain.com) (Apache 2.2.31, compiled with openssl 1.0.1u; Tomcat 6.0.35, already installed beforehand)

I already have a *.domain.com certificate for https:// connections and am already using it on 'service.domain.com', so "https://service.domain.com" works fine on another server/machine/IP.

Finally, I tried to install SSL for "test.domain.com" to allow https:// connections.


Problem:

I found that..

If I set the '.conf' incorrectly,

#Wrong.conf
<VirtualHost *:443>
    # whatever, but not 'test.domain.com'
    ServerName testy.domain.com
    ....
</VirtualHost>

it works when I connect to https://test.domain.com. (It uses the default VirtualHost; there is only one *:443, and when I remove that virtual host I get an error and cannot connect.) No problem, I get a perfect connection and certificate, and I can read the web page I want.

However, if I set the '.conf' "correctly"

#Correct.conf
<VirtualHost *:443>
    ServerName test.domain.com
    ...
</VirtualHost>

then I cannot connect to https://test.domain.com.

When I check with other tools (e.g. curl --verbose), I get the details.

When I use curl with #Wrong.conf:

* TLSv1.2 (OUT), TLS handshake, Client hello (1)
* TLSv1.2 (IN), TLS handshake, Server hello (2)
* TLSv1.2 (IN), TLS handshake, Certificate ....
....
(and succeed)

When I use curl with #Correct.conf:

* TLSv1.2 (OUT), TLS handshake, Client hello (1)
* Unknown SSL protocol error in connection to test.domain.com:443
* Curl_http_done: called premature == 1
0  0  0  0  0  0  0  0  --:--:-- --:--:-- --:--:--  0
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to test.domain.com:443

The other parts, such as "IP", "TCP_NODELAY", and even the cipher selection and CAfile, are exactly the same (I checked carefully; I did not change them).


So, back to the first question:

Is there any difference between using the "default virtual host" and a "correctly named virtual host"?

Any other suggestions?


Update:

I am sorry for the inconvenience.

When it works with the wrong .conf, apachectl -S shows...

VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80     is a NameVirtualHost
    default server what.test.domain.com (/holy/apache/conf/httpd.conf:573)
    port 80 namevhost what.test.domain.com (/holy/apache/conf/httpd.conf:573)
    port 80 namevhost whatever.test.domain.com (/holy/apache/conf/httpd.conf:580)
    ...
    port 80 namvevhost test.domain.com (/holy/apache/conf/httpd.conf:615)
*:443    is a NameVirtualHost
    default server testy.domain.com (/holy/apache/conf/httpd.conf:541)
    port 443 namevhost testy.domain.com (/holy/apache/conf/httpd.conf:541) 
Syntax OK

When it does not work with the correct .conf, apachectl -S shows...

VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80     is a NameVirtualHost
    default server what.test.domain.com (/holy/apache/conf/httpd.conf:573)
    port 80 namevhost what.test.domain.com (/holy/apache/conf/httpd.conf:573)
    port 80 namevhost whatever.test.domain.com (/holy/apache/conf/httpd.conf:580)
    ...
    port 80 namvevhost test.domain.com (/holy/apache/conf/httpd.conf:615)
*:443    is a NameVirtualHost
    default server test.domain.com (/holy/apache/conf/httpd.conf:541)
    port 443 namevhost test.domain.com (/holy/apache/conf/httpd.conf:541) 
Syntax OK

I did not make two .conf files for this; I just changed the ServerName by hand (so there is no difference anywhere else).


Update: logs

Sorry for being late. I finally found some differences in this problem. Thank you, Unbeliever.

In the "working scenario", I can see what I imagined:

[debug] ssl_engine_kernel.c(1961): [client (**My IP**)] No matching SSL virtual host for servername test.domain.com found (using default/first virtual host)
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 read client hello A
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write server hello A
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write change cipher spec A
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write finished A
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 flush data

...

[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 read finished A
[debug] ssl_engine_kernel.c(1838): OpenSSL: Handshake: done
[info] Connection: Client IP: (**My IP**), Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

But I found many suspicious parts in the "non-working scenario".

1) It starts with a double handshake.

[info] [client (**My IP**)] Connection to child 0 established (server test.domain.com:443)
[info] [client (**My IP**)] Connection to child 1 established (server test.domain.com:443)
[info] Seeding PRNG with 144 bytes of entropy
[info] Seeding PRNG with 144 bytes of entropy
[debug] ssl_engine_kernel.c(1834): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: before/accept initialization
[debug] ssl_engine_kernel.c(1834): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: before/accept initialization

2) A partially successful handshake (this log is from the working scenario)

[debug] ssl_engine_kernel.c(1961): [client (**My IP**)] No matching SSL virtual host for servername test.domain.com found (using default/first virtual host)
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 read client hello A
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write server hello A
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write change cipher spec A
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write finished A
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 flush data
[info] [client (**My IP**)] Connection to child 4 established (server **testy**.domain.com:443)

3) Many segmentation faults

[notice] child pid 4683 exit signal Segmentation fault (11)
[notice] child pid 4684 exit signal Segmentation fault (11)
[notice] child pid 4685 exit signal Segmentation fault (11)
[notice] child pid 4686 exit signal Segmentation fault (11)
[notice] child pid 4687 exit signal Segmentation fault (11)

4) Proxy logs

[debug] proxy_util.c(1901): proxy: grabbed scoreboard slot 0 in child 4727 for worker proxy:reverse
[debug] proxy_util.c(1921): proxy: worker proxy:reverse already initialized
[debug] proxy_util.c(2017): proxy: initialized single connection worker 0 in child 4727 for (*)
[info] [client (**My IP**)] Connection to child 5 established (server test.domain.com:443)
[info] Seeding PRNG with 144 bytes of entropy
[debug] proxy_util.c(1901): proxy: grabbed scoreboard slot 0 in child 4728 for worker proxy:reverse
[debug] proxy_util.c(1921): proxy: worker proxy:reverse already initialized
[debug] proxy_util.c(2017): proxy: initialized single connection worker 0 in child 4728 for (*)
[notice] child pid 4727 exit signal Segmentation fault (11)
[debug] proxy_util.c(1901): proxy: grabbed scoreboard slot 0 in child 4729 for worker proxy:reverse
[debug] proxy_util.c(1921): proxy: worker proxy:reverse already initialized
[debug] proxy_util.c(2017): proxy: initialized single connection worker 0 in child 4729 for (*)
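The selection rule behind the "No matching SSL virtual host for servername ... (using default/first virtual host)" log line can be checked offline. The following is an added example, not code from the question or from Apache: it parses `apachectl -S` output and reports which vhost a given SNI name lands on. The sample output is constructed from the question's listing; ServerAlias is ignored because Apache 2.2's `apachectl -S` does not print aliases.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the question's `apachectl -S` output with
# the *:443 ServerName set to testy.domain.com (the "Wrong.conf" case).
APACHECTL_S_WRONG = """\
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80     is a NameVirtualHost
    default server what.test.domain.com (/holy/apache/conf/httpd.conf:573)
    port 80 namevhost what.test.domain.com (/holy/apache/conf/httpd.conf:573)
    port 80 namevhost test.domain.com (/holy/apache/conf/httpd.conf:615)
*:443    is a NameVirtualHost
    default server testy.domain.com (/holy/apache/conf/httpd.conf:541)
    port 443 namevhost testy.domain.com (/holy/apache/conf/httpd.conf:541)
Syntax OK
"""


def parse_vhosts(output: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map each listen address (e.g. '*:443') to (default server, [namevhosts])."""
    table: Dict[str, Tuple[str, List[str]]] = {}
    current = None
    for line in output.splitlines():
        m = re.match(r"^(\S+)\s+is a NameVirtualHost", line)
        if m:
            current = m.group(1)
            table[current] = ("", [])
            continue
        m = re.match(r"^\s+default server (\S+)", line)
        if m and current:
            table[current] = (m.group(1), table[current][1])
            continue
        m = re.match(r"^\s+port \d+ namevhost (\S+)", line)
        if m and current:
            table[current][1].append(m.group(1))
    return table


def select_vhost(table: Dict[str, Tuple[str, List[str]]],
                 addr: str, sni_name: str) -> Tuple[str, bool]:
    """Return (serving vhost, used_default).  Mirrors mod_ssl's rule: the first
    namevhost whose ServerName equals the SNI name serves the request; if none
    matches, the default (first-defined) vhost for that address is used."""
    default, names = table[addr]
    for name in names:
        if name.lower() == sni_name.lower():
            return name, False
    return default, True
```

With the constructed "Wrong.conf" listing, an SNI name of test.domain.com on *:443 falls through to the default testy.domain.com vhost, which is exactly the situation the working-scenario debug line describes.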