# mod_gnutls instead of apache-2.2.4-r11 SSL vhosts?

## jeffk

I recently became aware of mod_gnutls and its SNI name-based SSL hosting capability. I'd very much like to try this out, but simply enabling -D GNUTLS on my stock apache-2.2.4-r11 install interferes with the recent vhost changes to the standard apache config. I'd appreciate any insight as to what vhost config to suppress or alter to allow mod_gnutls to do [its thing](http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/).

Thanks.

```
# grep OPTS= /etc/conf.d/apache2
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D SUEXEC -D PROXY -D MIME -D DAV -D DAV_FS -D SVN -D SVN_AUTHZ -D PYTHON -D GNUTLS"
```

```
# /etc/init.d/apache2 start
 * Starting apache2 ...
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs
```

Removing -D SSL_DEFAULT_VHOST causes apache to fail without an error message, even though configtest passes:

```
# grep OPTS= /etc/conf.d/apache2
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SUEXEC -D PROXY -D MIME -D DAV -D DAV_FS -D SVN -D SVN_AUTHZ -D PYTHON -D GNUTLS"

# /etc/init.d/apache2 start
 * Caching service dependencies ...                                        [ ok ]
 * Starting apache2 ...                                                           [ !! ]

# /etc/init.d/apache2 configtest
 * Checking Apache Configuration ...   [ ok ]
```

The httpd.conf file is the unmodified short form that was introduced recently:

```
# This is a modification of the default Apache 2.2 configuration file
# for Gentoo Linux.
#
# Support:
#   http://www.gentoo.org/main/en/lists.xml   [mailing lists]
#   http://forums.gentoo.org/                 [web forums]
#   irc://irc.freenode.net#gentoo-apache      [irc chat]
#
# Bug Reports:
#   http://bugs.gentoo.org                    [gentoo related bugs]
#   http://httpd.apache.org/bug_report.html   [apache httpd related bugs]
#
#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "var/log/apache2/foo.log"
# with ServerRoot set to "/usr" will be interpreted by the
# server as "/usr/var/log/apache2/foo.log".

# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk.  If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
ServerRoot "/usr/lib/apache2"

# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
# GENTOO: Automatically defined based on apache2-builtin-mods at compile time
#
# The following modules are considered as the default configuration.
# If you wish to disable one of them, you may have to alter other
# configuration directives.
#
# Change these at your own risk!
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
<IfDefine CACHE>
LoadModule cache_module modules/mod_cache.so
</IfDefine>
LoadModule cgi_module modules/mod_cgi.so
LoadModule cgid_module modules/mod_cgid.so
<IfDefine DAV>
LoadModule dav_module modules/mod_dav.so
</IfDefine>
<IfDefine DAV>
LoadModule dav_fs_module modules/mod_dav_fs.so
</IfDefine>
<IfDefine DAV>
LoadModule dav_lock_module modules/mod_dav_lock.so
</IfDefine>
LoadModule dbd_module modules/mod_dbd.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
<IfDefine CACHE>
LoadModule disk_cache_module modules/mod_disk_cache.so
</IfDefine>
LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
LoadModule ext_filter_module modules/mod_ext_filter.so
<IfDefine CACHE>
LoadModule file_cache_module modules/mod_file_cache.so
</IfDefine>
LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
LoadModule ident_module modules/mod_ident.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
<IfDefine INFO>
LoadModule info_module modules/mod_info.so
</IfDefine>
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
<IfDefine CACHE>
LoadModule mem_cache_module modules/mod_mem_cache.so
</IfDefine>
LoadModule mime_module modules/mod_mime.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule negotiation_module modules/mod_negotiation.so
<IfDefine PROXY>
LoadModule proxy_module modules/mod_proxy.so
</IfDefine>
<IfDefine PROXY>
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
</IfDefine>
<IfDefine PROXY>
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
</IfDefine>
<IfDefine PROXY>
LoadModule proxy_connect_module modules/mod_proxy_connect.so
</IfDefine>
<IfDefine PROXY>
LoadModule proxy_http_module modules/mod_proxy_http.so
</IfDefine>
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule speling_module modules/mod_speling.so
<IfDefine INFO>
LoadModule status_module modules/mod_status.so
</IfDefine>
LoadModule unique_id_module modules/mod_unique_id.so
<IfDefine USERDIR>
LoadModule userdir_module modules/mod_userdir.so
</IfDefine>
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
<IfDefine LDAP>
LoadModule ldap_module modules/mod_ldap.so
</IfDefine>
<IfDefine AUTH_LDAP>
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
</IfDefine>
<IfDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IfDefine>
<IfDefine SUEXEC>
LoadModule suexec_module modules/mod_suexec.so
</IfDefine>

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
User apache
Group apache

# Supplemental configuration
#
# Most of the configuration files in the /etc/apache2/modules.d/ directory can
# be turned on using APACHE2_OPTS in /etc/conf.d/apache2 to add extra features
# or to modify the default configuration of the server.
#
# To know which flag to add to APACHE2_OPTS, look at the first line of
# the file, which will usually be an <IfDefine OPTION> where OPTION is the
# flag to use.
Include /etc/apache2/modules.d/*.conf

# Virtual-host support
#
# Gentoo has made using virtual-hosts easy. In /etc/apache2/vhosts.d/ we
# include a default vhost (enabled by adding -D DEFAULT_VHOST to
# APACHE2_OPTS in /etc/conf.d/apache2).
Include /etc/apache2/vhosts.d/*.conf

#
# Gentoo Applications
#
# For Gentoo we include External Application Directory Files.
#
Include /etc/apache2/app/*.conf

# vim: ts=4 filetype=apache
```

The vhost .conf files are stock Apache as well:

```
# cat 00_default_vhost.conf
# Virtual Hosts
#
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

<IfDefine DEFAULT_VHOST>
# see bug #178966 why this is in here
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80

# Use name-based virtual hosting.
NameVirtualHost *:80

# When virtual hosts are enabled, the main host defined in the default
# httpd.conf configuration will go away. We redefine it here so that it is
# still available.
#
# If you disable this vhost by removing -D DEFAULT_VHOST from
# /etc/conf.d/apache2, the first defined virtual host elsewhere will be
# the default.
<VirtualHost *:80>
        Include /etc/apache2/vhosts.d/default_vhost.include

        <IfModule mpm_peruser_module>
                ServerEnvironment apache apache
        </IfModule>
</VirtualHost>
</IfDefine>

# vim: ts=4 filetype=apache
```

```
# cat 00_default_ssl_vhost.conf
<IfDefine SSL>
<IfDefine SSL_DEFAULT_VHOST>
<IfModule ssl_module>
# see bug #178966 why this is in here
# When we also provide SSL we have to listen to the HTTPS port
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
Listen 443

<VirtualHost _default_:443>
        Include /etc/apache2/vhosts.d/default_vhost.include

        ErrorLog /var/log/apache2/ssl_error_log
        <IfModule log_config_module>
                TransferLog /var/log/apache2/ssl_access_log
        </IfModule>

        ## SSL Engine Switch:
        # Enable/Disable SSL for this virtual host.
        SSLEngine on

        ## SSL Cipher Suite:
        # List the ciphers that the client is permitted to negotiate.
        # See the mod_ssl documentation for a complete list.
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

        ## Server Certificate:
        # Point SSLCertificateFile at a PEM encoded certificate. If the certificate
        # is encrypted, then you will be prompted for a pass phrase. Note that a
        # kill -HUP will prompt again. Keep in mind that if you have both an RSA
        # and a DSA certificate you can configure both in parallel (to also allow
        # the use of DSA ciphers, etc.)
        SSLCertificateFile /etc/apache2/ssl/server.crt
        #SSLCertificateFile /etc/apache2/ssl/server-dsa.crt

        ## Server Private Key:
        # If the key is not combined with the certificate, use this directive to
        # point at the key file. Keep in mind that if you've both a RSA and a DSA
        # private key you can configure both in parallel (to also allow the use of
        # DSA ciphers, etc.)
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        #SSLCertificateKeyFile /etc/apache2/ssl/server-dsa.key

        ## Server Certificate Chain:
        # Point SSLCertificateChainFile at a file containing the concatenation of
        # PEM encoded CA certificates which form the certificate chain for the
        # server certificate. Alternatively the referenced file can be the same as
        # SSLCertificateFile when the CA certificates are directly appended to the
        # server certificate for convenience.
        #SSLCertificateChainFile /etc/apache2/ssl/ca.crt

        ## Certificate Authority (CA):
        # Set the CA certificate verification path where to find CA certificates
        # for client authentication or alternatively one huge file containing all
        # of them (file must be PEM encoded).
        # Note: Inside SSLCACertificatePath you need hash symlinks to point to the
        # certificate files. Use the provided Makefile to update the hash symlinks
        # after changes.
        #SSLCACertificatePath /etc/apache2/ssl/ssl.crt
        #SSLCACertificateFile /etc/apache2/ssl/ca-bundle.crt

        ## Certificate Revocation Lists (CRL):
        # Set the CA revocation path where to find CA CRLs for client authentication
        # or alternatively one huge file containing all of them (file must be PEM
        # encoded).
        # Note: Inside SSLCARevocationPath you need hash symlinks to point to the
        # certificate files. Use the provided Makefile to update the hash symlinks
        # after changes.
        #SSLCARevocationPath /etc/apache2/ssl/ssl.crl
        #SSLCARevocationFile /etc/apache2/ssl/ca-bundle.crl

        ## Client Authentication (Type):
        # Client certificate verification type and depth. Types are none, optional,
        # require and optional_no_ca. Depth is a number which specifies how deeply
        # to verify the certificate issuer chain before deciding the certificate is
        # not valid.
        #SSLVerifyClient require
        #SSLVerifyDepth  10

        ## Access Control:
        # With SSLRequire you can do per-directory access control based on arbitrary
        # complex boolean expressions containing server variable checks and other
        # lookup directives. The syntax is a mixture between C and Perl. See the
        # mod_ssl documentation for more details.
        #<Location />
        #       #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
        #       and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #       and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #       and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #       and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #       or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        #</Location>

        ## SSL Engine Options:
        # Set various options for the SSL engine.

        ## FakeBasicAuth:
        # Translate the client X.509 into a Basic Authorisation. This means that the
        # standard Auth/DBMAuth methods can be used for access control. The user
        # name is the `one line' version of the client's X.509 certificate.
        # Note that no password is obtained from the user. Every entry in the user
        # file needs this password: `xxj31ZMTZzkVA'.

        ## ExportCertData:
        # This exports two additional environment variables: SSL_CLIENT_CERT and
        # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the server
        # (always existing) and the client (only existing when client
        # authentication is used). This can be used to import the certificates into
        # CGI scripts.

        ## StdEnvVars:
        # This exports the standard SSL/TLS related `SSL_*' environment variables.
        # Per default this exportation is switched off for performance reasons,
        # because the extraction step is an expensive operation and is usually
        # useless for serving static content. So one usually enables the exportation
        # for CGI and SSI requests only.

        ## StrictRequire:
        # This denies access when "SSLRequireSSL" or "SSLRequire" applied even under
        # a "Satisfy any" situation, i.e. when it applies access is denied and no
        # other module can change it.

        ## OptRenegotiate:
        # This enables optimized SSL connection renegotiation handling when SSL
        # directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/localhost/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>

        ## SSL Protocol Adjustments:
        # The safe and default but still SSL/TLS standard compliant shutdown
        # approach is that mod_ssl sends the close notify alert but doesn't wait
        # for the close notify alert from client. When you need a different
        # shutdown approach you can use one of the following variables:

        ## ssl-unclean-shutdown:
        # This forces an unclean shutdown when the connection is closed, i.e. no
        # SSL close notify alert is sent or allowed to be received.  This violates the
        # SSL/TLS standard but is needed for some brain-dead browsers. Use this when
        # you receive I/O errors because of the standard approach where mod_ssl
        # sends the close notify alert.

        ## ssl-accurate-shutdown:
        # This forces an accurate shutdown when the connection is closed, i.e. a
        # SSL close notify alert is sent and mod_ssl waits for the close notify
        # alert of the client. This is 100% SSL/TLS standard compliant, but in
        # practice often causes hanging connections with brain-dead browsers. Use
        # this only for browsers where you know that their SSL implementation works
        # correctly.
        # Notice: Most problems of broken clients are also related to the HTTP
        # keep-alive facility, so you usually additionally want to disable
        # keep-alive for those clients, too. Use variable "nokeepalive" for this.
        # Similarly, one has to force some clients to use HTTP/1.0 to workaround
        # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        # "force-response-1.0" for this.
        <IfModule setenvif_module>
                BrowserMatch ".*MSIE.*" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        </IfModule>

        ## Per-Server Logging:
        # The home of a custom SSL log file. Use this when you want a compact
        # non-error SSL logfile on a virtual host basis.
        <IfModule log_config_module>
                CustomLog /var/log/apache2/ssl_request_log \
                        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        </IfModule>
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>

# vim: ts=4 filetype=apache
```

----------

## jessekeys

Take a look into your /var/log/apache2/error_log, which will guide you in the right direction.

I guess your problem is in /etc/apache2/modules.d/47_mod_gnutls.conf, as there's already an example vhost configuration inside!

I got it running; some vhosts are still buggy though. Can't figure out why it says

```
[crit] GnuTLS: Unknown type '0' for SNI: 'vhost.somedomain.org'
```

on some vhosts and redirects to some other then...

----------
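The "Address already in use" failure in the first post is two config files both emitting `Listen 443` for the flags in APACHE2_OPTS: the mod_ssl default vhost (gated by SSL and SSL_DEFAULT_VHOST) and the mod_gnutls example vhost that the reply points to (gated by GNUTLS). The following is an added example, not Gentoo's or Apache's own tooling, that evaluates `<IfDefine>` gating for a set of -D flags and reports ports claimed by more than one file; the 47_mod_gnutls.conf stand-in is constructed, since the thread does not show that file.

```python
import re

# Example code added for this thread (not Gentoo's or Apache's own tooling):
# given APACHE2_OPTS, report ports that more than one config file would
# `Listen` on, honouring nested <IfDefine FLAG> / <IfDefine !FLAG> blocks.
# <IfModule> blocks are treated as always active (the module is loaded).
DEFINE_OPEN = re.compile(r"^\s*<IfDefine\s+(!?)(\S+?)\s*>", re.I)
DEFINE_CLOSE = re.compile(r"^\s*</IfDefine>", re.I)
LISTEN = re.compile(r"^\s*Listen\s+(?:\S*:)?(\d+)(?:\s+\S+)?\s*$", re.I)

def parse_opts(opts):
    """Return the set of flags passed with -D in an APACHE2_OPTS string."""
    return set(re.findall(r"-D\s*(\S+)", opts))

def listens(text, defines):
    """Yield ports of Listen lines whose enclosing IfDefine blocks are all active."""
    stack = []  # one bool per currently open <IfDefine>
    for line in text.splitlines():
        m = DEFINE_OPEN.match(line)
        if m:
            negate, flag = m.groups()
            stack.append((flag in defines) != bool(negate))
        elif DEFINE_CLOSE.match(line):
            stack.pop()
        else:
            m = LISTEN.match(line)
            if m and all(stack):
                yield int(m.group(1))

def listen_conflicts(files, opts):
    """Map port -> files that would bind it under opts; keep ports claimed twice."""
    defines = parse_opts(opts)
    claims = {}
    for name, text in files.items():
        for port in listens(text, defines):
            claims.setdefault(port, []).append(name)
    return {port: names for port, names in claims.items() if len(names) > 1}

# Constructed stand-ins for the files in the thread; the real
# 47_mod_gnutls.conf is not shown there, so its contents are assumed.
SAMPLE_FILES = {
    "vhosts.d/00_default_vhost.conf":
        "<IfDefine DEFAULT_VHOST>\n#Listen 12.34.56.78:80\nListen 80\n</IfDefine>\n",
    "vhosts.d/00_default_ssl_vhost.conf":
        "<IfDefine SSL>\n<IfDefine SSL_DEFAULT_VHOST>\n<IfModule ssl_module>\n"
        "Listen 443\n<VirtualHost _default_:443>\nSSLEngine on\n</VirtualHost>\n"
        "</IfModule>\n</IfDefine>\n</IfDefine>\n",
    "modules.d/47_mod_gnutls.conf":
        "<IfDefine GNUTLS>\nListen 443\n<VirtualHost *:443>\n</VirtualHost>\n</IfDefine>\n",
}
OPTS_FROM_THREAD = ("-D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST "
                    "-D SUEXEC -D PROXY -D MIME -D DAV -D DAV_FS -D SVN -D SVN_AUTHZ "
                    "-D PYTHON -D GNUTLS")
OPTS_NO_SSL_DEFAULT = OPTS_FROM_THREAD.replace("-D SSL_DEFAULT_VHOST ", "")

if __name__ == "__main__":
    for port, names in listen_conflicts(SAMPLE_FILES, OPTS_FROM_THREAD).items():
        print(f"port {port} claimed by: {', '.join(names)}")
```

Run against the real /etc/apache2 tree, the same functions read each file under modules.d and vhosts.d; dropping SSL_DEFAULT_VHOST removes the double bind, which is why the second start in the thread no longer reports port 443 in use.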

