I have two different sites in one server: a.com and b.com.
If I use named virtualhost on ssl port, IE won't work.
So, I decided to use port 444 for SSL for b.com. However, it seems all browsers give an error message:
Chrome: Error 107 ssl protocol error
Firefox: Error code: ssl_error_rx_record_too_long
Epiphany: SSL handshake failed
Umm... I don't know why, but I have seen some web sites that can be accessed like https://example.com:1443.
Or did I miss something?
ports.conf:
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to <VirtualHost *:443>
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
NameVirtualHost *:443
NameVirtualHost *:444
Listen 443
Listen 444
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
Listen 444
</IfModule>
b.site:
<VirtualHost *:444>
ServerName www.b.com:444
ServerAdmin [email protected]
LogLevel error
ErrorLog /var/log/apache2/b_error.log
CustomLog /var/log/apache2/b_access.log combined
DocumentRoot ...
<Directory ...>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/b.crt
SSLCertificateKeyFile /etc/ssl/private/b.pem
</VirtualHost>
CA config file to generate the certificate:
[ca]
default_ca = CA_default
[CA_default]
x509_extensions = root_ca_extensions
[req]
default_bits = 4096
default_keyfile =
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
x509_extensions = v3_ca
req_extensions = v3_req
[req_distinguished_name]
C = ...
ST = ..
O = ...
OU = ..
CN = ...
emailAddress = [email protected]
[req_attributes]
[root_ca_extensions]
basicConstraints = CA:true
[v3_ca]
basicConstraints = CA:true
[v3_req]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = b.com
DNS.2 = www.b.com
The answer is yes.
It's my mistake, I have set up
127.0.0.1 www.b.com
in the /etc/hosts. Then, however I change the apache config files in the remote server, my browser always resolves www.b.com to my localhost, where there is a broken certificate.

Not 100% sure if this is the problem... but try to remove the :444 from the ServerName line so it looks like
The port isn't needed since the browser connects on that port but the host header will still be www.b.com no matter what port is used.
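
An added example, not code from the question or its answers: it checks whether a hosts file pins the name to another address (the cause the asker found) and shows how non-TLS bytes arriving on an SSL port parse as an over-long TLS record, which is what ssl_error_rx_record_too_long reports. The hosts text and reply bytes are constructed samples, the function names are this example's own, and a plaintext reply from the local server is an assumption rather than something the post confirms.

```python
import ipaddress
import struct

MAX_TLS_RECORD = 2**14 + 2048  # largest ciphertext record length TLS 1.2 allows

def hosts_overrides(hosts_text, hostname):
    """Return the addresses a hosts file pins `hostname` to (exact, case-insensitive)."""
    wanted = hostname.lower().rstrip(".")
    pinned = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and wanted in (n.lower() for n in fields[1:]):
            pinned.append(fields[0])
    return pinned

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def classify_reply(first_bytes):
    """Read the first 5 bytes of a server reply as a TLS record header."""
    if len(first_bytes) < 5:
        return "short"
    ctype, major, _minor, length = struct.unpack("!BBBH", first_bytes[:5])
    if ctype in (20, 21, 22, 23) and major == 3 and length <= MAX_TLS_RECORD:
        return "tls"
    if length > MAX_TLS_RECORD:
        return "record-too-long"  # e.g. "HTTP/" decodes to length 0x502F
    return "not-tls"

def diagnose(hosts_text, hostname, first_bytes):
    findings = []
    for addr in hosts_overrides(hosts_text, hostname):
        kind = "loopback" if is_loopback(addr) else "static"
        findings.append(f"hosts file pins {hostname} to {addr} ({kind})")
    findings.append(f"reply on the SSL port parses as: {classify_reply(first_bytes)}")
    return findings

# Constructed sample inputs (not taken from the poster's machines).
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1   www.b.com   # leftover test entry
::1 ip6-localhost
"""
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\n"
TLS_REPLY = bytes.fromhex("160303005d020000")  # handshake record, TLS 1.2

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_HOSTS, "www.b.com", PLAINTEXT_REPLY)))
```
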