Multiple certificates per domain/host?

#1
Hi,

Just wondering whether LiteSpeed has this niche feature to support multiple certificates per domain/host? Apache has this. Nginx has it with a patch (soon to be moved to upstream). If nothing else, it allows us to run an RSA (SHA1) + ECDH (SHA256) stack qualifying the requirements of modern browsers while still not abandoning access to legacy clients.

- Akash
 
#4
Hi. Just compiled OpenLiteSpeed 1.3.12 and had a quick look inside the admin interface. Everything just seems the same to me as the latest LiteSpeed Std. Will be really glad if you can please point me in the right direction to find the above-mentioned capability.
 
#5
Tried 1.4.11 also by compiling it against the latest OpenSSL. Modified httpd_config.conf manually with the following SSL-related entries:

keyFile /httpd/ssl/domain.sha1.key
certFile /httpd/ssl/domain.sha1.crt
keyFile /httpd/ssl/domain.sha2.key
certFile /httpd/ssl/domain.sha2.crt

The configuration does get saved and the server starts successfully, but I think it just picks the first certificate only. If the first one in sequence is sha1-rsa, that is what is served to the browser irrespective of the cipher suite order I have provided, in which ECDSA suites come first. Similarly, if I put the sha2-ecdsa one at the top, it gets served irrespective of which protocol the client is connecting with. Ideally, if the client is connecting via SSLv3, the server should serve the sha1-rsa certificate, as ECDSA is a TLS thing. But that's not happening. The same thing in Apache works flawlessly.
 

mistwang

LiteSpeed Staff
#6
It will be supported in our upcoming 1.4.12 release. Sorry for the confusion; we finished coding a while ago but have not released it yet. It will be released this week.
 
#8
The new version is already there. Tried it but to no avail. With a configuration like this:

keyFile /httpd/ssl/rsa.sha1.key
certFile /httpd/ssl/rsa.sha1.crt
keyFile /httpd/ssl/ecdsa.sha2.key
certFile /httpd/ssl/ecdsa.sha2.crt
ciphers !aNULL:!eNULL:!EXPORT:-RC4:!DES:!SSLv2:!MD5:!SSLV3:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-RC4-SHA:ECDH-ECDSA-RC4-SHA

It still serves rsa.sha1.crt to the browser even though there is no RSA cipher in the list of ciphers.
 

mistwang

LiteSpeed Staff
#9
The naming is important. You can use
keyFile /httpd/ssl/server.key
certFile /httpd/ssl/server.crt

Rename the RSA pair to server.key/crt, then just rename the DSA pair to server.key.dsa / server.crt.dsa.
No need to list the DSA pair in the configuration.
 
#10
With this setting (enabling just one cipher):

keyFile /httpd/ssl/server.key
certFile /httpd/ssl/server.crt
ciphers !aNULL:!eNULL:!EXPORT:-RC4:!DES:!SSLv2:!MD5:!SSLV3:ECDHE-ECDSA-AES256-GCM-SHA384

root@noname:/httpd# ls -l ssl
total 16
-rw-r--r-- 1 root root 3572 Sep 24 10:07 server.crt
-rw-r--r-- 1 root root 2701 Sep 21 15:16 server.crt.dsa
-rw-r--r-- 1 root root 1704 Sep 21 13:20 server.key
-rw-r--r-- 1 root root 302 Sep 21 13:03 server.key.dsa

with server.crt/key being RSA, it still serves the RSA certificate to the latest Chrome browser even though there is no RSA cipher in the list.
 
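The checks in posts #5, #8 and #10 all come down to one question: which leaf certificate does the server hand to a client that offers only ECDSA cipher suites, and which one to a client that offers only RSA suites? Below is a small POSIX shell probe for exactly that. It is an added example, not LiteSpeed's or the thread author's code; it assumes `openssl` is on PATH, that the server is reachable at the host/port you pass, and it forces TLS 1.2 because in TLS 1.3 certificate selection is driven by the signature_algorithms extension rather than by the cipher list.

```shell
#!/bin/sh
# Added example (not LiteSpeed code): verify which certificate type a TLS
# server serves for a given client cipher list.
#
# Usage: sh probe_certs.sh <host> [port]
#   prints the public key algorithm of the leaf certificate served to
#   (a) a client offering only ECDHE-ECDSA suites and
#   (b) a client offering only ECDHE-RSA suites.
# A server with working multi-cert support answers (a) with id-ecPublicKey
# and (b) with rsaEncryption; a server that ignores the cipher list (the
# symptom described in the thread) answers both with the same algorithm.

# Read a PEM certificate stream on stdin and print the public key
# algorithm of the first certificate (e.g. "rsaEncryption" or
# "id-ecPublicKey"). Prints nothing if no certificate is present.
leaf_key_algo() {
    openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/^ *Public Key Algorithm: *//p' \
        | head -n 1
}

# Connect to host:port over TLS 1.2 offering only the given OpenSSL cipher
# list, and print the key algorithm of the leaf certificate the server sent.
# -servername sends SNI so name-based virtual hosts pick the right listener.
served_key_algo() {
    host=$1
    port=${2:-443}
    ciphers=$3
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -tls1_2 -cipher "$ciphers" 2>/dev/null | leaf_key_algo
}

# Compare the two answers and return 0 only when the server really selects
# the certificate by cipher suite (ECDSA suites -> EC cert, RSA suites -> RSA cert).
check_multi_cert() {
    host=$1
    port=${2:-443}
    ecdsa=$(served_key_algo "$host" "$port" 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256')
    rsa=$(served_key_algo "$host" "$port" 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256')
    echo "ECDSA-only client got: ${ecdsa:-<no certificate / handshake failed>}"
    echo "RSA-only client got:   ${rsa:-<no certificate / handshake failed>}"
    [ "$ecdsa" = id-ecPublicKey ] && [ "$rsa" = rsaEncryption ]
}

# Only run the probe when invoked with a host argument, so the functions can
# also be sourced into another script.
if [ $# -ge 1 ]; then
    check_multi_cert "$1" "${2:-443}"
fi
```

A handshake that fails outright (empty output) is itself informative: if the ECDSA-only client cannot complete a handshake, the server has no EC certificate loaded for that listener at all, whereas a handshake that succeeds with an `rsaEncryption` leaf means the server ignored the client's cipher preference when choosing the certificate.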

mistwang

LiteSpeed Staff
#11
There is an option in tuning tab to turn on multi-cert support, do you have it enabled?

The RSA cipher is probably added automatically to make sure the cipher list is HTTP/2 ready. You may need to patch the source code to turn it off if you want.
 