{"id":156,
"date":"2008-11-25T01:04:20",
"date_gmt":"2008-11-24T23:04:20",
"guid":{"rendered":"http:\/\/signal.eu.org\/blog\/?p=156"},
"modified":"2008-11-25T01:15:02",
"modified_gmt":"2008-11-24T23:15:02",
"slug":"adieu-rfc-2817-bonjour-rfc-3546",
"status":"publish",
"type":"post",
"link":"https:\/\/signal.eu.org\/blog\/2008\/11\/25\/adieu-rfc-2817-bonjour-rfc-3546\/",
"title":{"rendered":"Goodbye RFC 2817, hello RFC 3546"},
"content":{"rendered":"\n<p>Last year, having read the Apache 2.2 docs in a moment of distraction, I wrote about the <a href=\"http:\/\/signal.eu.org\/blog\/2007\/09\/07\/http-et-tls-la-rfc-meconnue\/\">RFC 2817 extensions of the SSL module<\/a>, which would allow us to stop multiplying IP addresses (now increasingly scarce in v4) when hosting several secure web servers on the same machine, a real pain with https. At the time we were waiting for the release of Firefox 3.<\/p>\n<p>Since it has now been out for a good while, I went back to the question this evening, prompted by a <a href=\"http:\/\/www.bortzmeyer.org\/plusieurs-noms-dans-certificat.html\">recent article<\/a> by Stéphane on the proverbial looseness of X509.<\/p>\n<p><!--more--><\/p>\n<p>Well&#8230; I had it all wrong. Firefox 3 <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=276813\">will not support the RFC 2817 extension<\/a>, because it is not suited to the problem. Instead, it turns out that <a href=\"http:\/\/www.ietf.org\/rfc\/rfc3546.txt\">RFC 3546<\/a> describes the <em>Server Name Indication<\/em> extension, which is not only designed for exactly this but has long been supported by reasonably modern browsers.<\/p>\n<p>So I ran a test on <a href=\"https:\/\/www.eu.org\/\">https:\/\/www.eu.org\/<\/a> and <a href=\"https:\/\/eu.org\/\">https:\/\/eu.org\/<\/a> (root certificate <a href=\"http:\/\/eu.org\/eu.org.crt\">here<\/a>), and it seems to work at least with Firefox 2, Firefox 3 and Konqueror 4 (and over IPv6, if you please). It apparently even works with <a href=\"http:\/\/www.g-loaded.eu\/2007\/08\/10\/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls\/\">Internet Explorer 7 and Opera 8<\/a>; only Safari is missing.<\/p>\n<p>You do still have to install <a href=\"http:\/\/www.outoforder.cc\/projects\/apache\/mod_gnutls\/\">mod_gnutls<\/a>, because mod_ssl <a href=\"http:\/\/www.g-loaded.eu\/2007\/08\/10\/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls\/\">is waiting for OpenSSL version 0.99<\/a> to be able to handle this kind of negotiation.<\/p>\n<p>The incantations required in the Apache configuration are not exactly complicated:<\/p>\n<pre style=\"padding-left: 30px;\">NameVirtualHost *:443<\/pre>\n<pre style=\"padding-left: 30px;\">&lt;VirtualHost _default_:443&gt;\n  ServerName eu.org\n  GnuTLSEnable On\n  GnuTLSKeyFile eu.org.key\n  GnuTLSCertificateFile eu.org.crt\n  [...]\n&lt;\/VirtualHost&gt;<\/pre>\n<pre style=\"padding-left: 30px;\">&lt;VirtualHost _default_:443&gt;\n  ServerName www.eu.org\n  GnuTLSEnable On\n  GnuTLSKeyFile www.eu.org.key\n  GnuTLSCertificateFile www.eu.org.crt\n  [...]\n&lt;\/VirtualHost&gt;<\/pre>\n","protected":false},
"excerpt":{"rendered":"<p>Last year, having read the Apache 2.2 docs in a moment of distraction, I wrote about the RFC 2817 extensions of the SSL module, which would allow us to stop multiplying IP addresses (now increasingly scarce in v4) when hosting several secure web servers on the same machine, a real pain with https. At the time we were waiting for the &hellip; <a href=\"https:\/\/signal.eu.org\/blog\/2008\/11\/25\/adieu-rfc-2817-bonjour-rfc-3546\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Goodbye RFC 2817, hello RFC 3546<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},
"author":1,
"featured_media":0,
"comment_status":"open",
"ping_status":"open",
"sticky":false,
"template":"",
"format":"standard",
"meta":[],
"categories":[15,7,5,16],
"tags":[],
"_links":{"self":[{"href":"https:\/\/signal.eu.org\/blog\/wp-json\/wp\/v2\/posts\/156"}],"collection":[{"href":"https:\/\/signal.eu.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/signal.eu.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/signal.eu.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/signal.eu.org\/blog\/wp-json\/wp\/v2\/comments?post=156"}],"version-history":[{"count":9,"href":"https:\/\/signal.eu.org\/blog\/wp-json\/wp\/v2\/posts\/156\/revisions"}],"predecessor-version":[{"id":165,"href":"https:\/\/signal.eu.org\/blog\/wp-json\/wp\/v2\/posts\/156\/revisions\/165"}],"wp:attachment":[{"href":"https:\/\/signal.eu.org\/blog\/wp-json\/wp\/v2\/media?parent=156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/signal.eu.org\/blog\/wp-json\/wp\/v2\/categories?post=156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/signal.eu.org\/blog\/wp-json\/wp\/v2\/tags?post=156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}