Great! Your client [CCBot/2.0 (http://commoncrawl.org/faq/)] sent the following TLS server name indication extension (RFC 6066) in its ClientHello (negotiated protocol: TLSv1, cipher suite: ECDHE-RSA-AES256-SHA):
In your request, this header was included:
This Web server is running Apache httpd's mod_ssl, linked against a version of OpenSSL with support for TLS extensions. Apache httpd 2.2.12 was the first official release featuring TLS SNI capabilities.
For the current connection (established at Thu Apr 24 21:16:55 UTC 2014),
httpd is assuming that the certificate
with CN=bob.sni.velox.ch is the correct one.
Apache is configured as shown below and uses three certificates,
(kindly provided by QuoVadis),
where CN=alice.sni.velox.ch, CN=bob.sni.velox.ch, and CN=*.sni.velox.ch.
Based on the information your client submitted, the highlighted
VirtualHost has been selected for your viewing pleasure:
Listen 443 # NameVirtualHost is only needed for httpd 2.2.x NameVirtualHost *:443 <VirtualHost *:443> SSLEngine On ServerName alice.sni.velox.ch:443 ServerAlias carol.sni.velox.ch DocumentRoot /var/www/html/alice SSLCertificateFile /etc/pki/tls/certs/alice.sni.velox.ch.crt SSLCertificateKeyFile /etc/pki/tls/private/alice.sni.velox.ch.key # alice.sni.velox.ch.crt has a subjectAltName extension # with two dNSName entries: alice.sni.velox.ch and # carol.sni.velox.ch # Since this VirtualHost is listed first, it's also # the default one and will get selected if none # of the others match </VirtualHost> <VirtualHost *:443> SSLEngine On ServerName bob.sni.velox.ch:443 ServerAlias dave.sni.velox.ch DocumentRoot /var/www/html/bob SSLCertificateFile /etc/pki/tls/certs/bob.sni.velox.ch.crt SSLCertificateKeyFile /etc/pki/tls/private/bob.sni.velox.ch.key # bob.sni.velox.ch.crt has a subjectAltName extension # with two dNSName entries: bob.sni.velox.ch and # dave.sni.velox.ch </VirtualHost> <VirtualHost *:443> SSLEngine On ServerName mallory.sni.velox.ch:443 ServerAlias *.sni.velox.ch ServerAlias sni.velox.ch DocumentRoot /var/www/html/mallory SSLCertificateFile /etc/pki/tls/certs/mallory.sni.velox.ch.crt SSLCertificateKeyFile /etc/pki/tls/private/mallory.sni.velox.ch.key # mallory.sni.velox.ch.crt has a subjectAltName extension # with two dNSName entries: *.sni.velox.ch and # sni.velox.ch # Since it has a wildcard DNS name, it will match for any # VirtualHost below .sni.velox.ch which is not explicitly configured </VirtualHost>
Clicking on the
ServerAlias links should
get you to these VirtualHosts. The
.crt links will show the certificates
in PEM format, preceded by an OpenSSL text dump.
Browsers/clients with support for TLS server name indication:
Last updated 2013-05-08, Kaspar Brand (contact: sni velox ch, insert "@" before and "." after "velox")