У меня есть два виртуальных хоста на основе имени на одном IP. Тест на Qualys SSL LABS на первом виртуальном хосте (по умолчанию) сообщил о несоответствии сертификатов для канонических имен второго виртуального хоста, сообщив, что «этот сайт работает только с поддержкой SNI». Если я отключу второй виртуальный хост, тест заканчивается правильно. Тест, который я сделал openssl s_client, не сообщает о проблеме:
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.mydomain.com
verify return:1
---
Certificate chain
0 s:CN = www.mydomain.com
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGXTCCBUWgAwIBAgISA9y+4P5bPxkfLq3K4eAzMsYXMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
..............................................................
+/NQyC6DsWJcID5sO7K++GBEl4iyHGQWCHlfY13Vpk8Iz81ov5/hHVtwZSZ60qKD
MRvIfmb9LzBHqdkL/Wjxt7gJC6YtuEYrIoP5+w2vZnLrG2jJCSWj6N8R+vh0Sh8e
qQ==
-----END CERTIFICATE-----
subject=CN = www.mydomain.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3628 bytes and written 401 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 19XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX07
Session-ID-ctx:
Resumption PSK: FXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXE
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - b6 72 41 25 a1 5f c8 bd-7b 8f fb 8c fc c2 0d f8 .rA%._..{.......
.............................................................................
00f0 - 00 66 31 2a a3 9e 1c 73-95 16 56 b8 71 45 32 cc .f1*...s..V.qE2.
Start Time: 1578821067
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: F0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXC6
Session-ID-ctx:
Resumption PSK: DXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - b6 72 41 25 a1 5f c8 bd-7b 8f fb 8c fc c2 0d f8 .rA%._..{.......
0010 - 03 94 2e 7e bb e9 58 3d-64 ad 31 73 50 03 5f 91 ...~..X=d.1sP._.
.................................................................................
00f0 - 20 83 7f 51 a0 e7 88 c8-f6 05 23 55 6e e3 34 c6 ..Q......#Un.4.
Start Time: 1578821067
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
My default virtualhost has a ServerName www.mydomain.com directive in apache2.conf and its virtualhost file has one too.
The Qualys SSL Labs test for www.mydomain.com reports a `Alternative names www.mysecond-domain.com MISMATCH`.
I don't undestand why Qualys SSL LABS keeps on involving the second virtualhost when i'm testing the default virtualhost.
Regards