From owner-freebsd-isp@FreeBSD.ORG Thu Apr 17 14:57:14 2003
From: "Dave [Hawk-Systems]"
To: , "Chris Bowlby"
Cc: freebsd-isp@freebsd.org
Date: Thu, 17 Apr 2003 17:57:10 -0400
In-Reply-To: <20030417124827.N92807@seven.alameda.net>
Subject: RE: multiple SSL keys on one IP several Vhosts...
List-Id: Internet Services Providers

>> Googling for a result of an issue where I've got more than one SSL key I
>> want to enable on a site (one that is certified and one that is self
>> signed), I ran across an issue where multiple keys appear to not work on
>> the same IP. Is this still the case, even after two years? Whose bright
>> idea was it to tie the SSL key to the IP address and domain, and not just
>> the domain?
>>
>> If anyone has a workaround for this, it would be very useful to know
>> (other than more than one IP assigned to the VH; not an option as a
>> limitation of jails...)
>>
>> Thanks in advance..
>
> I work at a company where we have many different hosts/domains and
> everything has to be SSL, although the actual application behind it
> is the same. The application does present a different layout/logo per
> virtual site, but otherwise, internally and database-wise, it's the same.
> Managing multiple hosts behind the load balancer with SSL was a pain.
>
> We ended up getting an Alteon (Nortel) iSD100 setup, which is an
> SSL offloader. For the frontend we already had an Alteon AD3. The
> front side still has all the different IPs per virtual host, but the
> actual servers now have only 1 IP, one config file with name-based
> virtual hosts. You can use two AD3s for failover, as well as up to
> 32 of the iSD100 in a cluster (there are different models; I just
> know the iSD100). Each iSD100 is supposedly capable of 7,000 sessions;
> it has two hardware SSL cards in a 1U case.

From what you describe, you avoid the problem on the web server by moving it to another physical server/device... but the problem itself (requires 1 unique IP/port combination per SSL host) still exists.

Bottom line, if you only have 1 IP address you can only use 1 SSL cert UNLESS you start assigning other port combinations per SSL cert... messy at best.

Dave
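The one-cert-per-IP:port rule Dave describes is easy to violate silently in an Apache config: a second SSL vhost on the same address:port is accepted, but only the first vhost's certificate is ever presented. The following lint is an added example (not from the thread or from Apache), run over a constructed config that contains both the conflicting case and the extra-port workaround; the addresses and certificate paths are invented.

```python
import re
from collections import defaultdict

# Constructed Apache-style config (not a real deployment): two SSL vhosts
# share 192.0.2.10:443 (the failing case), and the second site is also
# given its own port, which is the "port per cert" workaround.
SAMPLE_CONFIG = """
Listen 443
Listen 8443
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/shop.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName intranet.example.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/intranet-selfsigned.crt
</VirtualHost>
<VirtualHost 192.0.2.10:8443>
    ServerName intranet.example.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/intranet-selfsigned.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_ssl_vhosts(config):
    """Return [(addr:port, ServerName, SSLCertificateFile)] for vhosts with SSLEngine on."""
    out = []
    for m in VHOST_RE.finditer(config):
        addr, body = m.group(1).strip(), m.group(2)
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            continue
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        out.append((addr, name.group(1) if name else None, cert.group(1) if cert else None))
    return out

def find_cert_conflicts(config):
    """Map each addr:port asked to serve more than one distinct cert to its cert list.
    The SSL handshake finishes before the client sends its Host header, so the
    server has already chosen a cert (the first vhost's) for that socket."""
    certs_by_socket = defaultdict(list)
    for addr, _name, cert in parse_ssl_vhosts(config):
        if cert and cert not in certs_by_socket[addr]:
            certs_by_socket[addr].append(cert)
    return {sock: certs for sock, certs in certs_by_socket.items() if len(certs) > 1}

if __name__ == "__main__":
    for sock, certs in find_cert_conflicts(SAMPLE_CONFIG).items():
        print(f"{sock}: {len(certs)} certs configured, only {certs[0]} will be served")
```

Run against the sample it reports the 443 conflict only; the 8443 vhost is fine because it has the socket to itself.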