From: Ulf Zimmermann
To: "Dave [Hawk-Systems]"
Cc: freebsd-isp@freebsd.org, ulf@Alameda.net
Date: Thu, 17 Apr 2003 17:10:14 -0700
Subject: Re: multiple SSL key's on one IP several Vhosts...
Message-ID: <20030417171014.Q92807@seven.alameda.net>
References: <20030417124827.N92807@seven.alameda.net>
In-Reply-To: ; from dave@hawk-systems.com on Thu, Apr 17, 2003 at 05:57:10PM -0400
Organization: Alameda Networks, Inc.
X-Operating-System: FreeBSD 4.7-RELEASE-p2
User-Agent: Mutt/1.2.5i
List-Id: Internet Services Providers

On Thu, Apr 17, 2003 at 05:57:10PM -0400, Dave [Hawk-Systems] wrote:
> >> Googling for a result of an issue where I've got more than one SSL key I
> >> want to enable on a site (one that is certified and one that is self
> >> signed) I ran across an issue where multiple keys appear to not work on
> >> the same IP. Is this still the case, even after two years? Whose bright
> >> idea was it to tie the SSL key to the IP address and domain, and not just
> >> the domain?
> >>
> >> If anyone has a workaround for this, it would be very useful to know
> >> (other than more than one IP assigned to the VH, not an option as a
> >> limitation of jails...)
> >>
> >> thanks in advance..
> >
> >I work at a company where we have many different hosts/domains and
> >everything has to be SSL, although the actual application behind it
> >is the same. The application does present a different layout/logo per
> >virtual site, but otherwise internally and database-wise it's the same.
> >Managing multiple hosts behind the load balancer with SSL was a pain.
> >
> >We ended up getting an Alteon (Nortel) iSD100 setup, which is an
> >SSL offloader. For the frontend we already had an Alteon AD3. The
> >front side still has all the different IPs per virtual host, but the
> >actual servers now only have 1 IP, one config file with name-based
> >virtual hosts. You can use two AD3s for failover, as well as up to
> >32 of the iSD100 in a cluster (there are different models, I just
> >know the iSD100). Each iSD100 is supposedly capable of 7,000 sessions;
> >it has two hardware SSL cards in a 1U case.
>
> from what you describe, you avoid the problem on the web server by moving it to
> another physical server/device... but the problem itself (requires 1 unique
> IP/port combination per SSL host) still exists.
>
> Bottom line, if you only have 1 IP address you can only use 1 SSL cert UNLESS
> you start assigning other port combinations per SSL cert... messy at best.
>
> Dave

Correct, with the current implementation of SSL/HTTPS it isn't possible otherwise.
I only talked about how to avoid at least the management overhead for multiple
machines when you do load balancing. The iSDs work as a cluster, so when
configuring an HTTPS server, I only do it on the main management IP.

--
Regards, Ulf.

---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html
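A small model of the limitation discussed in this thread, added here as an example and not part of the original mail: an HTTPS server of that era (before SNI) has to pick its certificate from the (IP, port) pair alone, before any Host header arrives, so a second name-based vhost on the same listener only verifies if that one certificate also lists its name, and the only other way out is a separate port per certificate, as Dave notes. The IPs, ports, hostnames and certificate name lists are constructed; hostname matching follows the RFC 6125 rules (exact match, or a wildcard in the leftmost label only, never an IP literal).

```python
"""Why one listener == one certificate without SNI (constructed model)."""
import ipaddress

# Constructed certificates: cert id -> DNS names it carries (CN and SANs).
CERTS = {
    "ca-signed": ["www.example.com"],
    "self-signed": ["intranet.example.com"],
    "multi-name": ["www.example.com", "*.apps.example.com"],
}

# Constructed listeners: exactly one certificate per (ip, port), the only
# information a non-SNI server has when it must send its certificate.
LISTENERS = {
    ("192.0.2.10", 443): "ca-signed",
    ("192.0.2.10", 8443): "self-signed",   # the "other port" workaround
}


def hostname_matches(cert_names, hostname):
    """RFC 6125-style check: case-insensitive exact match, or a '*.'
    wildcard covering exactly one leftmost label. IP literals never match
    a DNS name (they would need an IP-address SAN, omitted in this model)."""
    hostname = hostname.rstrip(".").lower()
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    for name in cert_names:
        name = name.lower()
        if name == hostname:
            return True
        if name.startswith("*."):
            suffix = name[1:]                       # ".apps.example.com"
            head = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
            if head and "." not in head:            # one label only
                return True
    return False


def handshake(ip, port, requested_host):
    """Simulate the client side: connect to ip:port, receive whatever cert
    the listener is bound to, verify it against the name the user typed.
    Returns (cert_id, verified); the cert choice never sees requested_host."""
    cert = LISTENERS.get((ip, port))
    if cert is None:
        return None, False
    return cert, hostname_matches(CERTS[cert], requested_host)


if __name__ == "__main__":
    for host, port in [("www.example.com", 443), ("intranet.example.com", 443),
                       ("intranet.example.com", 8443)]:
        print(host, port, handshake("192.0.2.10", port, host))
```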