Date:      Fri, 11 Apr 2003 14:07:33 -0400
From:      George Georgalis <georgw@galis.org>
To:        Jan Mikkelsen <janm@transactionware.com>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: multiple SSL key's on one IP several Vhosts...
Message-ID:  <20030411180733.GA20256@trot.local>
Resent-Message-ID: <20030411181300.20505.qmail@trot.local>
In-Reply-To: <001801c2e3df$28a02030$fc5807ca@mosm1>
References:  <5.2.0.9.0.20030305230242.00a18200@mail.hub.org> <001801c2e3df$28a02030$fc5807ca@mosm1>

Hi - 

I'm facing a similar situation, and planned to resolve it running
multiple apache-ssl invocations that specify their own IP/domain/etc

Then this was presented to me, suggesting that one apache-ssl invocation
could use IP based vhosting with multiple certs for the same effect but
less resources.

It's from May 1999, but looks possible since different certs are being
used for different IP/domains; however I have the feeling apache will
choke on the second ssl IP. Has anyone used a similar setup or have
comments?

http://www.apache-ssl.org/httpd.conf.example
from the following thread:
http://www.lists.aldigital.co.uk/apache-ssl/msg02648.html

// George

On Thu, Mar 06, 2003 at 11:51:51PM +1100, Jan Mikkelsen wrote:
>As someone else wrote, the problem is that the SSL handshake happens
>before the HTTP host header is sent by the client saying what it is
>after.  Because the server DNS name is embedded in the certificate used
>in the SSL handshake you are forced into a one to one mapping of virtual
>hosts and IP addresses.
>
>There is a solution:  Include the host name in the initial SSL (now TLS)
>handshake so the server can choose the right certificate to use during
>the TLS negotiation.  There is a standards track RFC covering this
>(along with a generalised extension mechanism and other stuff) in the
>RFC editor's queue.  This means that the limitation will be less of an
>issue once some portion of the browser population implements the RFC,
>which is probably not the timeframe you are after.
>
>Regards,
>
>Jan Mikkelsen
>
>
>> -----Original Message-----
>> From: owner-freebsd-isp@FreeBSD.ORG 
>> [mailto:owner-freebsd-isp@FreeBSD.ORG] On Behalf Of Chris Bowlby
>> Sent: Thursday, 6 March 2003 2:05 PM
>> To: freebsd-isp@freebsd.org
>> Subject: multiple SSL key's on one IP several Vhosts...
>> 
>> 
>> Hi All,
>> 
>>   Googling for a result of an issue where I've got more than one SSL
>> key I want to enable on a site (one that is certified and one that
>> is self signed) I ran across an issue where multiple keys appear
>> to not work on the same IP, is this still the case? even after two
>> years?  Whose bright idea was it to tie the SSL key to the IP address
>> and domain, and not just the domain?
>>
>>   If anyone has a work around for this, it would be very useful
>> to know (other than more than one IP assigned to the VH, not an
>> option as a limitation of jails...)
>>
>> thanks in advance..
>> 

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george@galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 


