From owner-freebsd-isp@FreeBSD.ORG Fri Apr 11 12:32:30 2003
Delivered-To: freebsd-isp@freebsd.org
Date: Fri, 11 Apr 2003 14:07:33 -0400
From: George Georgalis
To: Jan Mikkelsen
cc: freebsd-isp@FreeBSD.ORG
Subject: Re: multiple SSL key's on one IP several Vhosts...
In-reply-to: <001801c2e3df$28a02030$fc5807ca@mosm1>
References: <5.2.0.9.0.20030305230242.00a18200@mail.hub.org> <001801c2e3df$28a02030$fc5807ca@mosm1>
Message-id: <20030411180733.GA20256@trot.local>
Resent-message-id: <20030411181300.20505.qmail@trot.local>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
Content-disposition: inline
User-Agent: Mutt/1.3.28i
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Fri, 11 Apr 2003 19:32:30 -0000

Hi - I'm facing a similar situation, and planned to resolve it running multiple apache-ssl invocations that specify their own IP/domain/etc.

Then this was presented to me, suggesting that one apache-ssl invocation could use IP-based vhosting with multiple certs for the same effect but fewer resources. It's from May 1999, but looks possible since different certs are being used for different IP/domains; however, I have the feeling apache will choke on the second SSL IP.

Has anyone used a similar setup or have comments?

http://www.apache-ssl.org/httpd.conf.example

from the following thread:

http://www.lists.aldigital.co.uk/apache-ssl/msg02648.html

// George

On Thu, Mar 06, 2003 at 11:51:51PM +1100, Jan Mikkelsen wrote:
> As someone else wrote, the problem is that the SSL handshake happens
> before the HTTP Host header is sent by the client saying what it is
> after. Because the server DNS name is embedded in the certificate used
> in the SSL handshake, you are forced into a one-to-one mapping of virtual
> hosts and IP addresses.
>
> There is a solution: include the host name in the initial SSL (now TLS)
> handshake so the server can choose the right certificate to use during
> the TLS negotiation. There is a standards-track RFC covering this
> (along with a generalised extension mechanism and other stuff) in the
> RFC editor's queue. This means that the limitation will be less of an
> issue once some portion of the browser population implements the RFC,
> which is probably not the timeframe you are after.
>
> Regards,
>
> Jan Mikkelsen
>
>
>> -----Original Message-----
>> From: owner-freebsd-isp@FreeBSD.ORG
>> [mailto:owner-freebsd-isp@FreeBSD.ORG] On Behalf Of Chris Bowlby
>> Sent: Thursday, 6 March 2003 2:05 PM
>> To: freebsd-isp@freebsd.org
>> Subject: multiple SSL key's on one IP several Vhosts...
>>
>>
>> Hi All,
>>
>> Googling for a result of an issue where I've got more than one SSL
>> key I want to enable on a site (one that is certified and one that
>> is self-signed), I ran across an issue where multiple keys appear
>> not to work on the same IP. Is this still the case, even after two
>> years? Whose bright idea was it to tie the SSL key to the IP address
>> and domain, and not just the domain?
>>
>> If anyone has a workaround for this, it would be very useful
>> to know (other than more than one IP assigned to the VH, not an
>> option as a limitation of jails...)
>>
>> thanks in advance..
>>

--
GEORGE GEORGALIS, System Admin/Architect   cell: 347-451-8229
Security Services, Web, Mail,              mailto:george@galis.org
Multimedia, DB, DNS and Metrics.           http://www.galis.org/george
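The mechanism Jan describes (the client naming the host it wants inside the very first TLS message, so a server holding several certificates on one IP can pick the right one before any HTTP Host header exists) is what later shipped as the TLS server_name extension. The following is an added example, not code from this thread or from apache-ssl: it builds a constructed ClientHello record with or without that extension, parses the host name back out, and shows the server-side choice a one-IP virtual host would make, including the fallback to a default certificate for a client that sends no name at all (the pre-SNI browser case the thread worries about). The certificate labels, host names and the `select_certificate` helper are hypothetical.

```python
"""Extract the server_name (SNI) from a TLS ClientHello and choose a cert.

Added example, not part of the mailing-list thread. The ClientHello bytes
are constructed here, not captured from a real client; certificate labels
and host names are hypothetical.
"""
import struct

SNI_EXTENSION_TYPE = 0x0000   # extension type for server_name
HOST_NAME_TYPE = 0x00         # the only NameType defined: host_name


def build_client_hello(server_name=None):
    """Return a minimal TLS ClientHello record (constructed sample).

    server_name=None models a pre-SNI browser that sends no host name.
    """
    body = b"\x03\x01"                          # client_version
    body += b"\x00" * 32                        # random (fixed for the sample)
    body += b"\x00"                             # session_id length 0
    suites = b"\x00\x2f\x00\x35"                # two RSA/AES cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension, or None if absent.

    Raises ValueError for anything that is not a well-formed ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                 # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len      # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len        # compression_methods
    if pos == len(body):
        return None                              # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + ext_len]; pos += ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[p:p + 3]); p += 3
            name = data[p:p + name_len]; p += name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


def select_certificate(record, cert_by_name, default_cert):
    """Decide which certificate a single-IP server presents for this hello.

    cert_by_name maps host names to certificate labels (hypothetical table).
    default_cert is what a client that sends no SNI gets: the IP-based
    fallback, which is all that was possible before SNI existed.
    """
    name = extract_sni(record)
    if name is None:
        return default_cert
    return cert_by_name.get(name.lower(), default_cert)


if __name__ == "__main__":
    certs = {"www.example.com": "cert-A", "shop.example.com": "cert-B"}
    for host in ("www.example.com", "shop.example.com", None):
        hello = build_client_hello(host)
        print(host, "->", select_certificate(hello, certs, "cert-A"))
```

The parser only walks the ClientHello far enough to find the extension block, so it is usable as a diagnostic for "does this client send a name at all?": a `None` result is exactly the client population Jan says must first shrink before a single IP can safely serve more than one certificate.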