From: "Chad Leigh -- Shire.Net LLC"
Date: Fri, 30 Apr 2004 14:30:34 -0600
To: FreeBSD Questions
Subject: Re: two domain names - one IP - both SSL
Message-Id: <3B91A035-9AE5-11D8-97F0-003065A70D30@shire.net>

On Apr 30, 2004, at 2:09 PM, Remko Lodder wrote:

> Heya,
>
>> Your HTTP client is broken and isn't checking SSL certificates
>> correctly? Or you didn't meet the "one IP" requirement of the original
>> poster. Or you served up the same SSL certificate for every vhost.
>
> Well, it's not a real cert. Indeed, I cannot afford that, and true,
> it's the same certificate for every vhost I used.
>
>> HTTPS establishes an SSL connection with the server prior to _any_ HTTP
>> conversation. Since SSL requires a certificate which is linked to the
>> server host name, and the virtual host name hasn't been transmitted by
>> the client yet, there's no way short of ESP for the server to tell which
>> SSL certificate to use. There's a detailed explanation on the apache
>> website; but this isn't an apache failing so much as a general issue
>> with HTTP/SSL.
>
> Well, I keep wondering then how I got my secure webmail online, secure
> ids viewing etc. (different hostnames on the same ip address, (I only
> have one ip addr)).
>

Your client is not checking or is set to ignore certificate problems, or
you could have a wildcard certificate that will match any hosts in the
domain name... (But wildcard certs are generally expensive so I doubt
that). A wildcard cert for *.yourdomain.com would match
webmail.yourdomain.com and www.yourdomain.com equally...

Chad
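
Added example (not part of the original message): a sketch of the name check a verifying client applies, run against one certificate served for every vhost on a single IP. The matching rules (wildcard honoured only as the whole leftmost label, covering exactly one label) follow common client behaviour and are an assumption here, as are the function names and every sample hostname other than the two named in the message.

```python
# Added example: function names and sample data are constructed for illustration.

def name_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate name (optionally wildcarded) covers host.

    Assumed rules: comparison is case-insensitive, '*' is honoured only as
    the entire leftmost label, and it stands for exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    # Label counts must agree, and an empty host label never matches.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # A '*' anywhere else is not honoured: exact match only.
    return "*" not in pattern and p_labels == h_labels


def mismatched_vhosts(cert_names, vhosts):
    """Vhosts for which a checking client reports a name mismatch when the
    server presents this one certificate for every vhost on the IP."""
    return [v for v in vhosts
            if not any(name_matches(n, v) for n in cert_names)]


# Constructed set of virtual hosts sharing one IP address.
VHOSTS = [
    "www.yourdomain.com",
    "webmail.yourdomain.com",
    "yourdomain.com",
    "ids.internal.yourdomain.com",
    "www.otherdomain.org",
]

if __name__ == "__main__":
    # Same certificate for every vhost: single-name cert, then wildcard cert.
    for names in (["www.yourdomain.com"], ["*.yourdomain.com"]):
        print(names, "-> mismatches:", mismatched_vhosts(names, VHOSTS))
```

With the wildcard certificate only the bare domain, the two-level subdomain and the second domain still fail the check; with the single-name certificate every vhost but one fails.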