From: Enno Davids
To: Chris Bowlby
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: multiple SSL key's on one IP several Vhosts...
Date: Thu, 6 Mar 2003 17:32:08 +1100
Message-ID: <20030306063208.GR589@doc.metva.com.au>
In-Reply-To: <5.2.0.9.0.20030305230242.00a18200@mail.hub.org>

On Wed, Mar 05, 2003 at 11:05:12PM -0400, Chris Bowlby wrote:
| Hi All,
|
| Googling for a result of an issue where I've got more than one SSL key I
| want to enable on a site (one that is certified and one that is self
| signed) I ran across an issue where multiple keys appear to not work on
| the same IP. Is this still the case, even after two years? Whose bright
| idea was it to tie the SSL key to the IP address and domain, and not just
| the domain?

Actually it's a chicken-and-egg problem. Namely, as the cert is in the
middle of the public key crypto exchange of session keys (vastly
oversimplified), you have to be able to decide which cert to use to
decrypt the incoming SSL without being able to read the Host header in
the request, because it's part of the encrypted payload.

As the Host header determines which VH is to answer, and hence which cert
it has to use, this makes things 'hard'. So... one cert per VH, and the VH
has to be on a unique IP address/port pair. Life's like that.

Enno.
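Added example, not code from the thread: a small Python parser over a constructed TLS ClientHello showing what a server actually has in hand at the moment it must pick a certificate, namely the destination IP:port and the handshake bytes, with the Host header nowhere in sight. It goes one step beyond the 2003 situation Enno describes by also recognising the server_name (SNI) extension that later TLS versions added, which is what eventually let several certificates share one IP:port. The cipher suite, addresses and hostnames are constructed sample values.

```python
import struct

def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0 ClientHello record (constructed sample data)."""
    body = b"\x03\x01" + bytes(32)                 # client_version, 32-byte random (zeros here)
    body += b"\x00"                                # empty session_id
    body += struct.pack(">H", 2) + b"\x00\x2f"     # one cipher suite (sample: TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                            # compression_methods: null only
    if server_name is not None:                    # optional server_name extension (type 0)
        name = server_name.encode()
        sni_list = b"\x00" + struct.pack(">H", len(name)) + name      # name_type host_name(0)
        ext = struct.pack(">HH", 0, len(sni_list) + 2) + struct.pack(">H", len(sni_list)) + sni_list
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs   # record type handshake(22)

def server_name_from_client_hello(record):
    """Return the hostname the ClientHello names, or None when it carries none."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                 # skip handshake header, version, random
    p += 1 + hs[p]                                 # session_id
    p += 2 + struct.unpack(">H", hs[p:p + 2])[0]   # cipher_suites
    p += 1 + hs[p]                                 # compression_methods
    if p >= len(hs):
        return None                                # pre-SNI hello: no extensions block at all
    ext_end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", hs[p:p + 4])
        data, p = hs[p + 4:p + 4 + elen], p + 4 + elen
        if etype == 0:                             # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack(">H", data[3:5])[0]
            return data[5:5 + name_len].decode()
    return None

def pick_certificate(dst_ip, dst_port, record, certs_by_socket, certs_by_name):
    """Choose a cert the only way a server can: by the name in the hello if any, else by IP:port."""
    name = server_name_from_client_hello(record)
    if name is not None and name in certs_by_name:
        return certs_by_name[name]
    return certs_by_socket.get((dst_ip, dst_port))
```

With the name-less hello the only selector left is the (IP, port) pair, which is exactly the one-cert-per-address constraint the reply describes.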