From owner-freebsd-isp Thu Mar 6 4:54:30 2003
From: "Jan Mikkelsen"
To: "'Chris Bowlby'",
Subject: RE: multiple SSL key's on one IP several Vhosts...
Date: Thu, 6 Mar 2003 23:51:51 +1100
Organization: Transactionware
Message-ID: <001801c2e3df$28a02030$fc5807ca@mosm1>
In-Reply-To: <5.2.0.9.0.20030305230242.00a18200@mail.hub.org>
Sender: owner-freebsd-isp@FreeBSD.ORG

As someone else wrote, the problem is that the SSL handshake happens before the HTTP Host header is sent by the client saying what it is after.
Because the server DNS name is embedded in the certificate used in the SSL handshake, you are forced into a one-to-one mapping of virtual hosts and IP addresses.

There is a solution: include the host name in the initial SSL (now TLS) handshake so the server can choose the right certificate to use during the TLS negotiation. There is a standards track RFC covering this (along with a generalised extension mechanism and other stuff) in the RFC editor's queue. This means that the limitation will be less of an issue once some portion of the browser population implements the RFC, which is probably not the timeframe you are after.

Regards,

Jan Mikkelsen

> -----Original Message-----
> From: owner-freebsd-isp@FreeBSD.ORG [mailto:owner-freebsd-isp@FreeBSD.ORG] On Behalf Of Chris Bowlby
> Sent: Thursday, 6 March 2003 2:05 PM
> To: freebsd-isp@freebsd.org
> Subject: multiple SSL key's on one IP several Vhosts...
>
> Hi All,
>
> Googling for a result of an issue where I've got more than one SSL key I want to enable on a site (one that is certified and one that is self signed) I ran across an issue where multiple keys appear to not work on the same IP. Is this still the case? Even after two years? Whose bright idea was it to tie the SSL key to the IP address and domain, and not just the domain?
>
> If anyone has a work around for this, it would be very useful to know (other than more than one IP assigned to the VH, not an option as a limitation of jails...)
>
> Thanks in advance..
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message