Date: Thu, 6 Mar 2003 17:32:08 +1100
From: Enno Davids <enno@doc.metva.com.au>
To: Chris Bowlby <excalibur@hub.org>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: multiple SSL key's on one IP several Vhosts...
Message-ID: <20030306063208.GR589@doc.metva.com.au>
In-Reply-To: <5.2.0.9.0.20030305230242.00a18200@mail.hub.org>
References: <5.2.0.9.0.20030305230242.00a18200@mail.hub.org>
On Wed, Mar 05, 2003 at 11:05:12PM -0400, Chris Bowlby wrote:
|Hi All,
|
| Googling for a result of an issue where I've got more than one SSL key I
|want to enable on a site (one that is certified and one that is self
|signed) I ran across an issue where multiple keys appear to not work on
|the same IP, is this still the case? even after two years? Whose bright
|idea was it to tie the SSL key to the IP address and domain, and not just
|the domain?

Actually it's a chicken and egg problem. Namely as the cert is in the
middle of the public key crypto exchange of session keys (vastly
oversimplified) you have to be able to decide which cert to use to
decrypt the incoming SSL without being able to read the host header in
the request because it's part of the encrypted payload. As the host
header determines which VH is to answer and hence which cert it has to
use this makes things 'hard'.

So... one cert per VH and the VH has to be on a unique IP address/port
pair.

Life's like that.

Enno.
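An added example, not part of the original message: a check for the rule stated in the reply above (one cert per VH, each on a unique IP address/port pair). It assumes the vhosts are written in Apache mod_ssl syntax (VirtualHost, ServerName, SSLCertificateFile); the addresses, host names and file paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample configuration (Apache mod_ssl syntax is an assumption;
# addresses, names and paths are made up for this example).
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/shop.example.com.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/selfsigned.crt
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/mail.example.com.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return (address, server_name, cert_path) for every vhost that sets a certificate."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        if cert:
            vhosts.append((addr, name.group(1) if name else "(unnamed)", cert.group(1)))
    return vhosts

def find_cert_conflicts(conf):
    """Map each address/port pair carrying more than one distinct certificate to its vhosts.

    The certificate is chosen before the Host header can be read, so the
    address/port pair is all the server has to go on when picking one.
    """
    by_addr = defaultdict(list)
    for addr, name, cert in parse_vhosts(conf):
        by_addr[addr].append((name, cert))
    return {a: v for a, v in by_addr.items() if len({c for _, c in v}) > 1}

if __name__ == "__main__":
    for addr, entries in find_cert_conflicts(SAMPLE_CONF).items():
        print(f"{addr}: more than one certificate configured")
        for name, cert in entries:
            print(f"  {name} -> {cert}")
```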