From owner-freebsd-isp Fri Mar 7 18:37:47 2003
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id DF0D037B401
    for ; Fri, 7 Mar 2003 18:37:45 -0800 (PST)
Received: from hub.org (hub.org [64.49.215.141])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 630A743F75
    for ; Fri, 7 Mar 2003 18:37:45 -0800 (PST)
    (envelope-from excalibur@hub.org)
Received: from excalibur.hub.org (u231n71.eastlink.ca [24.222.231.71])
    by hub.org (Postfix) with ESMTP id 79D1D94BA36;
    Fri, 7 Mar 2003 22:37:39 -0400 (AST)
Message-Id: <5.2.0.9.0.20030307223533.00a05270@mail.hub.org>
X-Sender: excalibur@hub.org@mail.hub.org
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Fri, 07 Mar 2003 22:37:59 -0400
To: "Jan Mikkelsen" ,
From: Chris Bowlby
Subject: RE: multiple SSL key's on one IP several Vhosts...
In-Reply-To: <001801c2e3df$28a02030$fc5807ca@mosm1>
References: <5.2.0.9.0.20030305230242.00a18200@mail.hub.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:51 PM 3/6/03 +1100, Jan Mikkelsen wrote:
>As someone else wrote, the problem is that the SSL handshake happens
>before the HTTP host header is sent by the client saying what it is
>after. Because the server DNS name is embedded in the certificate used
>in the SSL handshake you are forced into a one to one mapping of virtual
>hosts and IP addresses.
>
>There is a solution: Include the host name in the initial SSL (now TLS)
>handshake so the server can choose the right certificate to use during
>the TLS negotiation. There is a standards track RFC covering this
>(along with a generalised extension mechanism and other stuff) in the
>RFC editor's queue. This means that the limitation will be less of an
>issue once some portion of the browser population implements the RFC,
>which is probably not the timeframe you are after.

Hi Jan,

Thanks for the update, we are kind of in a hurry for it, but will have to wait until it's looped through the system I guess...thanks.
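
The mechanism described in the quoted text above became the TLS server_name extension (SNI). The following is an added example, not part of the original thread: it reads the requested host name out of a ClientHello and picks a certificate before any HTTP Host header exists, falling back to a default for clients that send no name. The ClientHello bytes are constructed sample input, and the host names and certificate paths are hypothetical.

```python
import struct

def build_client_hello(hostname=None):
    """Constructed, minimal ClientHello handshake message (sample input only)."""
    body = (b"\x03\x01" + bytes(32)      # client_version, 32-byte random
            + b"\x00"                    # empty session_id
            + b"\x00\x02\x00\x2f"        # one cipher suite
            + b"\x01\x00")               # null compression only
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        exts = struct.pack("!HH", 0, len(sni)) + sni            # extension type 0 = server_name
        body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1

def extract_sni(hello):
    """Return the host name a ClientHello asks for, or None if it sends none."""
    if len(hello) < 4 or hello[0] != 1:
        raise ValueError("not a ClientHello")
    try:
        pos = 4 + 2 + 32                                        # header, version, random
        pos += 1 + hello[pos]                                   # session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]      # cipher_suites
        pos += 1 + hello[pos]                                   # compression_methods
        if pos == len(hello):
            return None                                         # no extensions: pre-SNI client
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hello, pos)
            pos += 4
            if etype == 0 and hello[pos + 2] == 0:              # server_name, host_name entry
                nlen = struct.unpack_from("!H", hello, pos + 3)[0]
                name = hello[pos + 5:pos + 5 + nlen]
                if len(name) != nlen:
                    raise ValueError("truncated server_name")
                return name.decode("ascii").lower()
            pos += elen                                         # skip other extensions
    except (IndexError, struct.error, UnicodeDecodeError):
        raise ValueError("malformed ClientHello")
    return None

def select_certificate(hello, vhosts, default):
    """Choose a certificate during the handshake, before any HTTP request is seen."""
    return vhosts.get(extract_sni(hello), default)

VHOSTS = {"www.example.com": "certs/www.example.com.pem",      # hypothetical names and paths
          "shop.example.net": "certs/shop.example.net.pem"}
DEFAULT = "certs/default.pem"
```

Clients that omit the extension all receive the default certificate, which is why one IP address per certificate stays necessary until the browser population sends the name.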