Date:      Thu, 6 Mar 2003 23:51:51 +1100
From:      "Jan Mikkelsen" <janm@transactionware.com>
To:        "'Chris Bowlby'" <excalibur@hub.org>, <freebsd-isp@freebsd.org>
Subject:   RE: multiple SSL key's on one IP several Vhosts...
Message-ID:  <001801c2e3df$28a02030$fc5807ca@mosm1>
In-Reply-To: <5.2.0.9.0.20030305230242.00a18200@mail.hub.org>

As someone else wrote, the problem is that the SSL handshake happens
before the HTTP host header is sent by the client saying what it is
after.  Because the server DNS name is embedded in the certificate used
in the SSL handshake you are forced into a one to one mapping of virtual
hosts and IP addresses.

There is a solution:  Include the host name in the initial SSL (now TLS)
handshake so the server can choose the right certificate to use during
the TLS negotiation.  There is a standards track RFC covering this
(along with a generalised extension mechanism and other stuff) in the
RFC editor's queue.  This means that the limitation will be less of an
issue once some portion of the browser population implements the RFC,
which is probably not the timeframe you are after.

Regards,

Jan Mikkelsen


> -----Original Message-----
> From: owner-freebsd-isp@FreeBSD.ORG 
> [mailto:owner-freebsd-isp@FreeBSD.ORG] On Behalf Of Chris Bowlby
> Sent: Thursday, 6 March 2003 2:05 PM
> To: freebsd-isp@freebsd.org
> Subject: multiple SSL key's on one IP several Vhosts...
> 
> 
> Hi All,
> 
>   Googling for a result of an issue where I've got more than one SSL key I
> want to enable on a site (one that is certified and one that is
> self-signed) I ran across an issue where multiple keys appear to not work
> on the same IP, is this still the case? Even after two years? Whose bright
> idea was it to tie the SSL key to the IP address and domain, and not just
> the domain?
> 
>   If anyone has a workaround for this, it would be very useful to know
> (other than more than one IP assigned to the VH, not an option as a
> limitation of jails...)
> 
> thanks in advance..
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
> 


