So OpenSSL will look at the domain names in the cert and if one of them 
matches, the SSL connection is accepted? I am behind the times. Thanks for 
pointing this out.

/s.

> On Aug 16, 2015, at 12:59 PM, Jeff Rogers <dv...@diphi.com> wrote:
> 
> The feature of having multiple certificates served on the same ip/port is 
> Server Name Indication (SNI) and the nsopenssl driver does not support it.  
> As you said, getting that to work would require some rewiring.
> 
> However, I think the certificate described by Thorpe was a single certificate 
> that is valid for multiple domains - Service Alternate Name (SAN), somewhat 
> similar to a wildcard cert.  Since it's just one certificate, it doesn't need 
> multiple different ips/ports.  The downside of a SAN cert is that if any of 
> the hosts changes, the whole cert needs to be reissued, versus with SNI each 
> host has its own cert.
> 
> So since it's just one certificate, I think that also means it doesn't need 
> multiple contexts to be set up.  Just set up the single context with the SAN 
> certificate, and set up the virtual servers as you would for a non-ssl setup.
> 
> -J
> 
> Scott Goodwin wrote:
>> I’m fairly certain that you can’t have multiple listeners on the same IP
>> address and port number on a NIC simultaneously, even if they’re all
>> binding from the same process. All three of the virtual servers below
>> are configured to use the same IP address and port number, and the first
>> nsopenssl instance to bind to it, ‘owns’ it. The rest get EPERM from the
>> operating system. I think the way multiple SSL certificates are bound to
>> a single IP address and port: the server listens on the IP and port, and
>> looks at the Host header of the incoming connection to determine which
>> SSL certificate to use for that particular connection. I don’t think
>> AOLserver has the ability to do this today. The other way to do it is to
>> create three distinct IP addresses on your NIC and use one for each SSL
>> instance. There may be other ways to make this work, but any of them
>> will probably require rewiring AOLserver and nsopenssl.
>> 

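The check the original poster is asking about, as an added example that is not part of this thread: the server presents one certificate valid for several names (the SAN cert Jeff describes), and the verifying client accepts it only if the host name it connected to appears in that certificate. The certificate below is a constructed dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns; no network connection is made.

```python
import ipaddress

# Constructed sample certificate: one cert covering several domains plus an IP,
# laid out the way ssl.SSLSocket.getpeercert() returns parsed certificates.
SAN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.shop.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_name_match(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, and a wildcard is only
    accepted as the entire leftmost label (it never spans several labels)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject bare "*.tld" patterns and partial-label wildcards such as "f*.example.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """Return True if the presented certificate covers `hostname`.
    When subjectAltName is present it is authoritative (the commonName is
    ignored); commonName is consulted only for legacy certs without a SAN."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if kind == "DNS" and ip is None and _dns_name_match(value, hostname):
                return True
            if kind == "IP Address" and ip is not None and ipaddress.ip_address(value) == ip:
                return True
        return False
    for rdn in cert.get("subject", ()):  # legacy fallback: subject commonName
        for key, value in rdn:
            if key == "commonName" and _dns_name_match(value, hostname):
                return True
    return False
```

With a SAN certificate the name selection happens on the client side at verification time, which is why a single OpenSSL context serving that one certificate is enough; SNI is what a server needs only when it must choose between different certificates for the same IP and port.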
------------------------------------------------------------------------------
_______________________________________________
aolserver-talk mailing list
aolserver-talk@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/aolserver-talk
