Oh boy, oh boy. This is not good. I'm thankful that we've had this discussion with you, Charles, as you've helped me find a major implementation error on our end!

First, the Apache documents are wrong -- sort of. Multiple name-based virtual SSL servers with one IP is possible with Apache. However, you're limited by the browser and OS. It works if your guests are using Firefox, IE7+ on Vista, 7, 2008 but NOT ON XP, and other browsers.

Here's a test site for SNI - https://bob.sni.velox.ch/. Try it with IE using Windows 7 and it's fine. Use XP and you'll get a certificate warning. It shows the httpd.conf file, which is remarkably similar to the sample I provided. Unfortunately, my tests with our production site yield the same (bad) results.

>>And that's simply not true. I don't know where you're getting your information, but it's wrong.

I take that back with apologies. It's NOT wrong. It's not 100% right either, but in a real-world implementation, I can't see doing it the way we have unless you want to exclude IE users on XP, which is nuts.

We've got to change that ASAP. I'm going to suggest having all 3 of our servers moved to one virtual host or at least use the same domain name with a wildcard certificate. I believe that second option will work. I've just got to wonder how many web visitors were affected by this!

If we use the wildcard option with 3 hosts, they'll all use the same certificate and as long as it's within the same domain name, we should be OK. For IE on XP, the first virtual host will be the one providing the certificate, but after that the correct virtual host will be used for the https session itself. This is just my theory. We'll see.

To reiterate - OUR CURRENT SETUP DOES NOT WORK for all browsers.

On Mon, May 31, 2010 at 9:05 PM, K Post <[email protected]> wrote:
> I just asked the sysadmin who manages the Apache box again about this and
> mentioned your point about how clear the Apache article is that this can't
> be done.
>
> He's out today for the holiday, but he quickly emailed these links back to
> me:
>
> http://en.gentoo-wiki.com/wiki/Apache2/SSL_and_Name_Based_Virtual_Hosts#What_is_SNI.3F
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>
> I thought our setup worked universally, but the 2nd article indicates that
> it's a browser-specific function (including the inability for this to work
> on IE on XP - totally useless if that's the case). When I'm back in
> mid-June, I'll need to get on that server and check which virtual host is
> first, as that's what will be served to IE people on XP. That's BAD BAD BAD.
>
> I don't think our certificates have SANs in them (there's no way we could
> afford that as a charity).
>
> I'll get more info and post it here as soon as I find out.

_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
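
The behaviour discussed in this thread, as an added example that is not part of the original emails: a small model that takes the ordered list of name-based SSL virtual hosts on one IP and reports which hostnames produce a certificate name-mismatch warning for clients with and without SNI. The hostnames, certificate names and function names are constructed for illustration, and the model assumes that a client without SNI always receives the first virtual host's certificate.

```python
# Added example: models which certificate each client sees when several
# name-based SSL virtual hosts share one IP:443. All names are constructed.

def cert_matches(hostname, cert_names):
    """Browser-style check: exact name, or a wildcard covering one left-most label."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == name[2:]:
                return True
    return False

def served_cert(vhosts, requested, sni):
    """vhosts is an ordered list of (server_name, cert_names).
    With SNI the server can pick the vhost during the TLS handshake;
    without it, the first vhost's certificate is what gets presented."""
    if sni:
        for server_name, cert_names in vhosts:
            if server_name.lower() == requested.lower():
                return cert_names
    return vhosts[0][1]

def cert_warnings(vhosts, sni):
    """Hostnames whose visitors get a certificate name-mismatch warning."""
    return [name for name, _ in vhosts
            if not cert_matches(name, served_cert(vhosts, name, sni))]

# Constructed layout 1: three vhosts, each with its own single-name certificate.
SEPARATE = [
    ("www.example.org", ["www.example.org"]),
    ("donate.example.org", ["donate.example.org"]),
    ("mail.example.org", ["mail.example.org"]),
]
# Constructed layout 2: the same vhosts sharing one wildcard certificate.
WILDCARD = [(name, ["*.example.org"]) for name, _ in SEPARATE]

if __name__ == "__main__":
    for label, layout in (("separate certs", SEPARATE), ("wildcard cert", WILDCARD)):
        print(label, "| SNI client warnings:", cert_warnings(layout, True),
              "| non-SNI client warnings:", cert_warnings(layout, False))
```

A wildcard name covers exactly one label, so the shared-certificate layout only clears the warnings when every virtual host sits directly under the same domain.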
