On Sun, 2 Jan 2005, Peter Stuge wrote:
>On Fri, Dec 31, 2004 at 11:38:49AM -0500, Kyle Wheeler wrote:
>> How does multiple A records solve the problem? Can an SSL
>> certificate list multiple domains it is valid for, maybe?
>No, the domain name is in the commonName field and there's no system
>for putting multiple domain names there.
>Some clients support wildcards, but most do not.
>You're completely right that one IP is required per SSL (virtual)
>host name.
The host name is listed in the certificate's CN field. The hostname can resolve in DNS to several A records. On each IP, on different hosts perhaps, you can have the same server software running, all servers using the same SSL certificate and private key. So you have load balancing, and you use the same SSL cert on several IP addresses.

The most radical thing the client can do is to attempt a reverse lookup of the IP, tracking back the domain name and comparing that to what it found in the certificate. But all IP addresses can reverse map back to the same domain name. Clients will never notice the difference.

Example: imaps.example.com resolves to three A records: 10.0.0.1, 10.0.0.2 and 10.0.0.3. You've got three machines, one behind each IP, to balance the load. You have one SSL private key/certificate pair for imaps.example.com. The key and cert are identical on all machines.

Along comes a client that looks up imaps.example.com and connects to the first returned IP; let's say 10.0.0.3. The 10.0.0.3 machine responds with its SSL certificate. The client opens the cert, verifies it against its CA bundle and then inspects the CN field. The CN field contains imaps.example.com, which is good, because that's the host name the client connected to. But just to be sure, the client does a reverse map on 10.0.0.3. It gets imaps.example.com, and that ends the handshake.

Andy :-)

-- 
Andreas Aardal Hanssen   | http://www.andreas.hanssen.name/gpg
Author of Binc IMAP      | "It is better not to do something
http://www.bincimap.org/ | than to do it poorly."
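The load-balanced handshake described in the message above, simulated as an added example (this is not code from the thread or from Binc IMAP): the forward and reverse DNS tables and the per-machine certificates are constructed, and the wildcard branch is an assumption about how a wildcard-aware client would match a `*.` CN.

```python
"""Client-side name check from the thread: resolve the host name, connect to
one of its A records, compare the served certificate's CN with the name the
client asked for, and optionally reverse-map the IP as an extra step.
Added example; all DNS data and certificates below are constructed."""

# Constructed forward DNS: one host name, three A records for load balancing.
FORWARD_DNS = {"imaps.example.com": ["10.0.0.1", "10.0.0.2", "10.0.0.3"]}
# Constructed reverse DNS: every address maps back to the same host name.
REVERSE_DNS = {ip: "imaps.example.com" for ip in FORWARD_DNS["imaps.example.com"]}
# Constructed certificates: the same key/cert pair is installed on every machine.
SERVER_CERTS = {ip: {"CN": "imaps.example.com"} for ip in FORWARD_DNS["imaps.example.com"]}


def cn_matches(cn, hostname, allow_wildcard=False):
    """Compare a certificate CN with the host name the client connected to.
    Exact comparison is case-insensitive. A wildcard CN ("*.example.com") is
    accepted only when allow_wildcard is set and only covers a single label
    (assumed behaviour of the few clients the thread says support wildcards)."""
    cn, hostname = cn.lower().rstrip("."), hostname.lower().rstrip(".")
    if cn == hostname:
        return True
    if allow_wildcard and cn.startswith("*."):
        suffix = cn[1:]                      # ".example.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]     # the part matched by "*"
        return label != "" and "." not in label
    return False


def verify_connection(hostname, ip, cert, allow_wildcard=False, check_reverse=False):
    """The check performed after the server at `ip` presents `cert`."""
    if not cn_matches(cert["CN"], hostname, allow_wildcard):
        return False
    if check_reverse:
        # Optional reverse lookup from the thread: every load-balanced address
        # reverse-maps to the same name, so this step passes on all three IPs.
        return REVERSE_DNS.get(ip, "").lower() == hostname.lower()
    return True


def connect(hostname, pick=0, **kwargs):
    """Resolve hostname, take the A record at index `pick`, fetch that machine's
    certificate and verify it. Returns (ip, verified)."""
    ip = FORWARD_DNS[hostname][pick]
    return ip, verify_connection(hostname, ip, SERVER_CERTS[ip], **kwargs)


if __name__ == "__main__":
    for i in range(3):
        print(connect("imaps.example.com", i, check_reverse=True))
```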
