On 03-jul-09, at 10:33, Michiel van Es wrote:

> I am using firefox 3 and a recent openssl on my server.. why is the
> newer method not working for me and I must use the old setup?

As long as you have an OpenSSL library >= 0.9.9, and the client supports TLS's SNI, everything should work just fine. However, whenever an old browser (without SNI support) accesses your server (let's say an IE 6), the SSL handshake will be performed using the default certificate. The problem is basically the timing: the first thing an SSL connection does is the handshake between server and client (sending/receiving the certs), and only when the secure connection is established does the browser send the HTTP request. The main problem is that the server does not know what vserver the client wants to access until it receives that HTTP request.

> I mean: would you find it acceptable if you connect to a server but
> got the wrong SSL certificate (a certificate of another server). What is
> the use of certificates if the name does not match? And how would you
> tell the difference with a man in the middle attack?

It is an issue, indeed.

-- 
Greetings, alo
http://www.alobbs.com/

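The timing problem described in the reply above, shown as an added example that is not part of the original thread: a minimal parser that pulls the server_name out of a TLS ClientHello, which is what lets an SNI-capable server pick the right certificate during the handshake, before any HTTP request exists. A ClientHello without the extension (an old browser) yields no name, so the server can only fall back to the default certificate. The hostnames and certificate file names are constructed samples.

```python
import struct

def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample data),
    with or without the server_name (SNI) extension."""
    body = b"\x03\x03" + b"\x00" * 32          # client_version + 32-byte random
    body += b"\x00"                            # empty session id
    body += b"\x00\x02\xc0\x2f"                # one cipher suite
    body += b"\x01\x00"                        # compression methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry               # ServerNameList
        exts = struct.pack("!HH", 0, len(sni)) + sni              # extension type 0 = server_name
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body        # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record header, type 22

def extract_sni(record):
    """Return the host name carried in the ClientHello's SNI extension, or None
    when the client sent none (the case the default certificate has to cover)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9 + 2 + 32                                   # record + handshake headers, version, random
    pos += 1 + record[pos]                             # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                             # compression methods
    if pos >= len(record):
        return None                                    # no extensions block at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                                 # server_name: list length, then entries
            lpos = pos + 2
            name_len = struct.unpack("!H", record[lpos + 1:lpos + 3])[0]
            if record[lpos] == 0:                      # NameType host_name
                return record[lpos + 3:lpos + 3 + name_len].decode("ascii")
        pos += elen
    return None

def pick_certificate(record, vhost_certs, default_cert):
    """Mimic a name-based SSL server: choose the certificate by SNI, else the default."""
    return vhost_certs.get(extract_sni(record), default_cert)
```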