-------- Original Message --------
Subject: Re: [Cherokee] question about several ssl enabled virtual hosts
From: Alvaro Lopez Ortega <[email protected]>
To: Michiel van Es <[email protected]>
Date: 07/03/2009 11:12 AM
> On 03-jul-09, at 10:33, Michiel van Es wrote:
>
>> I am using Firefox 3 and a recent OpenSSL on my server. Why is the newer
>> method not working for me, and why must I use the old setup?
>
> As long as you have an OpenSSL library >= 0.9.9, and the client supports
> TLS's SNI, everything should work just fine.

Hmm, I found out I got a patched 0.9.8b-*patch number* version, so it won't work for me.

> However, whenever an old browser (without SNI support) accesses your
> server (let's say an IE 6) the SSL handshake will be performed using the
> default certificate. The problem is basically the timing: the first thing an
> SSL connection does is the handshake between server and client
> (sending/receiving the certs), and only when the secure connection is
> established does the browser send the HTTP request. The main problem is that
> the server does not know which vserver the client wants to access until
> it receives that HTTP request.
>
>> I mean: would you find it acceptable if you connect to a server but got
>> the wrong SSL certificate (a certificate of another server)? What is the
>> use of certificates if the name does not match? And how would you tell the
>> difference from a man-in-the-middle attack?
>
> It is an issue, indeed.

Are you considering implementing the *old* setup? Binding certificates to an IP address?

> --
> Greetings, alo
> http://www.alobbs.com/

Regards,

Michiel

_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee
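The timing problem Alvaro describes is exactly what SNI fixes: a client that supports it puts the intended hostname into the ClientHello, so the server can pick the right certificate before any HTTP request is sent; a client without it (the IE 6 case) gives the server nothing to go on, and the default certificate is the only possible answer. The following script, added here as an illustration and not code from this thread or from the Cherokee project, builds a minimal ClientHello with or without an SNI extension, parses the extension the way a name-based virtual host server must, and shows the certificate selection falling back to the default when no name is present. The hostnames, certificate labels and the `VHOST_CERTS` table are constructed for the example.

```python
import struct

# Constructed table: SNI hostname -> label of the certificate a name-based
# virtual host server would present. Anything else gets the default cert,
# which is the "wrong certificate" situation Michiel asks about.
VHOST_CERTS = {
    "one.example.test": "cert-one",
    "two.example.test": "cert-two",
}
DEFAULT_CERT = "cert-default"


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.0 ClientHello record (constructed test input).

    Only the fields needed to locate the SNI extension carry meaningful
    values; the random bytes and cipher list are fixed dummies.
    """
    random_bytes = b"\x11" * 32
    session_id = b""
    cipher_suites = b"\x00\x2f\x00\x35"  # TLS_RSA_WITH_AES_128/256_CBC_SHA
    compression = b"\x00"
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x01" + random_bytes
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None.

    None means the client sent no server name, so the server has no way to
    choose a certificate before the handshake completes.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_data_len]
        pos += ext_data_len
        if ext_type == 0x0000:                     # server_name extension
            list_len = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("idna")
                p += name_len
    return None


def select_certificate(record):
    """Pick the certificate for a ClientHello; (cert_label, sni_name_or_None)."""
    name = extract_sni(record)
    if name is None:
        return DEFAULT_CERT, None
    return VHOST_CERTS.get(name, DEFAULT_CERT), name


if __name__ == "__main__":
    for host in ("one.example.test", "two.example.test", None):
        print(host, "->", select_certificate(build_client_hello(host)))
```

Run on a real server, the same decision is made inside the TLS library's SNI callback; the parser above is only there to make visible what the server sees. On the monitoring side, the `None` branch is the one worth counting: a stream of SNI-less ClientHellos against a name-based virtual host is exactly the population of clients that will be handed the default certificate and a name mismatch.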
