On 06-jul-09, at 17:08, Michiel van Es wrote:

>> However, whenever an old browser (without SNI support) accesses your
>> server (let's say an IE 6) the SSL handshake will be performed using the
>> default certificate. The problem is basically the timing: the first thing
>> an SSL connection does is the handshake between server and client
>> (sending/receiving the certs), and only when the secure connection is
>> stabilised does the browser send the HTTP request. The main problem is
>> that the server does not know what vserver the client wants to access
>> until it receives that HTTP request.
>>
>>> I mean: would you find it acceptable if you connect to a server but got
>>> the wrong SSL certificate (a certificate of another server)? What is the
>>> use of certificates if the name does not match? And how would you tell
>>> the difference from a man in the middle attack?
>>
>> It is an issue, indeed.
>
> Are you considering implementing the *old* setup? Binding certificates
> to an IP address?

I did. When I wrote the target_ip plug-in I thought that it'd work... however, I missed a little detail that rendered it useless for this sort of scenario.

I'd agree on implementing the old method as long as it doesn't mess up the code. I haven't found a way so far, so I couldn't tell you for sure.

Antonio worked on the cryptor-libssl plug-in for a while, and he is willing to check it out. Let's hope he comes up with some brilliant solution! :-)

--
Greetings, alo
http://www.alobbs.com/

_______________________________________________
Cherokee mailing list
[email protected]
http://lists.octality.com/listinfo/cherokee
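The timing problem described in the quoted part of this thread, shown as an added example (this is not Cherokee code, nor the target_ip or cryptor-libssl plug-ins): a small Python parser that reads a TLS ClientHello, extracts the host name from the SNI extension if the client sent one, and selects a certificate from that alone. The ClientHello records are constructed in the block as test fixtures rather than captured traffic, and the certificate names (`cert-example`, `cert-default`, ...) are made-up labels. A client that sends no SNI extension, like the IE 6 case above, leaves the server with nothing but the default certificate, because the Host header only arrives after the handshake has finished.

```python
"""Toy TLS ClientHello parser illustrating why a non-SNI client gets the default cert.

Added example, not Cherokee code. The server has to choose a certificate from the
ClientHello alone: no HTTP request (and therefore no Host header) exists yet.
"""
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
HS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI), RFC 6066


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (a test fixture, not real traffic).

    With server_name=None no extensions block is emitted at all, which is what a
    pre-SNI client such as IE 6 sends.
    """
    body = struct.pack("!H", 0x0303)             # client_version: TLS 1.2
    body += bytes(32)                            # random (zeros are fine for a fixture)
    body += b"\x00"                              # empty session_id
    suites = struct.pack("!HH", 0xC02F, 0x009C)  # two arbitrary cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                          # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if the client sent none.

    Raises ValueError for anything that is not a well-formed ClientHello; a server
    must not guess a vhost from malformed or non-TLS input (e.g. a plain HTTP request).
    """
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                     # skip client_version and random
        sid_len = body[pos]; pos += 1 + sid_len          # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
        cm_len = body[pos]; pos += 1 + cm_len            # compression_methods
        if pos == len(body):
            return None                                  # no extensions at all: pre-SNI client
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extensions length mismatch")
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + ext_data_len]; pos += ext_data_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q, list_end = 2, 2 + list_len
            while q + 3 <= list_end:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:                       # host_name
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def choose_certificate(record, certs_by_name, default_cert):
    """Pick a certificate label for the vhost named in the ClientHello.

    certs_by_name maps host names to certificate labels (constructed by the caller).
    A client without SNI, or naming a vhost we do not serve, gets default_cert: the
    certificate mismatch the thread is worried about is exactly this fallback.
    """
    name = extract_sni(record)
    if name is None:
        return default_cert, "no SNI extension: serving default certificate"
    cert = certs_by_name.get(name.lower())
    if cert is None:
        return default_cert, "unknown vhost %r: serving default certificate" % name
    return cert, "SNI host_name %r" % name


if __name__ == "__main__":
    certs = {"www.example.org": "cert-example", "mail.example.org": "cert-mail"}
    for hello in (build_client_hello("mail.example.org"), build_client_hello()):
        print(choose_certificate(hello, certs, "cert-default"))
```

Only the `server_name` extension is inspected; a real server would also validate the record and handshake versions, and would answer an unknown name with an `unrecognized_name` alert or the default chain according to its policy. The fixture without extensions is the interesting case: the parser returns `None`, and `choose_certificate` can only hand back the default certificate, which is the mismatch the quoted message describes.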
