Alvaro Lopez Ortega wrote:
> On 06-jul-09, at 17:08, Michiel van Es wrote:
>
>>> However, whenever an old browser (without SNI support) accesses your
>>> server (let's say an IE 6) the SSL handshake will be performed using the
>>> default certificate. The problem is basically the timing: the first thing an
>>> SSL connection does is the handshake between server and client
>>> (sending/receiving the certs), and only when the secure connection is
>>> established, the browser sends the HTTP request. The main problem is that
>>> the server does not know what vserver the client wants to access until
>>> it receives that HTTP request.
>>>
>>>> I mean: would you find it acceptable if you connect to a server but got
>>>> the wrong SSL certificate (a certificate of another server). What is the
>>>> use of certificates if the name does not match? And how would you tell the
>>>> difference with a man in the middle attack?
>>>
>>> It is an issue, indeed.
>>
>> Are you considering to implement the *old* setup? Binding certificates
>> to an IP address?
>
>
> I did. When I wrote the target_ip plug-in I thought that it'd work..
> however, I missed a little detail that rendered it useless for this sort
> of scenario.
>
> I'd agree on implementing the old method as long as it doesn't mess up the
> code. I haven't found a way so far.. so I couldn't tell you for sure.
>
> Antonio worked on the cryptor-libssl plug-in for a while, and he is
> willing to check it out. Let's hope he comes up with some brilliant
> solution! :-)

That sounds amazing and would be a real help for my situation! :-)

> --
> Greetings, alo
> http://www.alobbs.com/

Kind regards,
Michiel

_______________________________________________
Cherokee mailing list
http://lists.octality.com/listinfo/cherokee
