On Oct 18, 2009, at 12:14 PM, Michiel Van Es wrote:

>
> On Oct 18, 2009, at 1:06 AM, Stefan de Konink wrote:
>
>>
>> Michiel van Es schreef:
>>> Just out of curiosity:
>>> If I get it right, SSL virtual hosting in Cherokee is only available if:
>>>
>>> - You use a really recent OpenSSL version (self compiled or the latest
>>> or use Fedora/FreeBSD - most known Linux distros won't have the OpenSSL
>>> with SNI built in).
>>
>> Since SNI is there for many years the above statement is /really/
>> invalid.
>
> Yes but not many distros use it yet.
> I think Ubuntu Jaunty (the one I use) uses it:
> r...@pcintelw01:~# openssl version
> OpenSSL 0.9.8g 19 Oct 2007
>
> https://launchpad.net/ubuntu/jaunty/+source/openssl/+changelog  
> (search for tlsext)
>
> right?
>
>>
>>> - Your clients have to use at least Vista or a recent Firefox (most big
>>> organizations still use Windows 2000/XP and IE 7 but not the Vista IE 7
>>> or even Windows 7)
>>
>> It has to be > IE6; the rest all supports it. And even if you use IE6
>> you will only get the nag screen, everything still works as expected.
>
> customers hate nag screens ;)
>
>>
>>> I heard a couple of months ago that it would be perhaps possible to
>>> implement the 'old' version of virtual hosts with unique ip-addresses and
>>> use their own SSL certs/keys. Or at least cherokee project was thinking
>>> about offering the old SSL virtual hosting.
>>> Is this still going to be implemented or is cherokee the only webserver
>>> forcing users to use SNI or run multiple cherokee instances (which is a
>>> waste of resources) ?
>>
>> I guess such things are always possible, and might get a speedup if
>> organisations that require this behavior get support contracts ;)
>
> That's gonna be a big one..but we'll see:)
>
> Another question if I get openssl with tlsext enabled:
>
> 1) how do I check it with the openssl command that I really have it?
> 2) how do I set up ssl virtual hosting?

I think I found it:
http://www.cherokee-project.com/doc/config_virtual_servers.html

But it states:

If you have several virtual servers, the Security section must be  
configured for every one of them. At the moment you cannot have some  
with HTTPS and some without. This makes sense, since by enabling the  
feature in any one of them you are opening the HTTPS port in your  
host, and receiving HTTPS requests for a virtual server that does not  
provide the service would not be handled in a coherent manner. None  
of the alternatives is very elegant in design: falling back to HTTP,  
issuing an error that is likely to restart the HTTPS handshake, etc.  
This behavior, however, might change in the future depending on the  
popularity of any proposed mechanisms.

Does that mean I have to enable SSL on every virtual host, supplying
them with a certificate? (So I have to buy a Verisign certificate
for every virtual host?)
What about bulk hosters who want to supply mixed hosts (http and https
virtual hosts)?


>
> Michiel
>
>
>>
>>
>>
>> Stefan
>
