Once again the chicken and egg problem is not properly understood. SSL
virtual hosts MUST be IP based. It has nothing to do with DNS being hacked.
In a nutshell, the SSL connection must be set up before the HTTP 1.1 headers
stating which host is required are sent. Therefore, you cannot have multiple
domains, server names etc. on one IP as the server will have to connect you
to one of the servers BEFORE it knows which one you have asked for.
Personally, I think this is a good thing. It ensures ALL data is encrypted.
John
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 16 May 2000 15:20
To: [EMAIL PROTECTED]; Steve Fairhead
Subject: RE: VeriSign keys.
Addressed to: [EMAIL PROTECTED]
"Steve Fairhead" <[EMAIL PROTECTED]>
** Reply to note from "Steve Fairhead" <[EMAIL PROTECTED]> Tue, 16 May
2000 00:43:19 +0100
>
> LENGLART Benjamin [[EMAIL PROTECTED]] said:
>
> >> place a SSLCertificateKeyfile and a SSLCertificatePrivateKey (must look
> like that, not sure of the grammar) in each of your virtual host ...
> (the good one naturally) Woops it works !!! <<
>
> .... but mustn't they also be IP-based rather than name-based?
>
That is a recommendation, not a requirement. The reason for it, I
believe, is to allow the web server to start even if DNS is not operating.
(For example if all your servers go down in a power failure and the DNS
server takes longer to boot than the web server.) IP based VirtualHost
entries will still work, name based entries will go through slow, painful
DNS lookup attempts, and finally fail. (After about 30 sec for each
VirtualHost.)
There are other alternatives like adding the names to /etc/hosts or
running a slave DNS server on the web server to make sure there is
something to answer the DNS requests as Apache starts. Or you can do it
the easy way and just list the IP addresses in httpd.conf. (Or wherever
you keep your virtual host declarations.)
Rick
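
The IP-based layout discussed in this thread, as an added example that is not part of the original messages: two SSL virtual hosts, each bound to its own address and carrying its own certificate and key. The addresses (documentation range 192.0.2.0/24), host names and file paths are constructed placeholders.

```apache
# Constructed example: addresses, host names and paths are placeholders.
Listen 443

# Each SSL site binds its own IP address, so the server can choose the
# certificate from the destination address of the connection, before any
# HTTP header has been received.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/example-com
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/apache/ssl/www.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName shop.example.org
    DocumentRoot /var/www/example-org
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/shop.example.org.crt
    SSLCertificateKeyFile /etc/apache/ssl/shop.example.org.key
</VirtualHost>
```

Because the `<VirtualHost>` arguments are literal addresses rather than names, no DNS lookup is needed for them when Apache starts.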
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]