On Thu, Jul 13, 2000 at 09:09:11AM +0100, David Leeson wrote:
>
> However I have a requirement for a single Apache/SSL server to
> handle multiple domains with the same IP address. I have set up
> the appropriate CNAMEs in DNS, but how can I split out different
> domains going to the same web server/IP/port? And how can I set
> up different certs for each domain.

(This is answered in the FAQ... but I'll save you the RTFM this
time: http://www.modssl.org/docs/2.6/ssl_faq.html#vhosts)

Basically you can't do this - it will always end up giving you
browsers barfing about certificate common names not matching
server names. If you take a look at the drawing of an SSL session:

http://www.modssl.org/docs/2.6/ssl_intro.html#ToC12

Then you should think about that as all that has to take place
before any of the HTTP headers can be sent... A very basic (Excess
fluff removed) HTTP header from the client would look like this:

    GET /index.html HTTP/1.0
    Host: www.foo-bar.com

Then the server will read the Host header and use it to determine
which vhost to pass the request on to - but then you're in trouble
because that is long after the server sent its certificate.

A less than optimal solution could be to get a wildcard certificate
(if anyone is still willing to sell them) which would give you
a cert with *.foo-bar.com in the CN, which would match for any
host in the foo-bar.com domain ... currently the trouble with that
approach is that somewhere in the 5.x series of MSIE that suddenly
became illegal for a couple of versions, but AFAIK M$ admitted that
was a bug and has put it back in the latest SP's and new versions.

[SNIP]
>
> If it's an RTFM, mads, please tell me gently ;-)
>

Is that gentle enough for you?
If you knew me (and the five pound LART I've got hanging on the wall ;-)
then you wouldn't think it was the same person wasting way too much of
his time answering the same questions over and over again ;-)

The only things that will really irritate me are obvious FUD, HTML mails
and sending your httpd.conf directly to me hoping that will get you a
faster answer.... those who have tried should know by now that it doesn't
help much - at least nobody has tried it often enough to earn a place in
my procmail filter ;-)

vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
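
The ordering problem and the wildcard workaround described in the reply above, as an added example that is not part of the original mail or of mod_ssl. The vhost table, the address 192.0.2.10 and the document roots are constructed, and the wildcard rule used (a `*` covers exactly one leftmost label) is an assumption about how the client matches names.

```python
# Added illustration (constructed data): why name-based vhosts fail under SSL.
# The vhost table, certificate names and addresses below are hypothetical.

def cn_matches(cn: str, host: str) -> bool:
    """Match a certificate CN against a hostname; '*' covers one leftmost label."""
    cn_labels, host_labels = cn.lower().split("."), host.lower().split(".")
    if len(cn_labels) != len(host_labels):
        return False
    if cn_labels[0] == "*":
        return len(cn_labels) > 2 and cn_labels[1:] == host_labels[1:]
    return cn_labels == host_labels

class SslServer:
    def __init__(self, certs_by_socket, vhosts):
        self.certs_by_socket = certs_by_socket  # (ip, port) -> certificate CN
        self.vhosts = vhosts                    # Host header -> document root

    def handshake(self, ip, port):
        # Only the socket address is known here; no HTTP bytes have arrived yet.
        return self.certs_by_socket[(ip, port)]

    def route(self, request: str):
        # Runs after the handshake: only now can the Host header be read.
        for line in request.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                return self.vhosts.get(value.strip().lower())
        return None

def browse(server, ip, port, host):
    """Return (certificate accepted by the browser?, docroot served)."""
    cn = server.handshake(ip, port)              # step 1: certificate is fixed
    request = f"GET /index.html HTTP/1.0\r\nHost: {host}\r\n\r\n"
    return cn_matches(cn, host), server.route(request)  # step 2: vhost chosen

VHOSTS = {"www.foo-bar.com": "/srv/www", "shop.foo-bar.com": "/srv/shop"}
single = SslServer({("192.0.2.10", 443): "www.foo-bar.com"}, VHOSTS)
wildcard = SslServer({("192.0.2.10", 443): "*.foo-bar.com"}, VHOSTS)

if __name__ == "__main__":
    for label, srv in (("single-name cert", single), ("wildcard cert", wildcard)):
        for host in VHOSTS:
            print(label, host, browse(srv, "192.0.2.10", 443, host))
```

With the single-name certificate the second vhost is routed correctly but the browser has already rejected the name; the wildcard only helps for hosts one label below foo-bar.com.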