Thanks to all those who replied.
I did find this section in the manual, but wondered if the
workaround that had been mused in emails in May (methinks)
had come of age. I remember you and Ralf commenting about
M$ not playing ball.
I guess I shall for now work on a standard insecure rewrite/translator/proxy,
with an external (or possibly internal) redirect to https when appropriate.
For now though, I have a good excuse to request more IP numbers
from BT.
Thanks.
-david
At 10:53 13/07/00 +0200, you wrote:
>On Thu, Jul 13, 2000 at 09:09:11AM +0100, David Leeson wrote:
>>
>> However I have a requirement for a single Apache/SSL server to
>> handle multiple domains with the same IP address. I have set up
>> the appropriate CNAMEs in DNS, but how can I split out different
>> domains going to the same web server/IP/port? And how can I set
>> up different certs for each domain.
>
>(This is answered in the FAQ... but I'll save you the RTFM this
>time: http://www.modssl.org/docs/2.6/ssl_faq.html#vhosts)
>
>Basically you can't do this - it will always end up giving you
>browsers barfing about certificate common names not matching
>server names. If you take a look at the drawing of an SSL session:
>http://www.modssl.org/docs/2.6/ssl_intro.html#ToC12
>Then you should think about that as all that has to take place
>before any of the HTTP headers can be sent... A very basic (Excess
>fluff removed) HTTP header from the client would look like this:
>
>Host: www.foo-bar.com
>GET /index.html HTTP/1.0
>
>Then the server will read the Host header and use it to determine
>which vhost to pass the request on to - but then you're in trouble
>because that is long after the server sent its certificate.
>A less than optimal solution could be to get a wildcard certificate
>(if anyone is still willing to sell them) which would give you
>a cert with *.foo-bar.com in the CN, which would match for any
>host in the foo-bar.com domain ... currently the trouble with that
>approach is that somewhere in the 5.x series of MSIE that suddenly
>became illegal for a couple of versions, but AFAIK M$ admitted that
>was a bug and has put it back in the latest SP's and new versions.
>
>[SNIP]
>>
>> If it's an RTFM, mads, please tell me gently ;-)
>>
>Is that gentle enough for you?
>If you knew me (and the five pound LART I've got hanging on the wall ;-)
>then you wouldn't think it was the same person wasting way too much of
>his time answering the same questions over and over again ;-)
>The only things that will really irritate me are obvious FUD, HTML mails
>and sending your httpd.conf directly to me hoping that will get you a
>faster answer.... those who have tried should know by now that it doesn't
>help much - at least nobody has tried it often enough to earn a place in
>my procmail filter ;-)
>
>vh
>
>Mads Toftum
>--
>`Darn it, who spiked my coffee with water?!' - lwall
>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
>
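The one-IP-per-certificate setup discussed in this thread, sketched as an added configuration example that is not taken from either poster's httpd.conf. The addresses (192.0.2.0/24 documentation range), the second hostname and all file paths are assumed placeholders.

```apache
# Constructed example: IP addresses, www.example.org and every path below
# are placeholders, not values from the thread.
Listen 443

# IP-based SSL vhosts: the server selects the vhost from the destination
# address of the TCP connection, which is known before the SSL handshake,
# so each vhost can present the certificate whose CN matches its name.
<VirtualHost 192.0.2.10:443>
    ServerName www.foo-bar.com
    DocumentRoot /var/www/foo-bar
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl.crt/www.foo-bar.com.crt
    SSLCertificateKeyFile /etc/apache/ssl.key/www.foo-bar.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName www.example.org
    DocumentRoot /var/www/example
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl.crt/www.example.org.crt
    SSLCertificateKeyFile /etc/apache/ssl.key/www.example.org.key
</VirtualHost>

# What does NOT work, per the reply above: two name-based vhosts on the
# same address and port with different certificates. The certificate is
# sent before the Host header arrives, so the client is shown the
# certificate of whichever vhost the server chooses without knowing the
# requested name, and sees a CN mismatch for the other one.
#
# NameVirtualHost 192.0.2.10:443
# <VirtualHost 192.0.2.10:443>
#     ServerName www.foo-bar.com
#     SSLCertificateFile /etc/apache/ssl.crt/www.foo-bar.com.crt
# </VirtualHost>
# <VirtualHost 192.0.2.10:443>
#     ServerName www.example.org
#     SSLCertificateFile /etc/apache/ssl.crt/www.example.org.crt
# </VirtualHost>
```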