Owen, I just followed this thread - thanks for that condensed 'how it works' for certificates - I picked up two things I did not know, and as they say knowledge is power :)

I am wondering at the last statement as to whether the limitation lies in the ability to produce a certificate that could verify all hosted domains, or whether Apache (or indeed any HTTPS server) could work with such a beast?

Best Regards,

Steve Leach
Network Manager
Mi-Int Limited
Eaglescliffe Logistics Centre
Durham Lane
Egglescliffe
URL: http://www.askalix.com
TEL: 01642 356205
e-mail: [EMAIL PROTECTED]

----- Original Message -----
From: "Owen Boyle" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 06, 2002 3:53 PM
Subject: Re: virtual hosting and ssl

> Michael Grant wrote:
> >
> > I've been playing around with the apache and our virtual hosts. I am
> > well aware that I could have different certs for each IP address if I
> > were using IP based virtual hosting but I'm using name based virtual
> > hosts.
> >
> > I host a variety of domains which are not at all subdomains of my main
> > domain. What I would like to do is have one cert for all my domains.
> >
> > I sort of have it working with name based virtual hosting, but in some
> > cases, I get the following warning in Internet Explorer:
> >
> > "The name on the security certificate does not match the name of the
> > site."
>
> Indeed. There is a fundamental problem with using NBVHs with SSL - it
> don't work, see:
>
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> http://marc.theaimsgroup.com/?l=apache-modssl&m=98559369910170&w=2
>
> You can get it "sort of" working if you don't mind that all your VHs
> share the same certificate. What happens is:
>
> - an https request for a session comes in on port 443 - that's all
>   apache gets. Since the session hasn't been established yet, there is no
>   Host header.
> - with no host header, apache has no idea which VH to use (what can it
>   use to match the ServerName?).
> - since apache doesn't know which VH to use, it can't decide which
>   certificate to send.
> - to get out of the loop, apache just selects the first VH on port 443
>   and sends its certificate.
> - probably the cert is for a different site so the browser pops a
>   warning. If the user clicks OK, the browser establishes a session-key,
>   encrypts its request (this time containing a host header) and sends it
>   off.
> - the server decrypts the request and now finds the Host header.
> - Now apache can decide which VH to use and so serves the correct
>   content.
>
> But you can't get by the warning because the default cert doesn't match
> the requested site.
>
> The only possible non-general "solution" is if the sites are like
> www1.acme.com, www2.acme.com and so on. Then you can get a wildcard cert
> which is valid for *.acme.com. Even then though, the behaviour is
> browser dependent. Before you ask, there is no such thing as a
> super-wildcard *.*.com cert...
>
> Rgds,
>
> Owen Boyle.
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                          [EMAIL PROTECTED]
> Automated List Manager                             [EMAIL PROTECTED]
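As an added illustration (not part of this thread or of mod_ssl), the following Python models the sequence Owen describes: the server picks the first vhost's certificate because no Host header exists yet, and the browser then compares the name on that certificate with the site it requested, applying the one-label wildcard rule browsers use (so *.acme.com covers www1.acme.com but nothing like *.*.com exists). All host names are constructed.

```python
from dataclasses import dataclass


@dataclass
class VirtualHost:
    """A name-based virtual host on port 443 (constructed model)."""
    server_name: str
    cert_name: str  # the name on the certificate this vhost would send


def cert_name_matches(cert_name: str, requested_host: str) -> bool:
    """Browser-side check of the certificate name against the requested site.

    A wildcard stands for exactly one leftmost label: *.acme.com matches
    www1.acme.com but not a.b.acme.com. A second wildcard (*.*.com) or a
    wildcard directly under a top-level domain (*.com) is rejected.
    """
    cert_name, requested_host = cert_name.lower(), requested_host.lower()
    if not cert_name.startswith("*."):
        return cert_name == requested_host
    suffix = cert_name[2:]
    if "*" in suffix or "." not in suffix:
        return False  # *.*.com or *.com: not an acceptable wildcard
    head, sep, tail = requested_host.partition(".")
    return sep == "." and head != "" and tail == suffix


def handshake(vhosts: list[VirtualHost], requested_host: str):
    """Return (certificate name served, browser_warning) for one request.

    At this point Apache has only seen a connection on port 443; the Host
    header is still inside the not-yet-encrypted request, so the requested
    host name cannot influence which certificate is sent.
    """
    chosen = vhosts[0]  # no Host header yet: the first vhost wins
    warning = not cert_name_matches(chosen.cert_name, requested_host)
    return chosen.cert_name, warning


# Constructed sample configurations
SHARED = [VirtualHost("www.acme.com", "www.acme.com"),
          VirtualHost("www.example.org", "www.example.org")]
WILDCARD = [VirtualHost("www1.acme.com", "*.acme.com"),
            VirtualHost("www2.acme.com", "*.acme.com")]

if __name__ == "__main__":
    for vhosts, host in [(SHARED, "www.example.org"), (WILDCARD, "www2.acme.com")]:
        served, warns = handshake(vhosts, host)
        print(f"request {host}: served cert {served}, warning={warns}")
```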