Ian G wrote:
> Guys,
>
> I'm trying to set up an Apache server to share SSL sites
> and certificates. So far with not much luck. Following
> Nelson's earlier description, I've turned off SSL v2 in all
> the browsers I've tested with (Firefox and Konqueror),
> and also I've turned it off in the Apache web server
> (Apache 2 on Linux).
>
> But the Apache web server still insists on presenting only
> one certificate (even though it has accepted the various
> other SSL sites in the vhosts config). Why that is is another
> story, but there is one furfie I noticed with Firefox in this:
>

read the apache documentation ;) it tells you the reason in detail why the apache always delivers only one cert...

the point is - the ssl connection gets set up first, therefore you need the certificate(s), but the virtual domain gets determined after this setup of the secured connection - so the apache can't know which domain you will access and therefore always delivers the first (or the last, not sure right now) certificate to the client

this is not a firefox problem, actually it depends on the way https or better ssl works; you can't really work around it unless you have several ips for each https domain - then the apache knows per ip which certificate to use

there is a second option: issue one special certificate which contains all the fqdns in the subject alternative field - like the rfc (number not in mind) describes it

usually all clients must check this first before going to the subject field in certs - but reality is different ;(

this is the ONLY way you can use one ip with one ssl-certificate and several fqdns hosted and still be valid at several clients

but like stated above not all clients (webbrowser) behave standards-conformant in this issue - so it may not work reliably

greetings
dalini

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
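
Added example, not part of the original message: a small Python model of the reply's two points, certificate selection by address before the host name is known and client name checking against the subject alternative names. Certificates are modelled as plain dicts, the host names and addresses are constructed placeholders, and first-match selection is an assumption.

```python
# Added illustration: certificates are plain dicts (constructed data), not parsed
# X.509; host names and addresses are documentation placeholders.

def select_cert(vhosts, local_ip):
    """Server side: the handshake happens before any Host header is seen, so
    only the destination address is known. First vhost on that address wins
    (an assumption; the post is unsure whether it is the first or the last)."""
    for vh in vhosts:
        if vh["ip"] == local_ip:
            return vh["cert"]
    raise LookupError("no SSL vhost on " + local_ip)

def client_accepts(cert, host, cn_only=False):
    """Client side. A conformant client (RFC 2818) checks subjectAltName
    dNSName entries when present and uses the subject CN only when there are
    none; cn_only=True models a client that ignores subjectAltName."""
    host = host.lower()
    sans = [] if cn_only else [n.lower() for n in cert.get("san_dns", [])]
    if sans:
        return host in sans
    return host == cert["cn"].lower()

def results(vhosts, dns, cn_only=False):
    """For each host name, connect to its address and check the cert served."""
    return {h: client_accepts(select_cert(vhosts, ip), h, cn_only)
            for h, ip in dns.items()}

# --- constructed sample data ---
A, B = "192.0.2.10", "192.0.2.11"
CERT_SHOP = {"cn": "shop.example"}
CERT_MAIL = {"cn": "mail.example"}
CERT_MULTI = {"cn": "shop.example", "san_dns": ["shop.example", "mail.example"]}

# One address, one certificate per vhost: the second site gets the wrong cert.
SHARED_IP = results([{"ip": A, "cert": CERT_SHOP}, {"ip": A, "cert": CERT_MAIL}],
                    {"shop.example": A, "mail.example": A})
# One address per site: the server can pick the right cert by address.
PER_IP = results([{"ip": A, "cert": CERT_SHOP}, {"ip": B, "cert": CERT_MAIL}],
                 {"shop.example": A, "mail.example": B})
# One address, one certificate listing every name in subjectAltName.
SAN_VHOSTS = [{"ip": A, "cert": CERT_MULTI}]
SAN_DNS = {"shop.example": A, "mail.example": A}
SAN_CERT = results(SAN_VHOSTS, SAN_DNS)
SAN_CERT_CN_ONLY_CLIENT = results(SAN_VHOSTS, SAN_DNS, cn_only=True)

if __name__ == "__main__":
    for label in ("SHARED_IP", "PER_IP", "SAN_CERT", "SAN_CERT_CN_ONLY_CLIENT"):
        print(label, globals()[label])
```
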
