Hi,
It would be really nice to take advantage of Apache's multiple virtual
domain capability in conjunction with SSL and have a certificate that
didn't cause a 'Certificate Name Check' dialog to pop up on every
connection for domains other than the one in the certificate.
This doesn't appear to be possible.
To be more precise, if a machine has multiple DNS entries
and responds at all three of:
fred.company.com
george.company.com
10.10.0.1
You can put any one of these in the distinguished name
field of the certificate and accesses to that domain will not
come up with the 'Certificate Name Check' dialog, but accesses
to the other two valid addresses will.
The problem is that the SSL certificate handshake happens
before Apache sees the domain and therefore Apache is out
of the picture in terms of responding with one of an array of
certificates. Also, you don't seem to be able to bind an array
of server names to a single certificate (not that that would be
a terrific solution in any case).
Anyone have a solution to this? Think there will be one?
If the server name or URL came across from the client at the beginning
of the SSL handshake, the server end of SSL could look
up a certificate based on the URL being presented and respond
with the appropriate server certificate if it has one available.
I don't think the server name or URL comes across though.
Presumably the fallback is to occupy a bag full of separate IP
addresses simultaneously, one per domain name.
- Rod
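The mechanism Rod describes (the client naming the host at the start of the handshake so the server can pick the matching certificate) is exactly what TLS Server Name Indication (RFC 6066, extension type 0) later standardised. The following is an added example, not code from the post or from OpenSSL: it builds a minimal ClientHello with an SNI extension, parses the host name back out as a server would, and selects from a constructed certificate table keyed by the names in the post. Certificate labels are placeholders, not real certificates.

```python
import struct

# Constructed certificate table for the hosts in the post: hostname -> placeholder label.
CERTS = {
    "fred.company.com": "CERT_FRED",
    "george.company.com": "CERT_GEORGE",
}
DEFAULT_CERT = "CERT_DEFAULT"  # used when no SNI is sent, e.g. a client dialling 10.10.0.1

def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record, optionally carrying an SNI extension."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, 32-byte random, empty session id
    body += b"\x00\x02\x00\x2f"                    # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                            # one compression method: null
    exts = b""
    if server_name is not None:                    # RFC 6066 forbids IP literals here
        host = server_name.encode("ascii")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(name_entry)) + name_entry
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list      # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Server side: return the host_name from the ClientHello's SNI extension, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9 + 2 + 32                               # record header, handshake header, version, random
    pos += 1 + record[pos]                         # session id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                              # cipher suites
    pos += 1 + record[pos]                         # compression methods
    if pos + 2 > len(record):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:
            p = pos + 2                            # skip ServerNameList length
            while p + 3 <= pos + elen:
                ntype, nlen = record[p], struct.unpack("!H", record[p + 1:p + 3])[0]
                if ntype == 0:
                    return record[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        pos += elen
    return None

def select_certificate(record):
    """Pick the certificate for the name the client asked for, falling back to the default."""
    return CERTS.get(extract_sni(record), DEFAULT_CERT)
```

A client that connects by IP address sends no host_name, so it still gets the default certificate and the name-mismatch dialog; SNI only solves the case for DNS names.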
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]