Rod Gilchrist wrote:
>
> Hi,
>
> It would be really nice to take advantage of Apache's multiple virtual
> domain capability in conjunction with SSL and have a certificate that
> didn't cause a 'Certificate Name Check' dialog to pop up on every
> connection for domains other than the one in the certificate.
>
> This doesn't appear to be possible.
>
> To be more precise, if a machine has multiple DNS entries
> and responds at all three of:
>
> fred.company.com
> george.company.com
> 10.10.0.1
>
> You can put any one of these in the distinguished name
> field of the certificate and accesses to that domain will not
> come up with the 'Certificate Name Check' dialog, but accesses
> to the other two valid addresses will.
>
> The problem is that the SSL certificate handshake happens
> before Apache sees the domain and therefore Apache is out
> of the picture in terms of responding with one of an array of
> certificates. Also, you don't seem to be able to bind an array
> of server names to a single certificate (not that that would be
> a terrific solution in any case).
>
> Anyone have a solution to this? Think there will be one?
No. It's an inherent limitation of the SSL/TLS protocol.
> If the server name or URL came across from the client at the beginning
> of the SSL handshake, the server end of SSL could look
> up a certificate based on the URL being presented and respond
> with the appropriate server certificate if it has one available.
> I don't think the server name or URL comes across though.
>
> Presumably the fallback is to occupy a bag full of separate IP
> addresses simultaneously. One per domain name.
Yes.
Cheers,
Ben.
--
SECURE HOSTING AT THE BUNKER! http://www.thebunker.net/hosting.htm
http://www.apache-ssl.org/ben.html
Y19100 no-prize winner!
http://www.ntk.net/index.cgi?back=2000/now0121.txt
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
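The 'Certificate Name Check' Rod describes is the client comparing the host it connected to against the names the server certificate carries. The following is an added example, not code from the thread, that implements that check over a constructed stand-in for a parsed certificate; it uses the three identities from the thread and goes beyond the thread by also handling subjectAltName entries and left-most-label wildcards.

```python
import ipaddress

# Constructed stand-in for the identity fields of a parsed X.509 certificate
# (real parsing would use a library such as cryptography, not used here):
#   {"cn": "<subject CN>", "san_dns": [dNSName, ...], "san_ip": [iPAddress, ...]}

def _dns_match(pattern, hostname):
    """Match one presented dNSName (or CN) against a hostname, honouring a
    wildcard only as the entire left-most label, per RFC 6125 section 6.4.3."""
    pat = pattern.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in pat:
        return pat == host
    pat_labels, host_labels = pat.split("."), host.split(".")
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    return len(pat_labels) == len(host_labels) and pat_labels[1:] == host_labels[1:]

def cert_matches_host(cert, hostname):
    """The client-side 'Certificate Name Check': does this certificate name
    the host the user actually connected to?"""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san_dns, san_ip = cert.get("san_dns", []), cert.get("san_ip", [])
    if ip is not None:
        if san_dns or san_ip:
            # With a subjectAltName present, an IP literal matches only iPAddress entries
            return any(ipaddress.ip_address(p) == ip for p in san_ip)
        try:  # legacy fallback the thread relies on: an IP literal placed in the CN
            return ipaddress.ip_address(cert.get("cn", "")) == ip
        except ValueError:
            return False
    if san_dns:
        # When dNSName entries exist the CN is ignored entirely
        return any(_dns_match(p, hostname) for p in san_dns)
    return bool(cert.get("cn")) and _dns_match(cert["cn"], hostname)

# The three identities from the thread, and the one-name certificate Rod describes
HOSTS = ["fred.company.com", "george.company.com", "10.10.0.1"]
CN_ONLY_CERT = {"cn": "fred.company.com"}
# A single certificate carrying all three identities in subjectAltName
SAN_CERT = {"cn": "fred.company.com",
            "san_dns": ["fred.company.com", "george.company.com"],
            "san_ip": ["10.10.0.1"]}

def check_all(cert, hosts=HOSTS):
    """Map each host to whether the name check would pass without a dialog."""
    return {h: cert_matches_host(cert, h) for h in hosts}
```

Running `check_all(CN_ONLY_CERT)` reproduces the thread's observation (only fred.company.com passes), while `check_all(SAN_CERT)` passes for all three, which is the per-name coverage one certificate per IP address would otherwise have to provide.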