There is also a problem when the connection passes through proxies and/or
socks servers (except for the one declared in the browser).
Is the IP address checking really important?

Nicolas Roumiantzeff.

-----Original Message-----
From: Ben Laurie <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday 18 February 2000 14:18
Subject: Re: Can't have SSL with multiple domain names on a single server...


>Rod Gilchrist wrote:
>>
>> Hi,
>>
>> It would be really nice to take advantage of Apache's multiple virtual
>> domain capability in conjunction with SSL and have a certificate that
>> didn't cause a 'Certificate Name Check' dialog to pop up on every
>> connection for domains other than the one in the certificate.
>>
>> This doesn't appear to be possible.
>>
>> To be more precise, if a machine has multiple DNS entries
>> and responds at all three of:
>>
>>    fred.company.com
>>    george.company.com
>>    10.10.0.1
>>
>> You can put any one of these in the distinguished name
>> field of the certificate and accesses to that domain will not
>> come up with the 'Certificate Name Check' dialog, but accesses
>> to the other two valid addresses will.
>>
>> The problem is that the SSL certificate handshake happens
>> before Apache sees the domain and therefore Apache is out
>> of the picture in terms of responding with one of an array of
>> certificates. Also, you don't seem to be able to bind an array
>> of server names to a single certificate (not that that would be
>> a terrific solution in any case).
>>
>> Anyone have a solution to this? Think there will be one?
>
>No. It's an inherent limitation of the SSL/TLS protocol.
>
>> If the server name or URL came across from the client at the beginning
>> of the SSL handshake, the server end of SSL could look
>> up a certificate based on the URL being presented and respond
>> with the appropriate server certificate if it has one available.
>> I don't think the server name or URL comes across though.
>>
>> Presumably the fall back is to occupy a bag full of separate IP
>> addresses simultaneously. One per domain name.
>
>Yes.
>
>Cheers,
>
>Ben.
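As an added illustration (not code from the thread or from OpenSSL), here is the certificate name check that Rod describes, run over the three names his server answers to; it assumes certificates in the dict layout that Python's ssl getpeercert() returns, with constructed values, and it goes one step beyond the thread by also showing a subjectAltName certificate that lists all three names.

```python
import ipaddress

# Constructed example certificates in the dict layout that Python's
# ssl.SSLSocket.getpeercert() returns. The first has only a commonName,
# the situation in the thread; the second lists every name in subjectAltName.
CERT_SINGLE_NAME = {"subject": ((("commonName", "fred.company.com"),),)}
CERT_MULTI_NAME = {
    "subject": ((("commonName", "fred.company.com"),),),
    "subjectAltName": (
        ("DNS", "fred.company.com"),
        ("DNS", "george.company.com"),
        ("IP Address", "10.10.0.1"),
    ),
}


def dns_matches(pattern, hostname):
    """Case-insensitive DNS match; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname


def name_check_passes(cert, requested):
    """True when the requested DNS name or IP literal is covered by cert."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an 'IP Address' SAN entry, never the CN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in san)
    names = [v for k, v in san if k == "DNS"]
    if not names:
        # No DNS SAN entries: fall back to the subject commonName.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(dns_matches(p, requested) for p in names)


def check_all(cert, hosts=("fred.company.com", "george.company.com", "10.10.0.1")):
    """Map each name the server answers to -> would the name check pass?"""
    return {h: name_check_passes(cert, h) for h in hosts}
```

With the single-name certificate only fred.company.com passes, which is exactly the dialog Rod sees on the other two names; the multi-name certificate passes all three, but still cannot be swapped per virtual host because the handshake precedes the Host header.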


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]