On Mon, Feb 21, 2000 at 10:52:02AM +0100, Nicolas Roumiantzeff wrote:
> I was thinking of a simple site architecture that might apply to a wide
> range of web sites:
> 
> - the first page is plain HTTP,
> - it contains links to HTTPS URL specifying the IP address,
> - the SSL server can assume that the client is using the IP address as the
> server name.
> 
> Note: it works with CNAME's multi-homed servers.

Hmm,

I don't think that this would be a good thing.
The usage of the HTTPS protocol serves two purposes (not listed by priority):
1. protection of the data transfer by encryption;
2. authentication of the peers (but at least of the server if no client
   certificate is used).

Your approach to access a HTTP page first breaks purpose 2, since you must
use an unreliable source. The HTTP page is not loaded from an authenticated
server, hence it might have been changed during transport and the HTTPS
link might have been altered to point to another link!!
This is the same problem we have with the CNAME approach, since you have
to call the DNS as an unreliable source in between.

This is why several protocols like RFC2595 explicitly state that the server
certificate must match the hostname used for the contact, not any CNAME or
whatever (Section 2.4. Server Identity Check).

This is a fundamental problem with the HTTPS protocol as is (should we
call it a flaw?). Work is being done to establish an extended protocol
(draft-ietf-tls-http-upgrade-05.txt) to realize a _clean_ solution for
the problem.
Another option might be the use of dNSName fields in the SubjectAlternateName
extension. I however don't know whether this is implemented in current
browsers. I had no time to try it, yet, and as of now its realization
seems to be quite uncomfortable with OpenSSL since the openssl.cnf file
must be changed according to the certificate you want to generate. One
can have more than one dNSName field, but then the cnf file must have the
number of dNSName fields reserved!?

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
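
The server identity check of RFC 2595 Section 2.4 that the message refers to, as an added example that is not part of the original post or of OpenSSL: the name the client used to open the connection, never a CNAME target, is compared with the certificate's dNSName entries. Function names and host names are assumptions made up for illustration, and the wildcard is taken to cover exactly one label.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two NUL-terminated names. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Match one dNSName entry against the reference name. "*" is accepted
 * only as the whole left-most label and covers exactly one label
 * (assumption of this example), so "*.example.com" != "example.com". */
static int dnsname_matches(const char *pattern, const char *host)
{
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && name_eq(pattern + 1, dot);
    }
    return name_eq(pattern, host);
}

/* typed_host is the name the client used to open the connection; it is
 * never replaced by a CNAME target or any other DNS-derived name.
 * Returns 1 if any dNSName entry of the certificate matches it. */
int server_identity_ok(const char *typed_host,
                       const char *const *dns_names, size_t n)
{
    size_t i;
    if (typed_host == NULL || *typed_host == '\0')
        return 0;
    for (i = 0; i < n; i++)
        if (dnsname_matches(dns_names[i], typed_host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: dNSName entries of a hypothetical certificate. */
    const char *const names[] = { "www.example.com", "*.shop.example.com" };
    printf("typed name:   %d\n", server_identity_ok("www.example.com", names, 2));
    printf("CNAME target: %d\n", server_identity_ok("host7.hosting.example.net", names, 2));
    return 0;
}
```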