Ralph wrote:
> Charles B Cranston wrote:
>
>> > I'm trying to set up an Apache 2 based web server for multiple
>> > name based virtual hosts. As it is not possible with mod_ssl to
>> > have a separate SSL certificate file for each virtual host...
>>
>> Actually, you can, but they have to have separate IP addresses.
>> (Requiring the server host to be multi-homed...)
>
> As I wrote, I was talking about multiple name based (!) virtual hosts,
> and the mod_ssl FAQ states that you can't have a separate SSL cert file
> for each of them <http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47>. I
> know that multiple IP based virtual hosts are a different matter, but
> unfortunately I only have one IP address available for the host in
> question.
>
> What I am trying to achieve is that this single host uses one cert which
> includes multiple CNs, so that given the following DNS entries
>
> www.domain1.org. IN A 123.234.123.234
> www.domain2.net. IN A 123.234.123.234
> www.domain3.com. IN A 123.234.123.234
>
> users can access the server via
>
> https://www.domain1.org/
> https://www.domain2.net/
> https://www.domain3.com/
>
> without a warning about the URL host name not matching the certificate
> common name. I know that with mod_ssl all three URLs will result in the
> same web page being displayed, but that is acceptable in this special
> case where a couple of domains are to be mapped to one single web site.
You may notice that this is not really a desired
configuration. What you actually are trying to
do is to cheat the user: When I connect to a
server named "www.domain1.org", then I want a
confirmation that I really accessed this server.
What you are doing is sending a confirmation for
"you are connected to one of these servers:
www.domain1.org, www.domain2.net, www.domain3.com".
This may be ok if these were "www.domain1.com",
"ssl.domain1.com" and so on (which sometimes is solved
by wildcard certificates), but if the domains are
visually independent from each other, then I would
not want my browser to accept the certificate.
<NIT>
What would you say, if you wanted to do some
online banking on "www.yourbank.com", and got
a certificate for "www.yourbank.com",
"www.softporn.com" and "www.spamcompany.com"?
I would want my browser to tell me... ;-)
</NIT>
Just my 2 cents,
Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Consultant, Consulting GmbH
Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED]
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
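As an added illustration of the point made in this thread (this is example code, not from any poster or from mod_ssl), the script below takes a certificate in the dict format Python's ssl.getpeercert() returns, lists every host name it vouches for (commonName plus subjectAltName dNSName entries, the latter being what browsers check first), matches a requested host name against them including the single-label wildcard rule Olaf mentions, and reports the other, possibly unrelated, names the same certificate would have been accepted for. The sample certificate is constructed to mirror the three domains in the thread.

```python
"""Audit which host names a server certificate covers (example code, not from
the thread). Works on the dict returned by ssl.SSLSocket.getpeercert()."""
import socket
import ssl

# Constructed sample: one certificate with CN www.domain1.org and three SAN
# dNSName entries, as the original poster wanted for the single-IP host.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.domain1.org"),),),
    "subjectAltName": (("DNS", "www.domain1.org"),
                       ("DNS", "www.domain2.net"),
                       ("DNS", "www.domain3.com")),
}

def cert_hostnames(cert):
    """DNS names the certificate asserts: SAN dNSNames first, then the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names

def label_matches(pattern, hostname):
    """RFC 2818 style match: '*' may only stand for the whole left-most label,
    so *.domain1.com covers ssl.domain1.com but not a.b.domain1.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return False

def audit(cert, requested):
    """Return (accepted, other_names): whether a client asking for `requested`
    would accept this cert, and which other names it vouches for as a side
    effect. A long list of unrelated names is the situation Olaf objects to."""
    names = cert_hostnames(cert)
    accepted = any(label_matches(n, requested) for n in names)
    others = [n for n in names if not label_matches(n, requested)]
    return accepted, others

def fetch_cert(host, port=443):
    """Fetch a live server certificate as a getpeercert() dict (network call)."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((host, port)),
                         server_hostname=host) as sock:
        return sock.getpeercert()

if __name__ == "__main__":
    ok, others = audit(SAMPLE_CERT, "www.domain1.org")
    print("accepted for www.domain1.org:", ok, "| also covers:", others)
```

Run it against a real host with `audit(fetch_cert("example.invalid"), "example.invalid")` to see how many unrelated names your own server's certificate vouches for.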