On Wed, Dec 22, 2010 at 7:53 AM, S Mathias <smathias1...@yahoo.com> wrote:

> http://help.godaddy.com/article/1054
>
> "# Set up SSL protection on your website."
>
> Is it an inescapable requirement to have a dedicated [not fix] IP address,
> when I want to use SSL on my domain?
>

Not exactly, but you must weigh the cost vs. merit here. When you are
looking for ways to serve multiple HTTPS (SSL protected) websites from a
single IP address, the magic term you're looking for is SNI (Server Name
Indication). The second alternative (with restrictions) is using a wildcard
certificate or certificate with multiple subjectAltName entries.


SNI:

See also:
http://en.wikipedia.org/wiki/Server_Name_Indication
https://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf (note:
info as per 2007 A.D. so may be a bit oldish in a few spots, but is,
IMO, a very good mix of technological depth and breadth of overview when
investigating this issue)
also of interest is
http://www.c0t0d0s0.org/archives/6990-Server-Name-Indication-and-the-problem-with-Windows.html
as he points at recent client statistics (as per November/2010) and for SNI
to 'work' you need support on both web browser (client) and server side. If
you can 'enforce' a limited set of browser versions accessing those
sites/pages (which is an option in sites not targeting the 'general public'
but, say, only your employees) or when you are willing to 'lose' those
visitors with a non-compatible browser (also consider disabled people here!
They often have special browsers adapted to their needs and those browsers
aren't always up to snuff with the bleeding edge of internet technology),
then you can go this route.

SNI test site:
https://sni.velox.ch/

The alternative is buying extra IP numbers, one per site, for your
VPS/dedicated server(s): one IP per HTTPS-served domain - for 'we don't want
to exclude anyone from visiting us' sites, I find the small annual fee for
one or more extra IPs is much cheaper than spending the time (= effort =
money, also when you are on a salary instead of hourly charge!) to set up
SNI and ensure no-one in your entire target audience will run into trouble
visiting your site. (that includes software development, maintenance and
support calls cost, lump sum) Yep, that's an abhorrently conservative stance;
strongly advised from banks and such; for special interest sites SNI might
be the better choice as it's helping to save our Internet ecology in a small
way (by reducing IP address consumption) ;-) .


Wildcard certificate:

When using the alternative method of multiple subdomains with a wildcard
certificate, also consider browser compatibility again (and that means we're
in the same boat as when going SNI, details will differ, but the
cost/benefit evaluation implies you'll have to look at all the details again
for this one):
http://wiki.cacert.org/WildcardCertificates
http://www.geocerts.com/ssl/browsers (note the note about mobile devices!
Also consider browsers for disabled people.)



Multiple subjectAltName entries:

As above. Works with a subset of existing browsers.


If you want to see an interoperability test chart for all these (for several
of the major browser brands) and more technical info on each subject, see:
http://wiki.cacert.org/VhostTaskForce



-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web:    http://www.hobbelt.com/
        http://www.hebbut.net/
mail:   g...@hobbelt.com
mobile: +31-6-11 120 978
--------------------------------------------------
