On Wed, Sep 12, 2007, Bill Janssen wrote:
>
>>> By the way, I think the hostname matching provisions of 2818 (which
>>> is, after all, only an informational RFC, not a standard) are poorly
>>> thought out. Many machines have more hostnames than you can shake a
>>> stick at, and often provide certs with the wrong hostname in them
>>> (usually because they have no way to determine what the *right*
>>> hostname is, from inside that machine).
>>
>> ...which is why you pretty much need to have a canonical hostname mapped
>> to each IP you're using on a machine. Basically, you need to map the
>> hostname you intend to use to an IP, then do reverse-DNS to find out
>> whether the hostname is in fact the canonical hostname. If not, you're
>> using the wrong hostname on your cert.
>
> Yep. The problem is having a particular service know which
> certificate it should choose to use, and also to know when the network
> connectivity has changed. Usually, server ports are bound to wildcard
> IP addresses, so that they can still be reached even if the network
> connectivity changes (particularly true for servers running on
> laptops, or the Python server I'm running on my iPhone). The server
> has no way of knowing which IP address the client knows it as, and no
> way of knowing which of its multiple certificates to present, so that
> the name in the cert will match the name the client thought it was
> using.
My understanding is that the client tells the server which hostname it wants to use; the server should then pass down that information. That's how virtual hosting works in the first place. The only difference with SSL is that the hostname must have a unique IP address, so that when the client does a reverse DNS to validate the IP address presented by the SSL certificate, it all comes together correctly. There are, of course, wildcard certs; I don't understand how those work.

-- 
Aahz ([EMAIL PROTECTED]) <*> http://www.pythoncraft.com/

"Many customs in this life persist because they ease friction and promote productivity as a result of universal agreement, and whether they are precisely the optimal choices is much less important." --Henry Spencer
http://www.lysator.liu.se/c/ten-commandments.html
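The RFC 2818 hostname-matching rules argued over above, and the wildcard behaviour the message asks about, as an added example (not code from the thread): a checker over a certificate in the dict shape Python's `ssl.getpeercert()` returns, with a constructed sample certificate. It follows RFC 2818 section 3.1 as written; later guidance (RFC 6125) restricts wildcards further.

```python
import re


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """RFC 2818 section 3.1 comparison of one dNSName pattern to a hostname.

    Names compare case-insensitively, label by label. A '*' is honoured
    only in the leftmost label and matches within that single label, so
    "*.a.com" matches "foo.a.com" but not "bar.foo.a.com", and "f*.com"
    matches "foo.com" but not "bar.com".
    """
    pat_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pat_labels) != len(host_labels) or not all(host_labels):
        return False
    leftmost, rest = pat_labels[0], pat_labels[1:]
    # Wildcards outside the leftmost label are not permitted; such a
    # pattern never matches rather than being treated literally.
    if any("*" in label for label in rest) or rest != host_labels[1:]:
        return False
    # Turn the leftmost label into a regex in which '*' cannot cross a dot.
    regex = re.escape(leftmost).replace(r"\*", "[^.]*")
    return re.fullmatch(regex, host_labels[0]) is not None


def match_hostname(cert: dict, hostname: str) -> bool:
    """Check *hostname* against a certificate in ssl.getpeercert() form.

    Per RFC 2818, dNSName subjectAltName entries are authoritative when
    present; the subject CommonName is consulted only if there are none.
    """
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return any(_dnsname_match(name, hostname) for name in names)


# Constructed sample in the shape ssl.getpeercert() returns; not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.internal.example.com")),
}

if __name__ == "__main__":
    for host in ("www.example.com", "host.internal.example.com",
                 "a.b.internal.example.com", "legacy.example.net"):
        print(f"{host}: {match_hostname(SAMPLE_CERT, host)}")
```

The hostname the client announces, which the message describes the server passing down, travels in the TLS Server Name Indication extension; Python's ssl module hands it to a server through `ssl.SSLContext.sni_callback`, which is where a multi-certificate server picks the certificate whose name the client expects.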