Re: [CentOS] do i need a dedicated ip address for https?
certificate for each client, and reduces certificate administration to a SINGLE httpd.conf entry. (if your application is structured thusly) Can you then use only one single SSL port for all subdomains? I am using wildcard certificates as well, but I'm still allocating a separate port per subdomain that needs SSL. I would very much appreciate if you (or someone) could detail a bit how you combine multiple subdomains on a single SSL port. Thanks in advance! ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
On Thursday, December 23, 2010 07:10:36 am Ross Walker wrote: As long as the forward DNS resolves to the common name the cert will be accepted and you can have multiple host names resolve to the same IP. There's also the possibility that you can use multiple subdomains. Instead of https://foo.com https://bar.com You might use https://foo.yourdomain.com https://bar.yourdomain.com This involves the use of a wildcard subdomain certificate, which any/all of the major Certificate vendors provide. I've been doing this for hundreds of customers by domain name and it works with basically all clients all the time. (I've had ZERO issues from this) It's a tad more expensive than a normal SSL certificate, but it's dramatically cheaper than buying a separate SSL certificate for each client, and reduces certificate administration to a SINGLE httpd.conf entry. (if your application is structured thusly) -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
Dne 23.12.2010 1:08, Les Mikesell napsal(a): The issue is that the server needs to know the hostname given to the browser to find the matching certificate, and the only way to do that and stay on the standard port 443 with the apache version on centos is to bind each virtual host to a different IP address. Per the apache ssl faq at http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2, 2.2.12 or later supports SNI where the browser passes the hostname before the ssl session starts. Guys, Of course that it's possible to host multi-site on ONE ip. As Les has said, it's about SNI enabled web clients and servers. Not all clients support SNI. As to Apache, there's no need to go with 2.2.12. SNI is very easy to support with both Centos 4 and Centos 5. There's module mod_gnutls packed for Centos in one of my repo. Used in production for a few years now. http://fs12.vsb.cz/hrb33/el5/hrb-tls/stable/i386/repoview/ http://fs12.vsb.cz/hrb33/el5/hrb-tls/stable/x86_64/repoview/ http://fs12.vsb.cz/hrb33/el4/hrb-tls/stable/i386/repoview/ http://fs12.vsb.cz/hrb33/el4/hrb-tls/stable/x86_64/repoview/ Regards, David Hrbáč ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
On Dec 23, 2010, at 3:03 AM, David Hrbáč hrbac.c...@seznam.cz wrote: Dne 23.12.2010 1:08, Les Mikesell napsal(a): The issue is that the server needs to know the hostname given to the browser to find the matching certificate, and the only way to do that and stay on the standard port 443 with the apache version on centos is to bind each virtual host to a different IP address. Per the apache ssl faq at http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2, 2.2.12 or later supports SNI where the browser passes the hostname before the ssl session starts. Guys, Of course that it's possible to host multi-site on ONE ip. As Les has said, it's about SNI enabled web clients and servers. Not all clients support SNI. As to Apache, there's no need to go with 2.2.12. SNI is very easy to support with both Centos 4 and Centos 5. There's module mod_gnutls packed for Centos in one of my repo. Used in production for a few years now. http://fs12.vsb.cz/hrb33/el5/hrb-tls/stable/i386/repoview/ http://fs12.vsb.cz/hrb33/el5/hrb-tls/stable/x86_64/repoview/ http://fs12.vsb.cz/hrb33/el4/hrb-tls/stable/i386/repoview/ http://fs12.vsb.cz/hrb33/el4/hrb-tls/stable/x86_64/repoview/ As long as the forward DNS resolves to the common name the cert will be accepted and you can have multiple host names resolve to the same IP. -Ross ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
2010/12/22 S Mathias smathias1...@yahoo.com: http://help.godaddy.com/article/1054 # Set up SSL protection on your website. is it an inescapable requirement to have a dedicated [not fix] ip address, when i want to use ssl on my domain? delicated port (443) is needed per ssl host. you can also use wildcard certificates to host multiple ssl domains on same port. -- Eero ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
In article 133721.39495...@web121405.mail.ne1.yahoo.com, S Mathias smathias1...@yahoo.com wrote: http://help.godaddy.com/article/1054 # Set up SSL protection on your website. is it an inescapable requirement to have a dedicated [not fix] ip address, when i want to use ssl on my domain? Not exactly. An SSL certificate is not tied to an IP address, but to a hostname. If you only have a single SSL site on the server, it doesn't matter what the IP address is, or even whether it is a dynamic address registered with a dunamic DNS provider. It will still work. The thing you CAN'T do is to have name-based virtual hosting with multiple domains on a single IP address, with more than one of them using SSL. Name-based virtual hosting relies on the HTTP Host: header to identify which virtual host is being accessed. But under SSL, the headers are not sent until the encrypted SSL channel has been set up. So the only way the server can know which certificate to use is by the IP address on which the request is recieved. So multiple SSL sites on a single box MUST each have their own IP address. Hope this helps! thank you happy Christmas! :) Happy Christmas to you too! Tony -- Tony Mountifield Work: t...@softins.co.uk - http://www.softins.co.uk Play: t...@mountifield.org - http://tony.mountifield.org ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
On 22.12.2010 11:05, Tony Mountifield wrote: In article 133721.39495.qm-j4irtxk+zdtuqs8rmknbopow+3bf1jufvpnb7ypn...@public.gmane.org, S Mathias smathias1...@yahoo.com wrote: http://help.godaddy.com/article/1054 # Set up SSL protection on your website. is it an inescapable requirement to have a dedicated [not fix] ip address, when i want to use ssl on my domain? Not exactly. An SSL certificate is not tied to an IP address, but to a hostname. If you only have a single SSL site on the server, it doesn't matter what the IP address is, or even whether it is a dynamic address registered with a dunamic DNS provider. It will still work. The thing you CAN'T do is to have name-based virtual hosting with multiple domains on a single IP address, with more than one of them using SSL. Name-based virtual hosting relies on the HTTP Host: header to identify which virtual host is being accessed. But under SSL, the headers are not sent until the encrypted SSL channel has been set up. So the only way the server can know which certificate to use is by the IP address on which the request is recieved. So multiple SSL sites on a single box MUST each have their own IP address. Very good explanation ! I just want to add that there is such a thing named Server Name Indication. With that the Virtual Host Name is sent at SSL Handshake time, so it is possible to use name based Virtual Hosts (No need for additional IP adresses). It needs Server and Client support, though. Apache in CentOS 5 does not support it as far as I know. http://en.wikipedia.org/wiki/Server_Name_Indication -- happy Christmas! Markus Falb signature.asc Description: OpenPGP digital signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
On Tue, 2010-12-21 at 22:53 -0800, S Mathias wrote: http://help.godaddy.com/article/1054 # Set up SSL protection on your website. is it an inescapable requirement to have a dedicated [not fix] ip address, when i want to use ssl on my domain? Yes. Reverse DNS has to be working. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
On Wed, Dec 22, 2010 at 1:53 AM, S Mathias smathias1...@yahoo.com wrote: http://help.godaddy.com/article/1054 # Set up SSL protection on your website. is it an inescapable requirement to have a dedicated [not fix] ip address, when i want to use ssl on my domain? thank you happy Christmas! :) It's the easiest way to do it. If you allow someone else to hold your SSL keys, they can do interesting things to act as your front end to register your hostname associated with a registered key, but that gets tricky. And there are other fancy tricks, but they get weird and painful. But let's be honest. Most SSL encryption is not done to authenticate a website as a signed, registered websites. Most of us at penny-wise workplaces have to hit Yes, I accept this unsigned key pop-ups all the time. SSL is often useful merely to encrypt the traffic end-to-end while clients accept such unsigned or incorrectly registered keys without concern. For that kind of use, dodging and weaving unregistered IP addresses are common place. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
http://help.godaddy.com/article/1054 # Set up SSL protection on your website. is it an inescapable requirement to have a dedicated [not fix] ip address, when i want to use ssl on my domain? Yes. Reverse DNS has to be working. Why is that? I have several ssl sites, and many of them don't have the proper ip - name resolution setup correctly... ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
On December 22, 2010 02:05:26 am Tony Mountifield wrote: The thing you CAN'T do is to have name-based virtual hosting with multiple domains on a single IP address, with more than one of them using SSL. Name-based virtual hosting relies on the HTTP Host: header to identify which virtual host is being accessed. But under SSL, the headers are not sent until the encrypted SSL channel has been set up. So the only way the server can know which certificate to use is by the IP address on which the request is recieved. So multiple SSL sites on a single box MUST each have their own IP address. Nowadays certificates can contain Subject Alternate Names and work for multiple domains. You can also get a wildcard addresses for *.yourdomain.com. Both mechanisms work fine for modern web browsers; maybe not so much for other SSL- oriented tools, though. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] do i need a dedicated ip address for https?
The question was: On Tue, 2010-12-21 at 22:53 -0800, S Mathias wrote: http://help.godaddy.com/article/1054 # Set up SSL protection on your website. is it an inescapable requirement to have a dedicated [not fix] ip address, when i want to use ssl on my domain? and one reply asseted: On Wed, 22 Dec 2010, Adam Tauno Williams wrote: Yes. Reverse DNS has to be working. ehh? so what? It is perfectly possible to update PTR records dynamically, just as with CNAMEs or A records A CSR countersign by a CA is from information totally ignorant of the actual IP's in play [see the req_distinguished_name stanza of such requests as to the information needed, below] -- indeed, such IPs need not even be allocated, nor the host live, before a key file is generated, a CSR submitted to a CA and countersigned, and a PEM returned by the CA to the requestor Managing DNS, and placement of a PEM, key and chain into the hosts providing a SSL accessible website (mailserver, etc) are totally disjunct from the specific IP's a host is at for a given time [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = US countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Ohio localityName= Locality Name (eg, city) localityName_default= Columbus 0.organizationName = Organization Name (eg, company) 0.organizationName_default = 781 Resolution, LLC organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 emailAddress= Email Address emailAddress_max= 63 emailAddress_default= doma...@781resolution.com The 'commonName' field here is usually the FQDN, and may be an A record or a CNAME; validations are optionally done by a remote host querying the PTR record values to make sure there is a name match in the array returned [a PTR is usually unique and one to an IP, but I am not specifically aware of a formal RFC requirement of only one PTR record per IP, having looked again for such writing some code on DNS content validation for an interface that builds zone files in the last few months] -- Russ herrold ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
On 22/12/10 11:52 PM, Nico Kadel-Garcia wrote: It's the easiest way to do it. If you allow someone else to hold your SSL keys, they can do interesting things to act as your front end to Where in the original post did it mention using a system that's not under their control? The question was about a static IP address, not the system the keys and certificates would be installed on. register your hostname associated with a registered key, but that gets tricky. And there are other fancy tricks, but they get weird and painful. Yes, it also depends on how much effort they're willing to go to and whether or not they care if a visitor notices. But let's be honest. Most SSL encryption is not done to authenticate a website as a signed, registered websites. Most of us at penny-wise workplaces have to hit Yes, I accept this unsigned key pop-ups all the time. SSL is often useful merely to encrypt the traffic end-to-end while clients accept such unsigned or incorrectly registered keys without concern. For that kind of use, dodging and weaving unregistered IP addresses are common place. That's what my self-signed site is for, but then I live in a country that is still debating mandatory Internet censorship. Most people wanting SSL on their website see it as a business requirement and most of those sites are running on shared or VPS hosting. Regards, Ben signature.asc Description: OpenPGP digital signature ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
On 12/22/2010 5:40 PM, Ben McGinnes wrote: Most people wanting SSL on their website see it as a business requirement and most of those sites are running on shared or VPS hosting. The issue is that the server needs to know the hostname given to the browser to find the matching certificate, and the only way to do that and stay on the standard port 443 with the apache version on centos is to bind each virtual host to a different IP address. Per the apache ssl faq at http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2, 2.2.12 or later supports SNI where the browser passes the hostname before the ssl session starts. -- Les Mikesell lesmieks...@gmail.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] do i need a dedicated ip address for https?
http://help.godaddy.com/article/1054 # Set up SSL protection on your website. is it an inescapable requirement to have a dedicated [not fix] ip address, when i want to use ssl on my domain? thank you happy Christmas! :) ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] do i need a dedicated ip address for https?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 12/22/2010 12:53 AM, S Mathias wrote: http://help.godaddy.com/article/1054 # Set up SSL protection on your website. is it an inescapable requirement to have a dedicated [not fix] ip address, when i want to use ssl on my domain? thank you happy Christmas! :) Yes it is -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBCgAGBQJNEaR9AAoJEPXCUD/44PWqFhAP/33q9sCa7q4a594qSJBPkv8A Twf+AkHc0H6siFikhAgi9RhpXDQXaAHusepf3s1UgD9lUGjOU1xtjiGFlbsTGE8T KDDb7fHSqzrEaE0HND8QBBXsccMbiYSozTXE5VT8QRz9G8wlCMA1+HLCEwUvGF9u 5x9WbzusMjlsTaHHOadOU55xcbBuNlNMq6V5jmbvdouriVfDg95xiwFEb3k+HVo8 fZAgodU8vuvVax9ycHgfbGLYC8ueJw/RW5H94OVh5465EY9ObVBHFSd01B7qlZrO TQxI/gtKcZTj8TYPn9mBRmzyIenhy6joU+ZBawff4P+1RLtAjxJHbYbpRa/r4Wmh HqoJNKi0TpJ4l+t04an5I1RWHOlA6JT+GGDOnOGNbgfmFwG3/h2Bh3QeILPOZBzV qznFA9JLaHl6ZitWffqav2XxzQaxzElWdJftt71YAGLe+6h+WA/HCtFots/O6GY2 9F9k7Lv+cy/a44qnQOu7fKJsihHT/uzKrSMn+c3209JJVFrBvFg0ow6lpfK2rbLj O79jsbZ4IbtlQQKhiSqXz1gj26xd2X9Qfw5ePOj+DuOjgqgIy8q9IBiuvnL8zXik MvedQTXtwHIy3UBI/tCfKQ6itJGUMhIoEWqrO7yP6KYf1NSqWvDxGLLar26Lfp93 W6B3tUG4tdNN3ahY09Pu =56E3 -END PGP SIGNATURE- ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
