The feature of having multiple certificates served on the same ip/port 
is Server Name Indication (SNI) and the nsopenssl driver does not 
support it.  As you said, getting that to work would require some rewiring.

However, I think the certificate described by Thorpe was a single 
certificate that is valid for multiple domains - Service Alternate Name 
(SAN), somewhat similar to a wildcard cert.  Since it's just one 
certificate, it doesn't need multiple different ips/ports.  The downside 
of a SAN cert is that if any of the hosts changes, the whole cert needs 
to be reissued, versus with SNI each host has its own cert.

So since it's just one certificate, I think that also means it doesn't 
need multiple contexts to be set up.  Just set up the single context 
with the SAN certificate, and set up the virtual servers as you would 
for a non-ssl setup.

-J

Scott Goodwin wrote:
> I’m fairly certain that you can’t have multiple listeners on the same IP
> address and port number on a NIC simultaneously, even if they’re all
> binding from the same process. All three of the virtual servers below
> are configured to use the same IP address and port number, and the first
> nsopenssl instance to bind to it, ‘owns’ it. The rest get EPERM from the
> operating system. I think the way multiple SSL certificates are bound to
> a single IP address and port: the server listens on the IP and port, and
> looks at the Host header of the incoming connection to determine which
> SSL certificate to use for that particular connection. I don’t think
> AOLserver has the ability to do this today. The other way to do it is to
> create three distinct IP addresses on your NIC and use one for each SSL
> instance. There may be other ways to make this work, but any of them
> will probably require rewiring AOLserver and nsopenssl.
>
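A practical check that follows from J's point about the single SAN certificate: before setting up the one context and the virtual servers, verify that the certificate's dNSName entries actually cover every virtual host, since any host missing from the list means a reissue. This is an added example, not code from the thread or from nsopenssl; the certificate names and virtual-server list are constructed sample data, and the matching follows the RFC 6125 rule that a wildcard may only be the whole leftmost label and never spans a dot.

```python
# Added example (not from the mailing-list thread): checks whether a single
# SAN certificate covers every virtual server hostname, using the RFC 6125
# rules for dNSName matching (wildcard only as the whole leftmost label).
# The certificate names and vhost list below are constructed sample data.

def _match_dns_name(pattern: str, host: str) -> bool:
    """Return True if the SAN dNSName `pattern` matches `host`."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard must be the entire leftmost label, needs at least two more
    # labels (no "*.org"), and matches exactly one label (never across a dot).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def uncovered_hosts(san_names, vhosts):
    """Return the vhosts that no dNSName in the certificate covers."""
    return [h for h in vhosts
            if not any(_match_dns_name(n, h) for n in san_names)]


# Constructed sample: one SAN cert and the virtual servers sharing its context.
SAN_CERT_NAMES = ["www.example.org", "shop.example.org", "*.api.example.org"]
VIRTUAL_SERVERS = ["www.example.org", "shop.example.org", "v1.api.example.org",
                   "deep.v1.api.example.org", "blog.example.org"]

if __name__ == "__main__":
    missing = uncovered_hosts(SAN_CERT_NAMES, VIRTUAL_SERVERS)
    if missing:
        print("SAN cert must be reissued to add:", ", ".join(missing))
    else:
        print("SAN cert covers every virtual server")
```

With the sample data the check reports `deep.v1.api.example.org` (the wildcard covers only one label) and `blog.example.org` as uncovered.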

------------------------------------------------------------------------------
_______________________________________________
aolserver-talk mailing list
aolserver-talk@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/aolserver-talk