"KR" == Kurt Roeckx writes:

KR> As I understand it, it will not do the renegotiation if you do it
KR> for the whole virtual host.

>> but wouldn't it cause prompts for certificate for the whole virtual
>> host? i'd like to protect (with certificate validation) only part of
>> the site, e.g. the admin interface, leaving the rest of the site for
>> general users. i.e. the requirement to put the certificate
>> validation for the whole virtual host requires creating a separate
>> website with a dedicated IP address, which is not always desirable.

KR> I'm not sure a new IP address is required for it.

with the ordinary SSL there's indeed a problem with serving multiple
name-based SSL hosts on the same IP (and port). (Because the SSL
handshake takes place before the expected hostname is sent to the
server, the server doesn't know which certificate to present when the
connection is made. So the hosts will have to share the same SSL
certificate, which in general requires to serve them on separate IPs or
ports, to avoid certificate mismatch warning from browser.)

but it appears that there's some new extension to TLS, called SNI, which
should allow to work around this problem:

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

anyway, there's still at least the inconvenience to separate the
client-certificate-protected area into the separate virtual host (and
thus modify DNS), but at least, it seems, there's no need to serve it
from a different IP.

Best,
v.
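
The layout discussed in the message above, as an added Apache mod_ssl configuration sketch that is not part of the original e-mail: two name-based TLS virtual hosts share one IP and port via SNI, and only the admin host asks for a client certificate. The hostnames and file paths are placeholders chosen for illustration.

```apache
# Added example: two name-based TLS virtual hosts on one IP:port, selected by SNI.
# Hostnames and file paths below are placeholders, not values from the thread.
# Apache 2.2 also needs "NameVirtualHost *:443"; Apache 2.4 does not.

# Refuse clients that send no SNI instead of silently serving the first vhost.
SSLStrictSNIVHostCheck on

# Public site: no client certificate requested, so general users see no prompt.
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /srv/www/public
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key

    # Per-path alternative from the thread, left commented out: mod_ssl only
    # learns the requested path after the handshake, so requiring a client
    # certificate here forces a renegotiation on the first /admin request.
    # <Location /admin>
    #     SSLVerifyClient require
    #     SSLVerifyDepth 1
    # </Location>
</VirtualHost>

# Admin site: the client certificate is requested in the initial handshake,
# so no renegotiation takes place.
<VirtualHost *:443>
    ServerName admin.example.org
    DocumentRoot /srv/www/admin
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/admin.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/admin.example.org.key
    # CA that issued the administrators' client certificates.
    SSLCACertificateFile  /etc/ssl/certs/admin-client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 1
</VirtualHost>
```

Both names must resolve to the same address, which is the DNS change the message mentions.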