Michael Grant wrote:
> 
> I've been playing around with the apache and our virtual hosts.  I am
> well aware that I could have different certs for each IP address if I
> were using IP based virtual hosting but I'm using name based virtual
> hosts.
> 
> I host a variety of domains which are not at all subdomains of my main
> domain.  What I would like to do is have one cert for all my domains.
> 
> I sort of have it working with name based virtual hosting, but in some
> cases, I get the following warning in Internet Explorer:
> 
> "The name on the security certificate does not match the name of the
> site."

Indeed. There is a fundamental problem with using NBVHs with SSL - it
doesn't work, see:
 
        http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
        http://marc.theaimsgroup.com/?l=apache-modssl&m=98559369910170&w=2

You can get it "sort of" working if you don't mind that all your VHs
share the same certificate. What happens is:

- an https request for a session comes in on port 443 - that's all
apache gets. Since the session hasn't been established yet, there is no
Host header.
- with no host header, apache has no idea which VH to use (what can it
use to match the ServerName?).
- since apache doesn't know which VH to use, it can't decide which
certificate to send.
- to get out of the loop, apache just selects the first VH on port 443
and sends its certificate.
- probably the cert is for a different site so the browser pops a
warning. If the user clicks OK, the browser establishes a session-key,
encrypts its request (this time containing a host header) and sends it
off.
- the server decrypts the request and now finds the Host header. 
- Now apache can decide which VH to use and so serves the correct
content.

But you can't get by the warning because the default cert doesn't match
the requested site.

The only possible non-general "solution" is if the sites are like
www1.acme.com, www2.acme.com and so on. Then you can get a wildcard cert
which is valid for *.acme.com. Even then though, the behaviour is
browser dependent. Before you ask, there is no such thing as a
super-wildcard *.*.com cert...

Rgds,

Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
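An added diagnostic, not part of the thread: the first function implements the browser's name-matching rule that produces the warning above (a wildcard is honoured only as the whole leftmost label and covers exactly one label, so *.acme.com covers www1.acme.com but not acme.com, and a *.*.com pattern never matches); the second connects to a server and reports which names the certificate it actually serves carries. Function names, the acme.com examples and the assumption that the server's chain validates against the system CA store are mine; omitting the hostname from the handshake reproduces what the browsers in this thread did, whereas modern clients send it (SNI) and so may get a different vhost's certificate.

```python
import socket
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (CN or SAN dNSName) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # A single wildcard, only as the entire leftmost label, and at least
    # two fixed labels to its right: '*.com' and '*.*.com' are rejected.
    if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # The wildcard stands in for exactly one non-empty label.
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def cert_covers_host(cert_names, hostname: str) -> bool:
    """True if any name on the certificate covers the requested site."""
    return any(name_matches(n, hostname) for n in cert_names)


def names_presented_by(hostname: str, port: int = 443, send_sni: bool = False):
    """Return the DNS names on the certificate hostname:port actually serves.

    Assumption: the chain validates against the system CA store. Hostname
    checking is switched off because the point is to observe which
    certificate the server picks, not to enforce a match. With
    send_sni=False the hostname is not sent in the handshake, which is the
    situation described in the thread.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname if send_sni else None) as tls:
            cert = tls.getpeercert()
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names
```

Run `cert_covers_host(names_presented_by("www2.acme.com"), "www2.acme.com")` against your own host to see whether the certificate the first VH on 443 hands out covers the site a visitor asked for.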
