> if you have two servers behind a load-balancer, you have to make sure
> that once a client starts an HTTPS conversation with one server, all
> subsequent requests are served by the same server.

True. AFAIK there are no versions of MSIE that correctly support the keepalive setting, so unless you are willing to put up with the mysterious-1-page-in-5-is-just-blank problem you have to turn keepalive off, and every request gets renegotiated.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Owen Boyle
Sent: 10 May 2002 09:02
To: [EMAIL PROTECTED]
Subject: Re: Certificates and Apache/modssl

Greg Jones wrote:
>
> All-
>
> We are planning on using commercial load balancing software for two servers
> running apache with modssl. Does Apache with modssl require that each server
> have its own certificate or can I use the same certificate on both servers
> since they'll be answering to the same virtual ip? Also, will my certificate
> be based on the virtual ip or the ip of the server. Users will always get to
> the web servers via virtual IP.

The certificate is assigned to a fully-qualified domain name, not to an IP address. The idea is that when the browser goes to www.acme.com, it expects to see a certificate containing "www.acme.com" - thus proving that the site is really www.acme.com. This is authentication, which is the second but equally important aspect of SSL that everyone forgets about... (the first aspect is encryption).

Therefore, as long as both your servers are serving the same site, they can have the same certificate (indeed, they *should* have the same cert).

There is one other problem, however. Remember that the public-key/private-key encryption is used only to negotiate the session-key. Once that has been established, the client and server communicate using the session-key and the certificate is forgotten. Now, if you have two servers behind a load-balancer, you have to make sure that once a client starts an HTTPS conversation with one server, all subsequent requests are served by the same server.

In other words, if the session-key negotiation takes place on one server but the next request comes in to the second server, it will be encrypted with a key known only to the first server. I guess the solution would be to ensure requests are split on a client basis rather than on a request basis in the load balancer.

Rgds,

Owen Boyle

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                               [EMAIL PROTECTED]
Automated List Manager                                  [EMAIL PROTECTED]
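The thread's two practical points are that the certificate is bound to the site's FQDN (not to the VIP or the backend IPs) and that both backends should present the same certificate. The script below is an added example, not code from the list thread or from mod_ssl: it handshakes with each backend directly by IP while sending the site name via SNI, verifies the chain and hostname the way a browser would, and compares SHA-256 fingerprints across backends. The hostname `www.acme.com` is the placeholder from the thread, and the backend addresses and port are placeholders (TEST-NET addresses) to be replaced; only the Python standard library is used.

```python
"""Added example (not from the mod_ssl thread): verify that every backend
behind a load balancer presents one and the same certificate, and that the
certificate is issued for the site's hostname rather than an IP address.
Hostname, backend addresses and port are placeholders. The TLS handshake is
done directly against each backend IP while sending the site name via SNI,
so the check bypasses the VIP."""
import hashlib
import socket
import ssl


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER certificate as colon-separated upper hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def cert_names(cert_dict):
    """DNS names a certificate is valid for: subjectAltName dNSName entries
    followed by the subject CN, de-duplicated. Input is the dict form
    returned by ssl.SSLSocket.getpeercert()."""
    names = []
    for kind, value in cert_dict.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    for rdn in cert_dict.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def fetch_backend_cert(hostname, backend_ip, port=443):
    """Handshake with one backend directly, sending `hostname` via SNI and
    verifying chain and hostname exactly as a browser would. Returns
    (der_bytes, cert_dict). Raises ssl.SSLCertVerificationError if the
    backend's certificate does not name `hostname`."""
    ctx = ssl.create_default_context()
    with socket.create_connection((backend_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


def find_mismatches(fingerprints):
    """Group backend -> fingerprint pairs by fingerprint. Returns {} when all
    backends serve the same certificate, else {fingerprint: [backends]}."""
    groups = {}
    for backend, fp in fingerprints.items():
        groups.setdefault(fp, []).append(backend)
    return groups if len(groups) > 1 else {}


def audit_backends(hostname, backend_ips, port=443):
    """Fetch each backend's leaf cert; return (fingerprints, names, errors,
    mismatches). Backends whose cert fails verification land in `errors`."""
    fps, names, errors = {}, {}, {}
    for ip in backend_ips:
        try:
            der, cert = fetch_backend_cert(hostname, ip, port)
        except (ssl.SSLError, OSError) as exc:
            errors[ip] = str(exc)
            continue
        fps[ip] = fingerprint(der)
        names[ip] = cert_names(cert)
    return fps, names, errors, find_mismatches(fps)


if __name__ == "__main__":
    HOSTNAME = "www.acme.com"                # placeholder name from the thread
    BACKENDS = ["192.0.2.10", "192.0.2.11"]  # placeholder TEST-NET addresses
    fps, names, errors, mismatches = audit_backends(HOSTNAME, BACKENDS)
    for ip in BACKENDS:
        if ip in errors:
            print(f"{ip}: FAILED ({errors[ip]})")
        else:
            print(f"{ip}: {fps[ip]}  names={names[ip]}")
    if mismatches:
        print("backends disagree on the certificate:", mismatches)
    elif not errors:
        print("all backends present the same certificate for", HOSTNAME)
```

A backend that serves a certificate for its own hostname or IP instead of the site name fails the hostname check inside `fetch_backend_cert` and is reported under `errors`; two backends that both pass but carry different certificates (for example after one was renewed and the other was not) show up in `mismatches`.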