[EMAIL PROTECTED] wrote:
On 3/13/06 8:43 AM, openssl-users@openssl.org wrote to All:

On Mon, 2006-03-13 at 08:35 -0500, [EMAIL PROTECTED] wrote:
So for one group, they will give them an HTTPS URL for domainX, and for
another group, they will give them another HTTP URL for DomainY, but
they will be hitting the same IP server.

Sounds like a virtual domain.  If you have 2 domains hitting the same
web server is that not virtual hosting?

I would think so. But they are using the same IP address.

Yes, that's probably the most common type of virtual host. Virtual hosts come in various flavors. Think of it this way:

If a web server can only serve resources for a single entity by binding to a single IP:PORT, it does not support virtual hosts.

If a web server can serve resources for multiple entities by binding to a separate IP:PORT for each entity, it supports IP-based virtual hosts.

If a web server can serve resources for multiple entities on a single IP:PORT by varying the resources served based on the HTTP Host: header, it supports name-based virtual hosts.

An entity is usually a host (www.example.com, www.example.net) but can also be an IP address (192.168.1.2) or something else altogether (you can pass any string in the Host: header, for example). It depends on the context.

Apache supports both IP- and name-based virtual hosts.

Our web server, per IP, is only reading 1 CRT and 1 KEY file that was
created for the single common name; domain used by the customer when he got
the certificate.

That is a current limitation of SSL, one key/cert (or CN) per IP:PORT.

They have 1 web server setup. According to them, they had multiple domains
going to the same IP NON-SSL web side. This is purely based on having
multiple A records to the same IP address. But now when they turned on
SSL, with one certificate, they are running into browser "domain mismatch"
conflicts. So I was asked how to resolve this.

You can't, until some kind of name-based SSL handshake is implemented, or until CAs and clients support multiple domains in a certificate.

If they get multiple certificates, one per common name, but each going to
the same IP, my web server is not seeing the difference.

Currently, the simplest solution is to use a separate IP for each SSL host (CN).


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
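
Added example (not part of the original thread or of any poster's message): a small Python audit that models the constraint discussed above, where the server picks its certificate from IP:PORT alone, before any Host: header arrives. The address 192.168.1.3 and all function names are constructed for illustration, and CN matching is assumed to be an exact name comparison.

```python
# Constructed sample data throughout; models "one key/cert (CN) per IP:PORT".

def cert_for(listeners, ip, port):
    """Certificate CN the server presents on this socket address.
    Only (ip, port) is known at handshake time; Host: has not been sent yet."""
    return listeners.get((ip, port))

def cn_matches(cn, hostname):
    """Assumption: exact, case-insensitive comparison of CN to the dialed name."""
    return cn.lower() == hostname.lower().rstrip(".")

def audit(a_records, listeners, port=443):
    """Map each hostname to (ip, served_cn, ok) as a browser would see it."""
    report = {}
    for hostname, ip in a_records.items():
        cn = cert_for(listeners, ip, port)
        ok = cn is not None and cn_matches(cn, hostname)
        report[hostname] = (ip, cn, ok)
    return report

def mismatches(report):
    """Hostnames that would trigger a "domain mismatch" warning."""
    return sorted(h for h, (_, _, ok) in report.items() if not ok)

# Layout from the thread: multiple A records to one IP, one certificate.
SHARED_DNS = {"www.example.com": "192.168.1.2",
              "www.example.net": "192.168.1.2"}
SHARED_LISTENERS = {("192.168.1.2", 443): "www.example.com"}

# Layout suggested in the reply: a separate IP for each SSL host (CN).
SPLIT_DNS = {"www.example.com": "192.168.1.2",
             "www.example.net": "192.168.1.3"}  # constructed second address
SPLIT_LISTENERS = {("192.168.1.2", 443): "www.example.com",
                   ("192.168.1.3", 443): "www.example.net"}

if __name__ == "__main__":
    for label, dns, listeners in (("shared IP", SHARED_DNS, SHARED_LISTENERS),
                                  ("IP per CN", SPLIT_DNS, SPLIT_LISTENERS)):
        report = audit(dns, listeners)
        for host, (ip, cn, ok) in sorted(report.items()):
            print(f"{label:10} {host:16} -> {ip:12} cert CN={cn} "
                  f"{'ok' if ok else 'MISMATCH'}")
```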
