On 4/14/08, Sir June <[EMAIL PROTECTED]> wrote:
> Thanks for the info about CN=*.mydomain.com
>
> What if my server has other domains as well that will use SSL certificates?
> Like www.companyA.com and www.companyB.com? And my server's hostname
> still is linux1.mydomain.com.
You have to understand how SSL and Apache's virtual hosting work.

SSL sits between the application layer and the transport layer of the OSI layering model. HTTP is on the application layer; HTTP uses TCP, which is on the transport layer, but before it reaches the transport layer it must first pass through the network layer, where the IP address resides. HTTPS is HTTP over SSL. HTTP by default listens on TCP port 80, while HTTPS listens on TCP port 443.

For an HTTPS transaction between the client and the server, before it reaches the application layer (which is the HTTP server), the client first initiates a handshake with the secure socket layer to obtain a session key for secure communication. To obtain a session key, the two pass information; that is where the server sends its certificate, which contains the expiration date, the common name for the actual server name and other fields, so the client can warn the user if it has an invalid date, an invalid common name, etc. Your problem last time was that your CN is www.ourdomain.com while the final destination of your HTTPS server is linuxN.ourdomain.com, which invalidates its certificate. Once the session key is obtained, that's the time a normal HTTP transaction begins over a secured channel.

For virtual hosting, there are two kinds: name-based and IP-based virtual hosting. Name-based depends on the "Host" HTTP header to determine which virtual host to serve. For different HTTPS or SSL certificates to be served, as you ask above, you cannot use name-based virtual hosting, because Apache cannot determine which host certificate to send: it didn't see the "Host" HTTP header during the handshake, as I explained above. Apache just sends the certificate that is first declared in your virtual host configuration file as its default certificate. In order for different SSL certificates to work, you have to use IP-based virtual hosting; therefore you need lots of unique IP addresses for this.
> Does the CN and server hostname mismatch pose a high security risk?

Yes. The purpose of the CN is to prevent the man-in-the-middle attack technique.

fooler.

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
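A small Python model of the two points made in the reply above, added here as an illustration and not code from the thread: how a client matches a certificate's CN or subjectAltName against the requested hostname (including the `*.mydomain.com` wildcard rule), and why a handshake that can only see the destination IP hands www.companyA.com the wrong certificate on a shared address. The IP addresses, certificates and vhost table are constructed for the example.

```python
# Added illustration (not from the thread): client-side name matching and the
# handshake-time certificate choice on a shared IP. All values are constructed.

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (CN or DNS SAN) against the requested host.
    A '*' is honoured only as the entire leftmost label, so '*.mydomain.com'
    covers linux1.mydomain.com but not mydomain.com or a.b.mydomain.com."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    # wildcard: same label count, at least two literal labels, tail identical
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Prefer DNS subjectAltName entries; fall back to the subject CN only when
    the certificate carries no SAN (the dict shape mimics ssl getpeercert())."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(name_matches(n, hostname) for n in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(name_matches(n, hostname) for n in cns)

# Constructed certificates in the dict shape returned by ssl.SSLSocket.getpeercert().
WILDCARD_CERT = {"subject": ((("commonName", "*.mydomain.com"),),)}
COMPANY_A_CERT = {"subject": ((("commonName", "www.companyA.com"),),),
                  "subjectAltName": (("DNS", "www.companyA.com"), ("DNS", "companyA.com"))}
COMPANY_B_CERT = {"subject": ((("commonName", "www.companyB.com"),),)}

# Constructed vhost table: (listening IP, ServerName, certificate), in config order.
# companyA shares linux1's IP (name-based); companyB has its own IP (IP-based).
VHOSTS = [
    ("192.0.2.10", "linux1.mydomain.com", WILDCARD_CERT),
    ("192.0.2.10", "www.companyA.com", COMPANY_A_CERT),
    ("192.0.2.11", "www.companyB.com", COMPANY_B_CERT),
]

def cert_for_handshake(vhosts, dest_ip: str) -> dict:
    """The Host header has not been sent when the server must pick a cert, so
    the only selector is the destination IP: the first matching vhost wins."""
    for ip, _name, cert in vhosts:
        if ip == dest_ip:
            return cert
    return vhosts[0][2]

def client_accepts(vhosts, dest_ip: str, requested_host: str) -> bool:
    """True if the browser would accept the name on the cert it receives."""
    return cert_matches_hostname(cert_for_handshake(vhosts, dest_ip), requested_host)
```

The matching rule follows RFC 6125 (a wildcard covers exactly one whole leftmost label). Modern browsers and servers also send the requested name during the handshake via the TLS Server Name Indication extension (RFC 6066), which is what lets name-based HTTPS vhosts work today.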

