Use the SSL SAN extension (Subject Alternative Name): one SSL certificate for multiple 'common names'. Of course your (commercial) CA needs to support this. (e.g. http://www.verisign.com/ssl/buy-ssl-certificates/subject-alternative-name-certificates/index.html)

This is why:
1) TCP/IP connection setup: SSL handshake using *THE* certificate
2) encrypted HTTP connection setup: contains HTTP 1.1 'HOST' header for virtual hosting
...

The data that provides the virtual host functionality (from HTTP v1.1) is sent AFTER the encrypted connection is set up. So there is no way any webserver can choose which certificate it should use on one TCP socket (IP+port combination); it can only use 1 for every connection to that socket.

--Velpi


Bertrand LUPART wrote:
Hello,

I currently have 2 virtual servers in Roxen. Both using SSL.
https://www.foo.com and
https://www.example.com.

Now I've created a SSL key file, and did a signing
request for www.foo.com, which works excellent.

Then I've created a signing request for www.example.com, and
added the certificate to the (I don't get why) global list
under ports.
So now I see a list with certificates, one for www.example.com and
one for www.foo.com. The problem now is that roxen always chooses the
top certificate. So if I connect to either virtual, the top one is
chosen, which causes the client in one of both virtual servers to
warn about not being the right certificate.

Now it may be just me, but why is even the ssl-keyfile global,
and not separate for each virtual server?

And in short term, how can I use different certificates for different
virtual servers?

We had a similar discussion on the Caudium mailing list and are currently
trying to solve the same problem:

<http://thread.gmane.org/gmane.comp.web.server.caudium.devel/524/focus=552>
(when the subject changes to "HTTPS virtual hosts")

Let us know what works/doesn't work for you.



--
/---------------------------------------------
| Jan "Velpi" Van der Velpen
| [email protected] || +32 (0) 498 61 24 89
\---------------------------------------------
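As an added illustration of the SAN approach suggested above (example script, not from the thread or from Roxen/Caudium): it issues one self-signed certificate whose Subject Alternative Name lists both virtual hosts from the question, then uses openssl to confirm that the same certificate validates for each name and is rejected for an unlisted one. It assumes OpenSSL 1.1.1 or newer (for `req -addext`); the file paths, key size and the third hostname are made up.

```shell
#!/bin/sh
# Added example: one certificate covering several virtual hosts via SAN.
# Assumes OpenSSL >= 1.1.1; paths and key size are arbitrary choices.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CERT="$WORK/san-cert.pem"
KEY="$WORK/san-key.pem"

# Create one key and one self-signed certificate. The CN carries the first
# name only; clients match against the SAN list, so both names go there.
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=www.foo.com" \
        -addext "subjectAltName=DNS:www.foo.com,DNS:www.example.com" \
        >/dev/null 2>&1
}

# Return 0 if the certificate is valid for the given hostname, 1 otherwise.
# The self-signed certificate acts as its own trust anchor for this check,
# so only the hostname match decides the outcome.
cert_matches_host() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

# Show the SAN extension as actually encoded in the issued certificate.
show_san() {
    openssl x509 -in "$CERT" -noout -ext subjectAltName
}

make_san_cert
show_san
# www.other.test is a constructed name that is NOT in the SAN list.
for host in www.foo.com www.example.com www.other.test; do
    if cert_matches_host "$host"; then
        echo "$host: certificate accepted"
    else
        echo "$host: certificate rejected"
    fi
done
```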
