Re: [AOLSERVER] single AOLserver instance serving up 2 certificates based on hostname

2001-11-29 Thread Nuno Santos

Scott Goodwin wrote:
> Set up your NIC adaptor with two separate IPs. Then one nsopenssl module
> can listen on 192.168.10.10:443 and the other on 192.168.10.11:443.
> One AOLserver process can run two nsopenssl modules at the same time, you
> just have to make the second one have a different name, as you said, both
> in the nsd.tcl file and in the /bin dir. I have our second one called
> nsopenssl2 in nsd.tcl and I've created a hardlink from /bin/nsopenssl
> to /bin/nsopenssl2.

Peter M. Jansson wrote:
> You will need to use 2 separate IP addresses, because HTTP over SSL
> establishes the connection, exchanges certificates, and then starts the
> HTTP stuff -- this means that the name for the IP must match the
> certificate, and you don't yet know the virtual host being served. This
> is a problem for all HTTP servers at this time.

Thanks, Scott, Peter!

I ended up setting up two IPs as you both suggested, and having a single
AOLserver instance listening on two different nssock modules (i.e., enabling
port 80 on both servernames) and two different nsssle modules (i.e., enabling
port 443 on both servernames), with separate module names and separate copies
of the binaries, as Scott mentioned. This worked perfectly.

Thanks again,
Nuno



Re: [AOLSERVER] single AOLserver instance serving up 2 certificates based on hostname

2001-11-28 Thread Scott Goodwin

Hi Nuno,

> go about it?  My current idea was to have AOLserver listen on two distinct
> IPs (one for each domainname) and have two nsssl sections configured, one
> for each IP, but I'm not sure if this will work.

This is the only way I know of that it will work.

Since the SSL conn must be set up before *any* data crosses the gap, the
server/SSL module cannot know beforehand which site the user wants to see,
so it has no way to choose the "correct" SSL certificate to use based on
the URL. So you cannot have two sites served by the same IP/port
combination.

Set up your NIC adaptor with two separate IPs. Then one nsopenssl module
can listen on 192.168.10.10:443 and the other on 192.168.10.11:443.

This is how we did it here with Linux 2.2.x (IPAlias must be installed in
the kernel):

ifconfig eth0:0 192.168.10.10
route add -host 192.168.10.10 dev eth0:0

Note the ':0' after 'eth0' in both cases; this tells Linux that it's a
second IP address. You could put a third on with 'eth0:1'. We didn't run
this way for long, it was a test, so you may run into routing or other
network-related issues. Surely, it can't be this simple, right?


One AOLserver process can run two nsopenssl modules at the same time, you
just have to make the second one have a different name, as you said, both
in the nsd.tcl file and in the /bin dir. I have our second one called
nsopenssl2 in nsd.tcl and I've created a hardlink from /bin/nsopenssl
to /bin/nsopenssl2.


Hope that helps,

/s.



Re: [AOLSERVER] single AOLserver instance serving up 2 certificates based on hostname

2001-11-28 Thread Peter M. Jansson

You will need to use 2 separate IP addresses, because HTTP over SSL
establishes the connection, exchanges certificates, and then starts the
HTTP stuff -- this means that the name for the IP must match the
certificate, and you don't yet know the virtual host being served. This
is a problem for all HTTP servers at this time.

Using two instances of AOLserver, each bound to a separate IP address, and
each with its own certificate will work.

You won't be able to reverse proxy into these two instances, though, for
the same reason.

Pete.



[AOLSERVER] single AOLserver instance serving up 2 certificates based on hostname

2001-11-28 Thread Nuno Santos

I need to set up a single AOLserver instance that serves up two different
servernames (say, abc.com and xyz.com) from the same pageroot and, using
nsssl/nsssle/nsopenssl, correctly produces the appropriate certificate based
on the servername of the incoming https requests (that is, it should serve
the certificate for abc.com when a request for https://abc.com comes in, and
serve a different certificate for xyz.com when a request for that servername
comes in).

This is to avoid the "security warning" that most browsers will pop up when
they receive a certificate that doesn't match the domainname of the server
being visited, which happens if I use the abc.com certificate for both
servernames.

Has anyone set up a similar configuration and, if so, what's the best way to
go about it? My current idea was to have AOLserver listen on two distinct
IPs (one for each domainname) and have two nsssl sections configured, one
for each IP, but I'm not sure if this will work.

Thanks in advance,
Nuno Santos