Re: name based virtual host and apache-ssl - thanx
seph wrote: >> I've checked the wildcard in the server name and it seem to work on >> win2k and above, so I guess I'll stick to that. > > It may have changed, but when I looked into this several years ago, > win2k didn't support star certs. well, I checked with updated version (all the service packs and security updates) and it was ok. in any case I'm not going to spend so much money. > > seph Bye -- Haim
Re: name based virtual host and apache-ssl - thanx
> I've checked the wildcard in the server name and it seem to work on > win2k and above, so I guess I'll stick to that. It may have changed, but when I looked into this several years ago, win2k didn't support star certs. seph
Re: name based virtual host and apache-ssl - thanx
seph wrote: >> I've checked the wildcard in the server name and it seem to work on >> win2k and above, so I guess I'll stick to that. > > It may have changed, but when I looked into this several years ago, > win2k didn't support star certs. well, I checked with updated version (all the service packs and security updates) and it was ok. in any case I'm not going to spend so much money. > > seph Bye -- Haim -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl - thanx
> I've checked the wildcard in the server name and it seem to work on > win2k and above, so I guess I'll stick to that. It may have changed, but when I looked into this several years ago, win2k didn't support star certs. seph -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl - thanx
Adrian 'Dagurashibanipal' von Bidder wrote: > On Thursday 25 March 2004 10.12, Haim Ashkenazi wrote: >> [...] decided to buy certificate from >> versign [...] > > [ok, this goes offtopic.sorry.] > > You sure about that? Verisign is the company who break DNS (yes, the world > wide DNS. Not just their servers. Well, it *was* their servers, but that's > exactly the problem) in some respect to increase their profit (search some > tech news site for wildcard dns record), were forced to undo that, and > announced they would do it again in the near future. Verisign is the > company who sold a certificate for microsoft.com to some joe random - so I > guess somebody might do the same for your site.. Verisign is the company > who routinely spams people who try to change their domain name > registration to a different provider, or who have done so in the past. > > [I think their 'separating out' the registry business and all this is a > technicality. It's still the same]. > > No, I won't name any other company here, and I'm not afiliated to any > company selling certificates. well I didn't know that, but after seeing how much they're charging (900$ a year) we decided not to buy. I've checked the wildcard in the server name and it seem to work on win2k and above, so I guess I'll stick to that. > > cheers > -- vbi > thanx -- Haim
Re: name based virtual host and apache-ssl - thanx
On Thursday 25 March 2004 10.12, Haim Ashkenazi wrote: > [...] decided to buy certificate from > versign [...] [ok, this goes offtopic.sorry.] You sure about that? Verisign is the company who break DNS (yes, the world wide DNS. Not just their servers. Well, it *was* their servers, but that's exactly the problem) in some respect to increase their profit (search some tech news site for wildcard dns record), were forced to undo that, and announced they would do it again in the near future. Verisign is the company who sold a certificate for microsoft.com to some joe random - so I guess somebody might do the same for your site.. Verisign is the company who routinely spams people who try to change their domain name registration to a different provider, or who have done so in the past. [I think their 'separating out' the registry business and all this is a technicality. It's still the same]. No, I won't name any other company here, and I'm not afiliated to any company selling certificates. cheers -- vbi -- There are never enough hours in a day, but always too many days before Saturday. pgpA4ZCxDMSoj.pgp Description: signature
Re: name based virtual host and apache-ssl - thanx
Adrian 'Dagurashibanipal' von Bidder wrote: > On Thursday 25 March 2004 10.12, Haim Ashkenazi wrote: >> [...] decided to buy certificate from >> versign [...] > > [ok, this goes offtopic.sorry.] > > You sure about that? Verisign is the company who break DNS (yes, the world > wide DNS. Not just their servers. Well, it *was* their servers, but that's > exactly the problem) in some respect to increase their profit (search some > tech news site for wildcard dns record), were forced to undo that, and > announced they would do it again in the near future. Verisign is the > company who sold a certificate for microsoft.com to some joe random - so I > guess somebody might do the same for your site.. Verisign is the company > who routinely spams people who try to change their domain name > registration to a different provider, or who have done so in the past. > > [I think their 'separating out' the registry business and all this is a > technicality. It's still the same]. > > No, I won't name any other company here, and I'm not afiliated to any > company selling certificates. well I didn't know that, but after seeing how much they're charging (900$ a year) we decided not to buy. I've checked the wildcard in the server name and it seem to work on win2k and above, so I guess I'll stick to that. > > cheers > -- vbi > thanx -- Haim -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl - thanx
On Thursday 25 March 2004 10.12, Haim Ashkenazi wrote: > [...] decided to buy certificate from > versign [...] [ok, this goes offtopic.sorry.] You sure about that? Verisign is the company who break DNS (yes, the world wide DNS. Not just their servers. Well, it *was* their servers, but that's exactly the problem) in some respect to increase their profit (search some tech news site for wildcard dns record), were forced to undo that, and announced they would do it again in the near future. Verisign is the company who sold a certificate for microsoft.com to some joe random - so I guess somebody might do the same for your site.. Verisign is the company who routinely spams people who try to change their domain name registration to a different provider, or who have done so in the past. [I think their 'separating out' the registry business and all this is a technicality. It's still the same]. No, I won't name any other company here, and I'm not afiliated to any company selling certificates. cheers -- vbi -- There are never enough hours in a day, but always too many days before Saturday. pgp0.pgp Description: signature
Re: name based virtual host and apache-ssl - thanx
Haim Ashkenazi wrote: Michael Stone wrote: On Wed, Mar 24, 2004 at 06:14:52PM +0100, Elmar S. Heeb wrote: Well, actually there is a solution: use wild cards in the name of the keys. You can make the certificate for *.mycompany.com for several web sites within mycompany.com, That's probably not particularly useful for a virtual hosting service (presumably, customers would like their own name, otherwise they could just have ~whatever). or you can go so far as to use * for any host name. Getting that signed by a useful registrar would be a trick. but does all the IE versions (let's say since version 5) support wildcard in the name? I'm asking this because we were asked to host some sites that include online store, and I think that most users when they see warning goes with the default (which is not to continue display the page). btw, after discussing it with my boss, we decided to buy certificate from versign. will this change the picture? thanx -- Haim Try this -> http://httpd.apache.org/docs-2.1/ssl/ssl_faq.html#msie
Re: name based virtual host and apache-ssl - thanx
At 18:14 on Wed, 24 Mar 2004, Elmar S. Heeb wrote: > Well, actually there is a solution: use wild cards in the name of the > keys. You can make the certificate for *.mycompany.com for several web > sites within mycompany.com, or you can go so far as to use * for any host > name. Most modern browsers will accept such a certificate, some will > complain and still accept it. In my experience, *.mycompany.com would match foo.mycompany.com but not foo.bar.mycompany.com - which may be sufficient if you can get into people's heads that the domains are www.mycompany.com and sales.mycompany.com and definitely not www.sales.mycompany.com So I have a feeling that * would match 'com' or 'org' but nothing more useful. Though it may vary from browser to browser. -- Chris "No candidate achieved quota: | "Candidates elected: Action: Eliminate 150 students and| Yes" transfer their votes." - DEVote (11/3/04) | - Beremiz (13/3/04)
Re: name based virtual host and apache-ssl - thanx
Michael Stone wrote: > On Wed, Mar 24, 2004 at 06:14:52PM +0100, Elmar S. Heeb wrote: >>Well, actually there is a solution: use wild cards in the name of the >>keys. You can make the certificate for *.mycompany.com for several web >>sites within mycompany.com, > > That's probably not particularly useful for a virtual hosting service > (presumably, customers would like their own name, otherwise they could > just have ~whatever). > >>or you can go so far as to use * for any host name. > > Getting that signed by a useful registrar would be a trick. but does all the IE versions (let's say since version 5) support wildcard in the name? I'm asking this because we were asked to host some sites that include online store, and I think that most users when they see warning goes with the default (which is not to continue display the page). btw, after discussing it with my boss, we decided to buy certificate from versign. will this change the picture? thanx -- Haim
Re: name based virtual host and apache-ssl - thanx
Haim Ashkenazi wrote: Michael Stone wrote: On Wed, Mar 24, 2004 at 06:14:52PM +0100, Elmar S. Heeb wrote: Well, actually there is a solution: use wild cards in the name of the keys. You can make the certificate for *.mycompany.com for several web sites within mycompany.com, That's probably not particularly useful for a virtual hosting service (presumably, customers would like their own name, otherwise they could just have ~whatever). or you can go so far as to use * for any host name. Getting that signed by a useful registrar would be a trick. but does all the IE versions (let's say since version 5) support wildcard in the name? I'm asking this because we were asked to host some sites that include online store, and I think that most users when they see warning goes with the default (which is not to continue display the page). btw, after discussing it with my boss, we decided to buy certificate from versign. will this change the picture? thanx -- Haim Try this -> http://httpd.apache.org/docs-2.1/ssl/ssl_faq.html#msie -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl - thanx
At 18:14 on Wed, 24 Mar 2004, Elmar S. Heeb wrote: > Well, actually there is a solution: use wild cards in the name of the > keys. You can make the certificate for *.mycompany.com for several web > sites within mycompany.com, or you can go so far as to use * for any host > name. Most modern browsers will accept such a certificate, some will > complain and still accept it. In my experience, *.mycompany.com would match foo.mycompany.com but not foo.bar.mycompany.com - which may be sufficient if you can get into people's heads that the domains are www.mycompany.com and sales.mycompany.com and definitely not www.sales.mycompany.com So I have a feeling that * would match 'com' or 'org' but nothing more useful. Though it may vary from browser to browser. -- Chris "No candidate achieved quota: | "Candidates elected: Action: Eliminate 150 students and| Yes" transfer their votes." - DEVote (11/3/04) | - Beremiz (13/3/04) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl - thanx
Michael Stone wrote: > On Wed, Mar 24, 2004 at 06:14:52PM +0100, Elmar S. Heeb wrote: >>Well, actually there is a solution: use wild cards in the name of the >>keys. You can make the certificate for *.mycompany.com for several web >>sites within mycompany.com, > > That's probably not particularly useful for a virtual hosting service > (presumably, customers would like their own name, otherwise they could > just have ~whatever). > >>or you can go so far as to use * for any host name. > > Getting that signed by a useful registrar would be a trick. but does all the IE versions (let's say since version 5) support wildcard in the name? I'm asking this because we were asked to host some sites that include online store, and I think that most users when they see warning goes with the default (which is not to continue display the page). btw, after discussing it with my boss, we decided to buy certificate from versign. will this change the picture? thanx -- Haim -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl - thanx
On Wed, Mar 24, 2004 at 06:14:52PM +0100, Elmar S. Heeb wrote: Well, actually there is a solution: use wild cards in the name of the keys. You can make the certificate for *.mycompany.com for several web sites within mycompany.com, That's probably not particularly useful for a virtual hosting service (presumably, customers would like their own name, otherwise they could just have ~whatever). or you can go so far as to use * for any host name. Getting that signed by a useful registrar would be a trick. Mike Stone
Re: name based virtual host and apache-ssl - thanx
On Wed, 24 Mar 2004, Haim Ashkenazi wrote: > Haim Ashkenazi wrote: > > > Hi > > > > I'm running a web (ssl) server with several virtual domains. at the moment > > they are name based (non-ip) which of course produce a warning in the > > user's browser when he try to connect to a host that is not the default > > one (key). I've looked in the documentation and found that ssl doesn't > > support name based virtual domains. I was wondering if there is a way > > around that (like using rewrite rules). say I want to offer web hosting, > > do I need to have different IP for every https domain I'm hosting? this > > could result in having to buy a few hundred IP's... > > > well, I guess I'll have to use all my IP's... Well, actually there is a solution: use wild cards in the name of the keys. You can make the certificate for *.mycompany.com for several web sites within mycompany.com, or you can go so far as to use * for any host name. Most modern browsers will accept such a certificate, some will complain and still accept it. As far as security is concerned, the encryption is just as secure as with any other certificate. The only problem might arise if someone steals the private key and sets up another web site. They can then pretend you signed the certificate for their site and use it in a phishing attack. However, the barrier for phishing attacks low because of social engineering and not because of fake certificates. And then you can guard your private key in the first place. Hope this helps. -- Elmar -- Dr. Elmar S. Heeb, HPV F58email: [EMAIL PROTECTED] Departement Physik, ETH Zurichvoice: +41 1 633 2591 CH-8093 Zurichfax: +41 1 633 1239 Switzerland mobile: +41 79 628 7524
Re: name based virtual host and apache-ssl - thanx
On Wed, Mar 24, 2004 at 06:14:52PM +0100, Elmar S. Heeb wrote: Well, actually there is a solution: use wild cards in the name of the keys. You can make the certificate for *.mycompany.com for several web sites within mycompany.com, That's probably not particularly useful for a virtual hosting service (presumably, customers would like their own name, otherwise they could just have ~whatever). or you can go so far as to use * for any host name. Getting that signed by a useful registrar would be a trick. Mike Stone -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl - thanx
On Wed, 24 Mar 2004, Haim Ashkenazi wrote: > Haim Ashkenazi wrote: > > > Hi > > > > I'm running a web (ssl) server with several virtual domains. at the moment > > they are name based (non-ip) which of course produce a warning in the > > user's browser when he try to connect to a host that is not the default > > one (key). I've looked in the documentation and found that ssl doesn't > > support name based virtual domains. I was wondering if there is a way > > around that (like using rewrite rules). say I want to offer web hosting, > > do I need to have different IP for every https domain I'm hosting? this > > could result in having to buy a few hundred IP's... > > > well, I guess I'll have to use all my IP's... Well, actually there is a solution: use wild cards in the name of the keys. You can make the certificate for *.mycompany.com for several web sites within mycompany.com, or you can go so far as to use * for any host name. Most modern browsers will accept such a certificate, some will complain and still accept it. As far as security is concerned, the encryption is just as secure as with any other certificate. The only problem might arise if someone steals the private key and sets up another web site. They can then pretend you signed the certificate for their site and use it in a phishing attack. However, the barrier for phishing attacks low because of social engineering and not because of fake certificates. And then you can guard your private key in the first place. Hope this helps. -- Elmar -- Dr. Elmar S. Heeb, HPV F58email: [EMAIL PROTECTED] Departement Physik, ETH Zurichvoice: +41 1 633 2591 CH-8093 Zurichfax: +41 1 633 1239 Switzerland mobile: +41 79 628 7524 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl - thanx
Haim Ashkenazi wrote: > Hi > > I'm running a web (ssl) server with several virtual domains. at the moment > they are name based (non-ip) which of course produce a warning in the > user's browser when he try to connect to a host that is not the default > one (key). I've looked in the documentation and found that ssl doesn't > support name based virtual domains. I was wondering if there is a way > around that (like using rewrite rules). say I want to offer web hosting, > do I need to have different IP for every https domain I'm hosting? this > could result in having to buy a few hundred IP's... > well, I guess I'll have to use all my IP's... pity... thanx -- Haim
Re: name based virtual host and apache-ssl
On Wed, 2004-03-24 at 08:01, Russell Coker wrote: > On Wed, 24 Mar 2004 22:22, Michael Stone <[EMAIL PROTECTED]> wrote: > > The best you could do would be to attach different certificates to > > different ports, but that would be extremely cumbersome and probably > > would lead to confusion. > > What if you had http://www.company1.com/ redirect to > https://www.company1.com:81/ and http://www.company2.com/ redirect to > https://www.company2.com:82/ ? > > www.company1.com and www.company2.com would have the same IP address. This > should work. Why go that route. Many Proxies do not allow :81 :82 etc... It would suck. How many instances would that force you to run anyway. Many. Almost be easier to just say SSL == Separate virtual/real machine, and that would suck as well. But, on the flip-side, most companies/people wanting SSL typically want their own machine to keep the info "safe" from other prying eyes. -- [EMAIL PROTECTED] REMEMBER ED CURRY! http://www.iwethey.org/ed_curry Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup signature.asc Description: This is a digitally signed message part
Re: name based virtual host and apache-ssl
On Thu, Mar 25, 2004 at 12:01:07AM +1100, Russell Coker wrote: On Wed, 24 Mar 2004 22:22, Michael Stone <[EMAIL PROTECTED]> wrote: The best you could do would be to attach different certificates to different ports, but that would be extremely cumbersome and probably would lead to confusion. What if you had http://www.company1.com/ redirect to https://www.company1.com:81/ and http://www.company2.com/ redirect to https://www.company2.com:82/ ? That's what I'm talking about. The problem is that people will likely try to just hit https://www.company?.com/ and won't get what they expect. IOW, it's technically possible but socially awkward. Mike Stone
Re: name based virtual host and apache-ssl
On Wed, 24 Mar 2004 22:22, Michael Stone <[EMAIL PROTECTED]> wrote: > The best you could do would be to attach different certificates to > different ports, but that would be extremely cumbersome and probably > would lead to confusion. What if you had http://www.company1.com/ redirect to https://www.company1.com:81/ and http://www.company2.com/ redirect to https://www.company2.com:82/ ? www.company1.com and www.company2.com would have the same IP address. This should work. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: name based virtual host and apache-ssl
On Wed, Mar 24, 2004 at 12:18:58PM +0100, J.H.M. Dassen (Ray) wrote: > Yes, see "How to use TLS in application protocols" under > http://www.gnu.org/software/gnutls/documentation/gnutls/gnutls.html for > details. Interesting - I didn't know this was possible! There's even support for it in Apache 2... but do today's browsers support it? Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: name based virtual host and apache-ssl - thanx
Haim Ashkenazi wrote: > Hi > > I'm running a web (ssl) server with several virtual domains. at the moment > they are name based (non-ip) which of course produce a warning in the > user's browser when he try to connect to a host that is not the default > one (key). I've looked in the documentation and found that ssl doesn't > support name based virtual domains. I was wondering if there is a way > around that (like using rewrite rules). say I want to offer web hosting, > do I need to have different IP for every https domain I'm hosting? this > could result in having to buy a few hundred IP's... > well, I guess I'll have to use all my IP's... pity... thanx -- Haim -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl
Haim Ashkenazi wrote: Hi I'm running a web (ssl) server with several virtual domains. at the moment they are name based (non-ip) which of course produce a warning in the user's browser when he try to connect to a host that is not the default one (key). I've looked in the documentation and found that ssl doesn't support name based virtual domains. I was wondering if there is a way around that (like using rewrite rules). say I want to offer web hosting, do I need to have different IP for every https domain I'm hosting? this could result in having to buy a few hundred IP's... Best solution is to have IP for each virtual domain. Tricky solution is to use X509v3 extension in certificate called alternativeHostname. You can have many alternativeHostname records in one certificate. Usig this you can use one certificate for all domains. But this is realy ugly solution. You have to regenarate certificate each time some of your domains changes. And of course some clients do not understand X509v3 extensions. Ivan Brezina
Re: name based virtual host and apache-ssl
On Wed, 2004-03-24 at 08:01, Russell Coker wrote: > On Wed, 24 Mar 2004 22:22, Michael Stone <[EMAIL PROTECTED]> wrote: > > The best you could do would be to attach different certificates to > > different ports, but that would be extremely cumbersome and probably > > would lead to confusion. > > What if you had http://www.company1.com/ redirect to > https://www.company1.com:81/ and http://www.company2.com/ redirect to > https://www.company2.com:82/ ? > > www.company1.com and www.company2.com would have the same IP address. This > should work. Why go that route. Many Proxies do not allow :81 :82 etc... It would suck. How many instances would that force you to run anyway. Many. Almost be easier to just say SSL == Separate virtual/real machine, and that would suck as well. But, on the flip-side, most companies/people wanting SSL typically want their own machine to keep the info "safe" from other prying eyes. -- [EMAIL PROTECTED] REMEMBER ED CURRY! http://www.iwethey.org/ed_curry Novell's Directory Services is a competitive product to Microsoft's Active Directory in much the same way that the Saturn V is a competitive product to those dinky little model rockets that kids light off down at the playfield. -- Thane Walkup signature.asc Description: This is a digitally signed message part
Re: name based virtual host and apache-ssl
On Wed, Mar 24, 2004 at 06:22:35AM -0500, Michael Stone wrote: > On Wed, Mar 24, 2004 at 12:55:11PM +0200, Haim Ashkenazi wrote: > >(key). I've looked in the documentation and found that ssl doesn't support > >name based virtual domains. > > Correct; that would be impossible (the SSL session is established before > the client sends the name of the host it is looking for). I've heard somewhere that it might be possible to specify multiple subjects in a single X.509 cert. That would solve the problem, provided that the clients supported this feature.. Could you confirm/refute the rumour? bit, adam -- Seven deadly sins | 1024D/37B8D989 | Seven signs Seven gates to hell | 954B 998A E5F5 BA2A 3622 | Seven lies Seven world wonders | 82DD 54C2 843D 37B8 D989 | Seven days Seven years bad luck | http://sks.dnsalias.net | Seven dreams
Re: name based virtual host and apache-ssl
On Wed, Mar 24, 2004 at 12:55:11PM +0200, Haim Ashkenazi wrote: (key). I've looked in the documentation and found that ssl doesn't support name based virtual domains. Correct; that would be impossible (the SSL session is established before the client sends the name of the host it is looking for). I was wondering if there is a way around that No. say I want to offer web hosting, do I need to have different IP for every https domain I'm hosting? Yes. The best you could do would be to attach different certificates to different ports, but that would be extremely cumbersome and probably would lead to confusion. Mike Stone
Re: name based virtual host and apache-ssl
On Wed, Mar 24, 2004 at 12:55:11 +0200, Haim Ashkenazi wrote: > I've looked in the documentation and found that ssl doesn't support name > based virtual domains. Yes, see "How to use TLS in application protocols" under http://www.gnu.org/software/gnutls/documentation/gnutls/gnutls.html for details. HTH, Ray -- What is this talk of software 'releases'? Klingons do not 'release' software; our software ESCAPES, leaving a bloody trail of designers and quality assurance people in its wake!
Re: name based virtual host and apache-ssl
On Thu, Mar 25, 2004 at 12:01:07AM +1100, Russell Coker wrote: On Wed, 24 Mar 2004 22:22, Michael Stone <[EMAIL PROTECTED]> wrote: The best you could do would be to attach different certificates to different ports, but that would be extremely cumbersome and probably would lead to confusion. What if you had http://www.company1.com/ redirect to https://www.company1.com:81/ and http://www.company2.com/ redirect to https://www.company2.com:82/ ? That's what I'm talking about. The problem is that people will likely try to just hit https://www.company?.com/ and won't get what they expect. IOW, it's technically possible but socially awkward. Mike Stone -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl
On Wed, 24 Mar 2004 22:22, Michael Stone <[EMAIL PROTECTED]> wrote: > The best you could do would be to attach different certificates to > different ports, but that would be extremely cumbersome and probably > would lead to confusion. What if you had http://www.company1.com/ redirect to https://www.company1.com:81/ and http://www.company2.com/ redirect to https://www.company2.com:82/ ? www.company1.com and www.company2.com would have the same IP address. This should work. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl
On Wed, Mar 24, 2004 at 12:18:58PM +0100, J.H.M. Dassen (Ray) wrote: > Yes, see "How to use TLS in application protocols" under > http://www.gnu.org/software/gnutls/documentation/gnutls/gnutls.html for > details. Interesting - I didn't know this was possible! There's even support for it in Apache 2... but do today's browsers support it? Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl
Haim Ashkenazi wrote: Hi I'm running a web (ssl) server with several virtual domains. at the moment they are name based (non-ip) which of course produce a warning in the user's browser when he try to connect to a host that is not the default one (key). I've looked in the documentation and found that ssl doesn't support name based virtual domains. I was wondering if there is a way around that (like using rewrite rules). say I want to offer web hosting, do I need to have different IP for every https domain I'm hosting? this could result in having to buy a few hundred IP's... Best solution is to have IP for each virtual domain. Tricky solution is to use X509v3 extension in certificate called alternativeHostname. You can have many alternativeHostname records in one certificate. Usig this you can use one certificate for all domains. But this is realy ugly solution. You have to regenarate certificate each time some of your domains changes. And of course some clients do not understand X509v3 extensions. Ivan Brezina -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl
On Wed, Mar 24, 2004 at 06:22:35AM -0500, Michael Stone wrote: > On Wed, Mar 24, 2004 at 12:55:11PM +0200, Haim Ashkenazi wrote: > >(key). I've looked in the documentation and found that ssl doesn't support > >name based virtual domains. > > Correct; that would be impossible (the SSL session is established before > the client sends the name of the host it is looking for). I've heard somewhere that it might be possible to specify multiple subjects in a single X.509 cert. That would solve the problem, provided that the clients supported this feature.. Could you confirm/refute the rumour? bit, adam -- Seven deadly sins | 1024D/37B8D989 | Seven signs Seven gates to hell | 954B 998A E5F5 BA2A 3622 | Seven lies Seven world wonders | 82DD 54C2 843D 37B8 D989 | Seven days Seven years bad luck | http://sks.dnsalias.net | Seven dreams -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl
On Wed, Mar 24, 2004 at 12:55:11PM +0200, Haim Ashkenazi wrote: (key). I've looked in the documentation and found that ssl doesn't support name based virtual domains. Correct; that would be impossible (the SSL session is established before the client sends the name of the host it is looking for). I was wondering if there is a way around that No. say I want to offer web hosting, do I need to have different IP for every https domain I'm hosting? Yes. The best you could do would be to attach different certificates to different ports, but that would be extremely cumbersome and probably would lead to confusion. Mike Stone -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: name based virtual host and apache-ssl
On Wed, Mar 24, 2004 at 12:55:11 +0200, Haim Ashkenazi wrote: > I've looked in the documentation and found that ssl doesn't support name > based virtual domains. Yes, see "How to use TLS in application protocols" under http://www.gnu.org/software/gnutls/documentation/gnutls/gnutls.html for details. HTH, Ray -- What is this talk of software 'releases'? Klingons do not 'release' software; our software ESCAPES, leaving a bloody trail of designers and quality assurance people in its wake! -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
