web: Half an operating system: The triumph and tragedy of OS/2 | Ars Technica

2013-11-26 Thread Gabe Goldberg

Interesting (long) recap...

http://arstechnica.com/business/2013/11/half-an-operating-system-the-triumph-and-tragedy-of-os2/

--
Gabriel Goldberg, Computers and Publishing, Inc.   g...@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042   (703) 204-0433
LinkedIn: http://www.linkedin.com/in/gabegold   Twitter: GabeG0

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/


Thoughts on multiple certificates for Apache host

2013-11-26 Thread Martha McConaghy
Certs for securing connections have always been a "black art" to me.  So, I
have a feeling that a few of you on this list will probably have some good
ideas for us.

We run a lot of Apache web servers on zLinux (SLES 11 mainly).  Several are
"general use" web servers, i.e. we have a lot of little web sites running as
vhosts on one virtual server.  They all share the same IP address and Apache
sorts out "who is who" on the incoming transaction based on the URL requested.

Now, from what little I understand of certs, there can be only 1 per IP
address.  So, if we get a cert for the general use web server, it will apply to
all vhosts on that server.  If we want individual certs for each vhost, we
would have to supply an IP/NIC for each.  Do I have that correct?  If so,
any ideas on how to get around that?

For example, could we host multiple IPs from the same NIC if the server is
on a layer 2 vswitch?  (Will it do trunking, basically?)  Is there an easier
way to approach this?

Martha



Thoughts on multiple certificates for Apache host

2013-11-26 Thread R P Herrold
On Tue, 26 Nov 2013, Martha McConaghy wrote:

> Now, from what little I understand of certs, there can be only 1 per IP
> address.

formerly true, but not so any more for quite some time

see:
  http://www.ietf.org/rfc/rfc3546.txt
for the standard, called SNI -- Server Name Indication
(section 3.1 and following).  The RFC dates from June 2003 but
it took a few years to propagate through the system ;)

> So, if we get a cert for the general use web server, it will apply to
> all vhosts on that server.  If we want individual certs for each vhost, we
> would have to supply an IP/NIC for each.  Do I have that correct?  If so,
> any ideas on how to get around that?

As I say, SNI gets around this

http://www.digicert.com/ssl-support/apache-secure-multiple-sites-sni.htm

in browsers that know how to use it.  Any recent browser will;
older browsers should be retired anyway as they almost
certainly have unpatched security issues

http://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

[ No particular reason to prefer their doco, but a search on
Google put it forth first ]

We have done it with the StartCom SSL certs as well in the
past.  I recall editing the file from mod_ssl in
/etc/httpd/conf.d/, rather than the vhost specification .conf
file, but this is local workflow related

-- Russ herrold
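
The SNI setup discussed in this message, as an added example that is not part of the original thread or of the linked vendor documentation: two name-based vhosts sharing one address and port, each presenting its own certificate. Hostnames, file paths and the 192.0.2.10 address are constructed placeholders; it assumes Apache 2.2.12 or later with mod_ssl built against an OpenSSL that supports the TLS server_name extension.

```apache
# Added example (constructed): names, paths and the address are placeholders.
# Assumes Apache 2.2.12+ and an OpenSSL build with SNI support.
Listen 443

# Apache 2.2 needs this to enable name-based vhosts on the TLS port.
# In Apache 2.4 the directive is deprecated and has no effect.
NameVirtualHost *:443

# With "off" (the default), a client that sends no server_name extension
# is handed the FIRST vhost below and therefore its certificate, which
# produces a name-mismatch warning for every other site.
# With "on", such clients are refused instead.
SSLStrictSNIVHostCheck on

# First vhost for this address/port: the default when no name matches.
<VirtualHost *:443>
    ServerName site-a.example.com
    DocumentRoot /srv/www/vhosts/site-a

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/site-a.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/site-a.example.com.key
</VirtualHost>

# Second site on the same IP and port, selected by the name in the
# TLS ClientHello, with its own certificate and key.
<VirtualHost *:443>
    ServerName site-b.example.org
    DocumentRoot /srv/www/vhosts/site-b

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/site-b.example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/site-b.example.org.key
</VirtualHost>

# Check which certificate each name receives (run from a client):
#   openssl s_client -connect 192.0.2.10:443 -servername site-a.example.com
#   openssl s_client -connect 192.0.2.10:443 -servername site-b.example.org
# Compare the "subject=" line of the two outputs; they should differ.
```

Private key files should be readable by root only, and the server_name value travels unencrypted in the ClientHello, so SNI separates certificates but does not hide which site a client is visiting.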



Re: Thoughts on multiple certificates for Apache host

2013-11-26 Thread Richard Troth
On Tue, Nov 26, 2013 at 3:58 PM, Martha McConaghy wrote:
> Certs for securing connections have always been a "black art" to me.  So, I
> have a feeling that a few of you on this list will probably have some good
> ideas for us.

Black art ... fair assessment. But rest easy; just pay no attention to
that man behind the curtain.

> We run a lot of Apache web servers on zLinux (SLES 11 mainly).  Several are
> "general use" web servers, i.e. we have a lot of little web sites running as
> vhosts on one virtual server.  They all share the same IP address and Apache
> sorts out "who is who" on the incoming transaction based on the URL requested.

Right. Virtual hosting.

> Now, from what little I understand of certs, there can be only 1 per IP
> address.  So, if we get a cert for the general use web server, it will apply to
> all vhosts on that server.  If we want individual certs for each vhost, we
> would have to supply an IP/NIC for each.  Do I have that correct?  If so,
> any ideas on how to get around that?

Sad, but true.
However, if the virtual hosts can all fit under one wildcard, you may
get some relief. You'd still have only one certificate, but you would
not lose your virtual hosting.
See Apache's wiki page about this ...

http://wiki.apache.org/httpd/NameBasedSSLVHosts

> For example, could we host multiple IPs from the same NIC if the server is
> on a layer 2 vswitch?  (Will it do trunking, basically?)  Is there an easier
> way to approach this?

Works on my Layer 2 VSwitch.

> Martha



--
-- R;
Rick Troth
Velocity Software
http://www.velocitysoftware.com/
