RE: multiple ssl servers on the same box?
Hi,

On Fri, 3 Nov 2000, David Schwartz wrote:

> > But if the server is both www.example.com and www.example.org, then
> > you're out of luck.
>
> If you only use one key, can you send two certs? Or can the same cert
> sign for two names?
>
> DS

How? Please explain!

thanks
hirntod

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

Re: multiple ssl servers on the same box?
The SSL authentication process is quite complex...aka..security intended. If a certificate doesn't sync with what it's requesting,

1:) Your browser will complain about it not being at the same location.

- Original Message -
From: David Schwartz [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, November 03, 2000 7:34 PM
Subject: RE: multiple ssl servers on the same box?

> But if the server is both www.example.com and www.example.org, then
> you're out of luck.

If you only use one key, can you send two certs? Or can the same cert sign for two names?

DS

Re: multiple ssl servers on the same box?
On Thu, Nov 02, 2000 at 08:46:15AM -0800, Geoff Thorpe wrote:
> On Thu, 2 Nov 2000, Alex Bourov wrote:

> > If you have multiple network cards on the system with various IP
> > addresses or you assigned several IP addresses to this server, then you
> > can distinguish between them by using <VirtualHost my.ip.addy.xx:443>.
> > If you want to distinguish the web sites served by one server by the
> > names they are accessed ( but the same IP address ) - you use
> > <VirtualHost my1.domain.name:443>.

> umm ... not quite. The latter point, "name-based virtual hosting", does
> not apply to SSL. The reason is quite straightforward - namely that
> "named host" is sent through as part of the clear-http request from the
> browser. In https, SSL encapsulates the entire transport to and from the
> server, so the server will only find out which host it is supposed to act
> as once it has already chosen a certificate and performed the SSL
> handshake. At that point, it's too late to change its mind and whether it
> is "my1.domain.name:443" or "my2.domain.name:443". :-)
>
> The only way to do this is to have the domains sitting on different
> IP/port combinations so that Apache (and its SSL module) knows *before*
> beginning the SSL handshake which virtual host it is supposed to be
> acting as.

my1.domain.name vs. my2.domain.name actually is a bad example, because a certificate containing a hostname of "*.domain.name" should work with both of these. (I'm not sure if all browsers actually support this, but it would work for extranets if you tell users to avoid certain browsers.)

But if the server is both www.example.com and www.example.org, then you're out of luck.

--
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036

multiple ssl servers on the same box?
Hello. (First post!)

First off, if I need to post questions about configuring Apache with mod_ssl somewhere else, please let me know where it is. Otherwise . . .

I'm having several problems (or quandaries, perhaps). The first is: when I try to specify two virtual servers using SSL like so:

    <IfDefine SSL>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    </IfDefine>

    <IfModule mod_ssl.c>
    SSLPassPhraseDialog     builtin
    SSLSessionCache         dbm:/path/to/ssl_cache
    SSLSessionCacheTimeout  300
    SSLMutex                file:/path/to/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLLog                  /path/to/ssl_engine_log
    SSLLogLevel info
    </IfModule>

    NameVirtualHost my.ip.addy.xx

    <IfDefine SSL>
    # I tried <VirtualHost _default_:443> as well.
    <VirtualHost my.ip.addy.xx:443>
    ServerName ssl.mydomain.com
    SSLEngine on
    SSLCertificateFile /path/to/cert
    SSLCertificateKeyFile /path/to/cert/key
    # other normal stuff here
    </VirtualHost>
    </IfDefine>

    # other non-SSL virtual servers here

    <IfDefine SSL>
    <VirtualHost my.ip.addy.xx:443>
    ServerName admin.mydomain.com
    SSLEngine on
    SSLCertificateFile /path/to/cert
    SSLCertificateKeyFile /path/to/cert/key
    # other normal stuff here
    </VirtualHost>
    </IfDefine>

both SSL servers freak out. In particular, they cannot find CSS files and images in the proper directories.

That being said, I was playing around with just making my "admin.mydomain.com" server do without SSL, so I took out all the SSL stuff from its VirtualHost directive; I then discovered something strange: All my virtual servers can be accessed with the https protocol, except they access the only server listening on port 443, 'ssl'. This is an odd "feature" that I'd like to prevent.

What is the difference between saying:

    <VirtualHost _default_:443>

and

    <VirtualHost my.ip.addy.xx:443>

??? Is this part of my problem?

Any input would be appreciated.

Dean.
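
The replies in this thread explain that the server picks its certificate before it can see the requested host name, so two SSL virtual hosts cannot share one IP/port unless a single certificate (such as a wildcard) covers both names. The Python check below is an added example, not part of any post in this thread: it flags SSL virtual hosts bound to the same address:port and reports whether one wildcard name would cover them. The sample configuration is constructed from the one in the original post; the function names and the rule that a wildcard matches exactly one leftmost label are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the configuration in the original post.
SAMPLE_CONF = """
<VirtualHost my.ip.addy.xx:443>
    ServerName ssl.mydomain.com
    SSLEngine on
</VirtualHost>
<VirtualHost my.ip.addy.xx:80>
    ServerName www.mydomain.com
</VirtualHost>
<VirtualHost my.ip.addy.xx:443>
    ServerName admin.mydomain.com
    SSLEngine on
</VirtualHost>
"""

def ssl_vhosts(conf):
    """Map each address:port to the ServerNames of the SSL-enabled vhosts bound to it."""
    by_addr = defaultdict(list)
    blocks = re.findall(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>",
                        conf, re.S | re.I)
    for addr, body in blocks:
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        if name and re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            by_addr[addr.lower()].append(name.group(1).lower())
    return dict(by_addr)

def common_wildcard(names):
    """Return '*.parent' if one wildcard name covers every host, else None.
    Assumption: a wildcard stands for exactly one leftmost label."""
    if any(n.count(".") < 2 for n in names):
        return None  # refuse wildcards directly under a top-level domain
    parents = {n.split(".", 1)[1] for n in names}
    return "*." + parents.pop() if len(parents) == 1 else None

def audit(conf):
    """List (address, names, wildcard) for each address:port shared by 2+ SSL vhosts."""
    return [(addr, names, common_wildcard(names))
            for addr, names in sorted(ssl_vhosts(conf).items())
            if len(set(names)) > 1]

if __name__ == "__main__":
    for addr, names, wildcard in audit(SAMPLE_CONF):
        print(f"{addr}: {names} are served by one handshake; "
              f"wildcard option: {wildcard}")
```

A result with no wildcard option (for example www.example.com and www.example.org) means the hosts need separate IP/port combinations, as the replies describe.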