-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This link might help: https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

However, this relies on an extension to TLS called SNI (server name indication), which sadly isn't implemented in all clients, some less popular or older browsers for example. So it may not work in some cases, depending on the client libraries and the client software. Software using OpenSSL needs to issue an extra call to make use of it; I think it's SSL_set_tlsext_host_name. But that's not the point. The point is some software doesn't do that. It works without it in most cases, so nobody catches it until somebody complains a decade after HTTPS was coded. :-) By which time nobody remembers how it was done.

The safest bet is to have an extra IP address.

PS: if you do this, IMHO you might want to watch the logs for a while to see if any problems arise (I saw some crap about SNI when I tested it some time back).

PPS: does anybody have any idea about the PKS/SKS clients out there, i.e. whether they do this correctly? I only tested web browsers myself.

Martin

On 06/01/2014 11:05 PM, John Zaitseff wrote:
> Hi,
>
> I am setting up https://keyserver.zap.org.au/ to be used by
> hkps.pool.sks-keyservers.net. I am trying to serve different SSL
> certificates depending on the incoming hostname. Does anyone know
> if this is possible within the SAME VirtualHost configuration
> block under Apache?
>
> My current configuration includes:
>
> <VirtualHost *:11372 *:443>
>     ServerAdmin keymas...@zap.org.au
>     ServerName keyserver.zap.org.au
>     ServerAlias *.sks-keyservers.net
>
>     SSLEngine on
>
>     # Only allow secure ciphers and protocols: SSLv3 and TLSv1
>     SSLCipherSuite HIGH:MEDIUM:!ADH
>     SSLProtocol all -SSLv2
>
>     SSLCertificateFile /etc/ssl/certs/keyserver.pem
>     SSLCertificateKeyFile /etc/ssl/private/keyserver.pem
>     SSLCACertificateFile /etc/ssl/certs/ZAP_Group_CA_Root.pem
>
>     <Proxy *>
>         Order allow,deny
>         Allow from all
>     </Proxy>
>
>     ProxyPass / http://127.0.0.1:11371/
>     ProxyPassReverse / http://127.0.0.1:11371/
>     ProxyVia On
>
>     SetEnv proxy-nokeepalive 1
>
>     ...
> </VirtualHost>
>
> I know I can create a second VirtualHost block with
> SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile
> pointing to the sks-keyservers.net-generated certificates, but is
> it possible to do this within the SAME VirtualHost block, based on
> environment variables, etc.?
>
> Yours truly,
>
> John Zaitseff
>
> --
> John Zaitseff                    ,--_|\    The ZAP Group
> Phone:  +61 2 9643 7737         /      \   Sydney, Australia
> E-mail: j.zaits...@zap.org.au   \_,--._*   http://www.zap.org.au/
>                                       v
>
> _______________________________________________
> Sks-devel mailing list
> Sks-devel@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/sks-devel
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
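Martin's open question, whether the hkps/SKS clients actually send SNI, can be settled by looking at the first record a client sends rather than by guessing from its source. The Python below is an added example, not code from this thread, from SKS or from Apache: parse_sni() pulls the host_name out of the server_name extension (RFC 6066) of a raw TLS ClientHello record, returning None for a client that sends no SNI (the case in which Apache can only hand out the default certificate). The records it is exercised on are constructed by build_client_hello() in the block itself, not captured from any real client, and all function names are this example's own.

```python
"""Extract the SNI host name from a raw TLS ClientHello record.

Added example for the SNI discussion above; not part of the thread, SKS or
Apache. build_client_hello() constructs sample records so the parser can be
run offline; nothing here is a real capture.
"""
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: client_hello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (RFC 6066)
NAME_TYPE_HOST = 0x00     # the only defined NameType: host_name


def _u16(buf, off):
    """Big-endian uint16 at buf[off], with an explicit bounds check."""
    if off + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[off:off + 2])[0]


def build_client_hello(server_name=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record.

    With server_name=None the extensions block is omitted entirely, which is
    what a pre-SNI client (or OpenSSL code that never calls
    SSL_set_tlsext_host_name) puts on the wire."""
    body = b"\x03\x03" + bytes(32)          # client_version 3.3, random (zeros)
    body += b"\x00"                          # session_id: empty
    body += b"\x00\x02\x00\x2f"              # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                      # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("idna")
        entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # record layer: type, legacy version 3.1, length
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name the client asked for, or None if it sent no SNI.

    Raises ValueError for anything that is not a complete ClientHello record."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = _u16(record, 3)
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                             # skip client_version and random
    pos += 1 + body[pos]                     # session_id
    pos += 2 + _u16(body, pos)               # cipher_suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                     # compression_methods
    if pos >= len(body):
        return None                          # no extensions block at all
    ext_end = pos + 2 + _u16(body, pos)
    pos += 2
    if ext_end > len(body):
        raise ValueError("truncated extensions")

    while pos + 4 <= ext_end:
        etype, elen = _u16(body, pos), _u16(body, pos + 2)
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        list_end = 2 + _u16(edata, 0)
        q = 2
        while q + 3 <= list_end:
            ntype, nlen = edata[q], _u16(edata, q + 1)
            q += 3
            if ntype == NAME_TYPE_HOST:
                return edata[q:q + nlen].decode("ascii")
            q += nlen
    return None


if __name__ == "__main__":
    for name in ("keyserver.zap.org.au", "hkps.pool.sks-keyservers.net", None):
        print(name, "->", parse_sni(build_client_hello(name)))
```

To test a real client, point it at a listening socket (or capture with tcpdump), take the bytes up to the end of the first record, and hand them to parse_sni(); a None result means that client will always land on the vhost Apache treats as the default for that address and port, whatever ServerName it was trying to reach. The server-side counterpart is to compare the certificate returned by openssl s_client -connect host:443 -servername name with the one returned without -servername: if they differ, certificate selection on that server depends on SNI, and the log watching Martin suggests is worth doing.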