Well, that's a common misunderstanding of HTTPS. Imagine that you are a web server. A TCP connection comes in. You then negotiate SSL parameters over that TCP connection. After (and if) the SSL parameters are negotiated, you receive over the SSL tunnel the HTTP request, which includes, besides other things, the Host field. Now, how can you know which certificate to use when you still don't know the vhost name? :) It is a chicken-and-egg problem, as you see. The only way around it is to use separate IP addresses for each SSL-enabled vhost.
It is very nicely documented in the mod_ssl manual.

BR,
Boyan Krosnov, CCIE#8701
http://boyan.ludost.net/
just another techie speaking for himself

-----Original Message-----
From: D. Clarke [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 03, 2003 5:07 AM
To: debian-isp@lists.debian.org
Subject: Re: Apache-SSL 'n Cert Fun

Hi,

Thanks. I decrypted it this afternoon actually and it works fine. Still bugs me that it doesn't work with it encrypted, but that's another day [and not my problem :)]

However, the next problem is... With two vhosts configured, apache-ssl seems to only send out the cert for the 'default' domain regardless of which vhost I go after, even though each vhost has a separate specified .pem file. Yippi. :(

~ Darryl

----- Original Message -----
From: "Craig Sanders" <[EMAIL PROTECTED]>
To: "D. Clarke" <[EMAIL PROTECTED]>
Cc: <debian-isp@lists.debian.org>
Sent: Sunday, March 02, 2003 8:13 PM
Subject: Re: Apache-SSL 'n Cert Fun

> On Sun, Mar 02, 2003 at 08:01:20AM -0500, D. Clarke wrote:
> > apache-ssl works fine without an encrypted test key & cert... once
> > encrypted pewf, it dies (which I need, because that's how the client
> > gave it to me... ugh.)
> >
> > Any new ideas? :)
>
> use openssl and the pass-phrase to decrypt the cert. then configure
> apache to use the decrypted copy.
>
> using encrypted certificates on a web server is worse than useless.
> either:
>
> 1. you store the pass-phrase on the server so that the startup scripts
> can read it (which is pointless, any attacker that could get an
> unencrypted cert could also get an encrypted cert plus the passphrase)
>
> or
>
> 2. you manually enter the passphrase every time apache is restarted.
> this effectively prevents automatic startup of your web server at boot
> time (e.g. after a power failure, or kernel upgrade etc), and also
> makes it impossible for staff to restart the server unless they know
> the pass-phrases for all encrypted keys used by the server.
>
> since there's no security advantage in using encrypted certificates
> (item #1 above), and significant operational disadvantages (item #2),
> your best bet is to use unencrypted certificates.
>
> craig
>
> --
> craig sanders <[EMAIL PROTECTED]>
>
> Fabricati Diem, PVNC.
> -- motto of the Ankh-Morpork City Watch
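Added example, not part of any message in the thread: a shell script that reproduces both findings with nothing but the openssl command-line tool. It generates two self-signed test certs, encrypts one key with a passphrase and shows it cannot be loaded without that passphrase (then does Craig's one-off decryption), and runs a single-certificate `openssl s_server` against which a client sends HTTP requests with different Host headers inside the tunnel, reporting which certificate the server had already sent during the handshake. The vhost names (default.example, other.example), the passphrase and the port 14433 are made up for the demo; it assumes openssl is on PATH and that port is free. The thread predates TLS Server Name Indication, the extension that later allowed one address to serve several SSL vhosts; the demo server does no such selection, so it shows the 2003 behaviour exactly.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces both findings with the openssl CLI:
#  - a passphrase-encrypted key cannot be loaded without the passphrase, so decrypt it
#    once (Craig's advice) and point the server at the clear copy;
#  - the server certificate is chosen and sent in the TLS handshake, before the client
#    can send the HTTP request, so the Host header cannot influence which cert is served.
# Assumptions: openssl on PATH, local port 14433 free; vhost names and passphrase are
# made up for this demo.
set -eu

WORK=$(mktemp -d)
PORT=${PORT:-14433}
SERVER_PID=

# Self-signed cert + key for one "vhost" ($1 = CN)
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Protect a key with a passphrase, the form a customer typically hands over
# ($1 = CN, $2 = passphrase)
encrypt_key() {
  openssl rsa -in "$WORK/$1.key" -aes256 -passout "pass:$2" -out "$WORK/$1.enc.key" 2>/dev/null
}

# Succeeds only if the key file can be read with an empty passphrase, i.e. what a
# non-interactive apache start would face ($1 = key file)
key_loads_without_passphrase() {
  openssl rsa -in "$1" -noout -passin pass: 2>/dev/null
}

# Craig's step: write a clear copy of the key for the server to use ($1 = CN, $2 = passphrase)
decrypt_key() {
  openssl rsa -in "$WORK/$1.enc.key" -passin "pass:$2" -out "$WORK/$1.dec.key" 2>/dev/null
}

# One listener, one certificate: all a single IP:port can offer when the cert is picked
# before any HTTP bytes arrive. -www makes s_server answer a GET and close.
start_server() {
  openssl s_server -accept "$PORT" -cert "$WORK/default.example.crt" \
    -key "$WORK/default.example.key" -www >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1
}

# Connect, send an HTTP request with the given Host header inside the tunnel, and
# report the CN of the certificate the server had already sent during the handshake.
served_cn() {
  printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" |
    openssl s_client -connect "127.0.0.1:$PORT" 2>/dev/null |
    openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

cleanup() {
  if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null || true; fi
  rm -rf "$WORK"
}
trap cleanup EXIT

make_cert default.example
make_cert other.example

encrypt_key other.example s3cret
if key_loads_without_passphrase "$WORK/other.example.enc.key"; then
  echo "encrypted key loaded without passphrase (unexpected)"
else
  echo "encrypted key: cannot be loaded without the passphrase"
fi
decrypt_key other.example s3cret
key_loads_without_passphrase "$WORK/other.example.dec.key" && echo "decrypted copy: loads fine"

start_server
echo "Host: default.example -> cert CN $(served_cn default.example)"
echo "Host: other.example   -> cert CN $(served_cn other.example)"
```

Both `served_cn` calls report default.example: the Host header is the first thing the client can say only after the certificate has already been chosen and sent, which is the chicken-and-egg problem described above. The same check against a real server is `openssl s_client -connect host:443` piped into `openssl x509 -noout -subject`.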