On Sat, 8 Nov 2008, Jeff Ross wrote:

> My ssl hosts work.openvistas.net and cvs.work.openvistas.net resolve
> to the same IP address as everything else from the internet, but to
> different internal IP addresses beginning at 10.30.50.1 with a split
> horizon DNS setup. These two use two different self-signed certs, each
> with the correct server name in the cert.

You can't do this reliably without TLS SNI (Server Name Identification):
http://en.wikipedia.org/wiki/Server_Name_Indication

Basically, without SNI the TLS connection is established and the server
certificate is sent before the client sends the hostname. The server
therefore has no way of knowing which certificate to send to the client.
SNI allows the client to request a specific host as part of the TLS
handshake, so the server can select a certificate to send.

Source code to implement SNI is present in OpenBSD -current's OpenSSL
but is disabled. I'll look at turning it on when OpenSSL makes a stable
release with it enabled.

SNI in OpenSSL is only one prerequisite though; it also needs to be
supported by Apache or whatever HTTP server you are using. The in-tree
Apache doesn't support SNI, but perhaps apache2 in ports does.

Another problem is that only relatively new browsers support SNI.
Firefox 3 does, but I'm not sure about IE. Non-webkit mobile browsers
are not likely to support it at all. If you care about supporting a
diverse range of clients then SNI may not help you.

-d
