Re: certificates for multiple domains

Wed, 05 Dec 2001 16:19:48 -0800 

The problem is not from Apache or whatever the web server you use. The
point is that named virtual host is not possible with SSL.

The very first thing that comes with an HTTPS connection is the SSL
handshaking, and then the HTTP request. In the SSL handshaking, the server
sends the certificate to the client (and optionally requests a certificate
from the client), and they both negociate cipher parameters.

Once the SSL layer has been established, the HTTP request can get through,
and at only this moment the client informs the server of the named virtual
host he'd like to talk to... Too bad, the certificate has already been
sent, and the client has already displayed the warning telling that the
certificate has surely been stolen...

Apache can't do anything here.

On Wed, 5 Dec 2001, Jason Hendriks wrote:

> Even with Apache?  Surely you can configure the web server to virtual-host
> two separate domains both with SSL support?
>
>
> ----- Original Message -----
> From: "Lutz Jaenicke" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 05, 2001 5:11 PM
> Subject: Re: your mail
>
>
> > On Wed, Dec 05, 2001 at 02:47:39PM -0500, Jason Hendriks wrote:
> > > I needed an SSL certificate for my POP3-SSL server (ipopd), so I created
> a self-signed certificate using the CA.pl tool and openssl.  It works fine,
> but my question is since there are two domains for this machine's IP, how
> can I create a certificate for more than one common name?  Do I have to
> create two certificates and configure the daemon to look at both?  Or do I
> combine two certificates into one somehow?
> >
> > It is not possible to have two domains on one IP, as there is only one
> > CommonName entry available in a certificate.
> > In the future it may be possible to have more than one entry by using
> > the dNSName feature of SubjectAlternateName, but as far as I know,
> > this is not widely supported by client software (read this last statement:
> > I don't know of any client software supporting it).

-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-----
Looking at Sun man pages versus Linux man pages is like
looking at a Van Gogh or Monet after studying the
work of the high school football player taking
art as an "easy" elective.
                                     Amy Graf, BitMover

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to