On Sat, Aug 28, 2004, Ralph wrote:

> Charles B Cranston wrote:
>
> > > I'm trying to set up an Apache 2 based web server for multiple
> > > name based virtual hosts. As it is not possible with mod_ssl to
> > > have a separate SSL certificate file for each virtual host...
> >
> > Actually, you can, but they have to have separate IP addresses.
> > (Requiring the server host to be multi-homed...)
>
> As I wrote, I was talking about multiple name based (!) virtual hosts,
> and the mod_ssl FAQ states that you can't have a separate SSL cert file
> for each of them <http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47>. I
> know that multiple IP based virtual hosts are a different matter, but
> unfortunately I only have one IP address available for the host in
> question.
>
Well, not at present you can't. With TLS extensions this will be possible,
but currently OpenSSL doesn't support them and very few browsers do either.

> What I am trying to achieve is that this single host uses one cert which
> includes multiple CNs, so that given the following DNS entries
>
> www.domain1.org. IN A 123.234.123.234
> www.domain2.net. IN A 123.234.123.234
> www.domain3.com. IN A 123.234.123.234
>
> users can access the server via
>
> https://www.domain1.org/
> https://www.domain2.net/
> https://www.domain3.com/
>
> without a warning about the URL host name not matching the certificate
> common name. I know that with mod_ssl all three URLs will result in the
> same web page being displayed, but that is acceptable in this special
> case where a couple of domains are to be mapped to one single web site.
>
> Stephen Henson's suggestion allowed me to create and sign a certificate
> including multiple CNs. Using Internet Explorer, any of the above
> URLs are accepted without a warning. With Mozilla and Mozilla Firefox,
> however, only the first available CN in the certificate is matched
> against the URL host name. If there is a way to alter this behaviour,
> I'd be glad to hear how, but as I wrote before, there are other mailing
> lists probably better suited for this matter. Of course, if you know how
> to persuade Mozilla/Firefox to not display their warnings, please do
> speak up here! ;-)
>

With the disclaimer that I haven't tried this...

Try adding multiple subjectAltName extensions with the option "DNS". This
is the official way to indicate a hostname; putting it in CN is just for
compatibility with legacy applications.

Please post the results.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
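As an added illustration of why the subjectAltName approach in Steve's reply works where multiple CNs do not (this is example code, not part of the thread or of OpenSSL), the following models the hostname-matching rule of RFC 2818 section 3.1 against constructed certificate name sets for Ralph's three hosts. It does no real certificate parsing; the CertNames class, the two policy functions and the sample data are all assumptions made for the example.

```python
"""Hostname matching against certificate names, modelled on RFC 2818 section 3.1."""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Constructed stand-in for the name fields of an X.509 certificate."""
    common_names: list[str]                            # every CN in the subject, in order
    san_dns: list[str] = field(default_factory=list)   # subjectAltName dNSName entries


def _label_match(pattern: str, host: str) -> bool:
    """Case-insensitive compare; '*' is allowed only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # '*.domain1.org' matches exactly one label: not 'domain1.org', not 'a.b.domain1.org'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def matches_first_cn_only(cert: CertNames, host: str) -> bool:
    """The legacy behaviour Ralph observed: only the first CN is ever compared."""
    return bool(cert.common_names) and _label_match(cert.common_names[0], host)


def matches_rfc2818(cert: CertNames, host: str) -> bool:
    """Any dNSName SAN present: SANs are the identity and the CN is ignored.
    No SAN: fall back to a single CN (RFC 2818's "most specific"; this example
    takes the last one, and real implementations differ on which CN they pick)."""
    if cert.san_dns:
        return any(_label_match(name, host) for name in cert.san_dns)
    return bool(cert.common_names) and _label_match(cert.common_names[-1], host)


HOSTS = ["www.domain1.org", "www.domain2.net", "www.domain3.com"]
# Constructed certificates modelling the two approaches discussed in the thread.
MULTI_CN_CERT = CertNames(common_names=HOSTS)                       # three CN attributes
SAN_CERT = CertNames(common_names=[HOSTS[0]], san_dns=HOSTS)        # one CN, three SANs


def coverage(cert: CertNames, policy) -> dict[str, bool]:
    """Which of the three hostnames a given certificate/policy pair accepts."""
    return {h: policy(cert, h) for h in HOSTS}


if __name__ == "__main__":
    for label, cert in (("multi-CN", MULTI_CN_CERT), ("SAN", SAN_CERT)):
        print(label, "first-CN-only:", coverage(cert, matches_first_cn_only))
        print(label, "RFC 2818:     ", coverage(cert, matches_rfc2818))
```

Only the SAN certificate is accepted for all three hosts under the RFC 2818 rule; the multi-CN certificate is accepted for exactly one host under either policy, which is the warning Ralph saw.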