I guess my comments were kind of conditioned on the certificate
being for HTTPS; however, the underlying problem occurs in all
SSL transfers: when multiple domain names resolve to the same IP
address there is no way for a server to know which of the
certificates to present, and since the negotiation of the secure
channel happens before the channel opens, there is no way to
deduce which domain name was originally given from data sent
in the channel, since it is not yet open.

I guess TLS gets around this, since you could at least
theoretically defer switching the channel into secure mode
until AFTER enough information has been presented by the
initiator for the responder to know which certificate the
initiator is going to expect.

Charles B Cranston wrote:

I think the complication is that he's going to have to use
the virtual hosts stuff so that the correct certificate can
be returned to each connection, and that this means he's
going to have to have two different IP addresses, since there
will be no way to determine WHICH certificate to send.

This is due to the chicken-and-egg problem of having to know
which certificate to send WHEN THE CONNECTION IS OPENED,
BEFORE ANY SUBMISSION HEADERS CAN BE READ.

So what he needs is:

Two different IP addresses.

Two different virtual hosts.  In Apache they would be identical
except for the SSLCertificateFile directive.

Bernhard Froehlich wrote:

David Smead schrieb:

Greetings,

I'm running Debian testing.

I have a machine with two static IPs, presently on one NIC using a virtual
interface. I'd like to make two self-signed certs, one per IP. Is this
possible given that the machine only has one hostname?


If it matters, the two IPs differ by just the last digit, but one IP is a
.com, and the other is a .net.


If necessary I can put in a second NIC so that there would be different
MACs.
[...]


I think you're on the wrong list. Using OpenSSL you can make as many certificates as you like. But I think your question is about using certificates in an application like SSHD or HTTPS, which would be more appropriate in that application's mailing lists.
At least you should tell us which application you are talking about. ;)


Ted
;)



--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]