Your comments are right, but there is some evolution.

See my mail from Feb 6, the openssl library contains a patch for the TLS extension
of servername (which still needs to be implemented in browsers), but at
least the following patch for apache2 (working with a current openssl snapshot)
not only supports the TLS servername extension but also a renegotiation when
the Host: is not "the default" one and you don't have a TLS extension.
The effects may be somewhat surprising.

Hello,

I just have put together the small patch for apache 2.2.0 which allows to use the servername extension logic in the development snapshot in order to select a different ssl context, and also to renegotiate if the vhost indicated by Host: has a different SSL_ctx (e.g. certificate).

The patch also includes a little "const" fix due to the SSL_method change.

See http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch
and http://www.edelweb.fr/EdelKey/  for the background story

Have fun
Peter

[EMAIL PROTECTED] wrote:
Thanks.

Pretty much confirms what I thought.  The OPENSSL API is so rich and I
haven't touched it (web server) in a while, I figured it wouldn't hurt to ask.

Beating a dead horse. :-)    Thanks again.

---
Hector

On 3/13/06 9:46 AM, Ted wrote:

I don't think you can use SSL to make multiple (virtual) servers work on one IP-Address and Port. Virtual Servers work with an HTTP 1.1 Header field (the "Host:"-Header) whereas SSL Handshake takes place before any HTTP headers are exchanged. So the server has no way to decide which certificate to present during SSL handshake and the browser will complain (and typically won't even start to send the HTTP headers) if the server sends the wrong one.

I think it should work if you can bind the virtual servers to different ports, though I have not tried this myself. Using different IP-Addresses for the virtual servers should be no problem, I have done this multiple times using IIS.

Hope it helps.
Ted
;)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]




--
To verify the signature, see http://edelpki.edelweb.fr/ This lets you load the authority's certificate; you will also find the list of revoked certificates there.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
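
The thread turns on when the server learns the hostname: with the TLS servername extension it arrives in the ClientHello, before any certificate is chosen, rather than in the later Host: header. As an added illustration (not part of the thread or of the Apache patch), the Python code below parses a constructed ClientHello and returns the requested name, or None for a client that sends no extension, which is the case where a server has to start with its default certificate. The function and class names, the sample hostname and the single unfragmented record are assumptions.

```python
def _vec(data, width):  # length-prefixed vector, big-endian length of `width` bytes
    return len(data).to_bytes(width, "big") + data

def build_client_hello(host=None):
    """Constructed sample input (not a capture): a minimal TLS ClientHello record."""
    exts = b""
    if host is not None:  # extension type 0 holding one (name_type 0 = host_name, name)
        exts = _vec(b"\x00\x00" + _vec(_vec(b"\x00" + _vec(host.encode("ascii"), 2), 2), 2), 2)
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00" + exts
    return b"\x16\x03\x01" + _vec(b"\x01" + _vec(body, 3), 2)

class Reader:
    """Bounds-checked cursor over bytes; raises ValueError on truncated input."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def vec(self, width):
        return self.take(int.from_bytes(self.take(width), "big"))
    def done(self):
        return self.pos == len(self.data)

def sni_from_client_hello(record):
    """Return the host_name in the server_name extension, or None if absent."""
    rec = Reader(record)
    if rec.take(3)[:1] != b"\x16":          # content type 22 = handshake, then version
        raise ValueError("not a TLS handshake record")
    hs = Reader(rec.vec(2))
    if hs.take(1) != b"\x01":               # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    ch = Reader(hs.vec(3))
    ch.take(2 + 32)                         # client_version, random
    for width in (1, 2, 1):                 # session_id, cipher_suites, compression
        ch.vec(width)
    if ch.done():
        return None                         # no extensions block at all
    exts = Reader(ch.vec(2))
    while not exts.done():
        ext_type, ext_data = exts.take(2), exts.vec(2)
        if ext_type == b"\x00\x00":         # server_name
            names = Reader(Reader(ext_data).vec(2))
            while not names.done():
                name_type, name = names.take(1), names.vec(2)
                if name_type == b"\x00":
                    return name.decode("ascii")
    return None
```

A server that gets None here cannot pick a per-vhost certificate during the handshake; that is the situation the renegotiation in the patch described above is meant to cover.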
