"Kevin Murphy" <kevinpatrickmur...@gmail.com> writes:
> ...would like to get some clarification on the above points.
> It would be terrific if I could use one certificate for multiple hosts.

Kevin:

That is the default behavior of Apache when you configure the SSL-enabled web server instance to respond on all IP addresses (with a wildcard) on the port: a single certificate responds to all requests on the port. The only way to offer different certificates in Apache is to create separate SSL instances responding on different IP addresses and/or ports. Fortunately, it seems you're getting what you need!

I believe the article you referenced describes how to recompile Apache with GnuTLS and patches to offer multiple certificates on the same IP address and port, much like virtualhost can offer different docroots on the same IP address and port. From my limited understanding, virtualhost certificates on the same IP address and port are still a work in progress with Apache server and would require an RFC4633-compliant client.

Cheers,
..............................
Mark Lavi, Senior Web Producer, SGI
ml...@sgi.com || tel: 408.524.7347 || sgi.com <http://www.sgi.com/>
Innovation for Results

________________________________
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kevin Murphy
Sent: Thursday, January 08, 2009 9:51 PM
To: openssl-users@openssl.org
Subject: TLS SSL and virtual hosts

Hi OpenSSL Users,

I am setting up an Ubuntu 8.10 LAMP server on a Linode VPS. I have an older Ubuntu 6.10 VPS set up as well that I configured with self-signed certificates and CACert. I would like to set this new server up with a certificate from Thawte, or Verisign, et al. (I'm open to suggestions)... But, more importantly, I was wondering if anyone could clarify something for me. I am reading conflicting information with regards to SSL certs and vhosts. I came across a couple of "howto" articles for setting up one certificate that will cover all virtual hosts on a web server... one static IP, one certificate, multiple sites, lots of saved money!

One post did this using gnutls, http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/ and another post using recompiled Apache and OpenSSL, http://howtoforge.com/enable-multiple-https-sites-on-one-ip-using-tls-extensions-on-debian-etch

One knowledgeable person claimed that the gnutls method would hinder performance, while a different and more recent post claimed that the latest gnutls is now the better way to go. These posts were all made in 2006 - 2007; I can't find any recent howtos or information as to whether OpenSSL or Apache still require recompiling (I don't have any experience with that, just "apt-get install..." and configure) or whether this can really be done effectively, as the Apache docs claim it cannot be (http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts).

Needless to say, I am new to SSL, CAs, encryption, etc., and would like to get some clarification on the above points. It would be terrific if I could use one certificate for multiple hosts. I do realize that folks with older browsers would still get a security warning, but I think the ability to have multiple hosts under one certificate would be far more beneficial!

Thanks in advance for the help opensslers,

Kevin
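The thread turns on one mechanism: on a single IP address and port, a TLS server only knows which name the client wants if the client sends it in the handshake (the Server Name Indication extension, RFC 4366 at the time of this thread, RFC 6066 today). Without it the server has to answer with the certificate of its default virtual host, which is why Kevin expects older browsers to see a warning. The following Python model is an added example written for this page; it is not code from Apache, mod_gnutls or OpenSSL. The virtual-host table, hostnames and certificate names are constructed sample data, and `select_vhost` is a simplified stand-in for Apache's name-based selection (first-defined vhost is the default, `ServerName`/`ServerAlias` decide the rest). It shows both ways out of Kevin's problem: one certificate that lists every site name (works even without SNI) versus one certificate per site (correct only when the client sends SNI), plus the hostname-matching rule a browser applies to the certificate it receives.

```python
"""Model of certificate selection for name-based TLS virtual hosts.

Added example for this mailing-list thread; not Apache, mod_gnutls or
OpenSSL code. All hostnames, vhosts and certificate names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class VHost:
    server_name: str
    cert_names: list                  # CN plus SubjectAltName DNS entries on the cert
    aliases: list = field(default_factory=list)

    def serves(self, host):
        names = [self.server_name] + self.aliases
        return host.lower() in [n.lower() for n in names]


def dns_name_matches(pattern, hostname):
    """Browser-style name check (RFC 6125 rules): a wildcard is allowed only
    as the entire leftmost label and matches exactly one label, so
    '*.example.com' matches 'www.example.com' but not 'example.com' or
    'a.b.example.com'; '*.com'-style wildcards are refused."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname):
    """True if any name on the certificate matches the host the client asked for."""
    return any(dns_name_matches(n, hostname) for n in cert_names)


def select_vhost(vhosts, sni_name=None):
    """Simplified name-based selection on one IP:port (assumption: mirrors
    Apache's first-defined-vhost-is-default rule). Without SNI the server has
    no hostname at handshake time and must fall back to the default vhost."""
    if sni_name is None:
        return vhosts[0]
    for vh in vhosts:
        if vh.serves(sni_name):
            return vh
    return vhosts[0]


def handshake_outcome(vhosts, requested_host, client_sends_sni):
    """Which vhost answers, which certificate it presents, and whether the
    client's hostname check on that certificate would pass."""
    vh = select_vhost(vhosts, requested_host if client_sends_sni else None)
    return {
        "vhost": vh.server_name,
        "cert_names": list(vh.cert_names),
        "hostname_ok": cert_covers(vh.cert_names, requested_host),
    }


# Constructed sample 1: a separate certificate per site; only works with SNI.
SEPARATE_CERTS = [
    VHost("www.example.com", ["www.example.com", "example.com"], aliases=["example.com"]),
    VHost("shop.example.net", ["shop.example.net"]),
]

# Constructed sample 2: one certificate naming every site; works without SNI.
SHARED_CERT = ["www.example.com", "example.com", "shop.example.net", "*.blog.example.org"]
ONE_CERT = [
    VHost("www.example.com", SHARED_CERT, aliases=["example.com"]),
    VHost("shop.example.net", SHARED_CERT),
    VHost("news.blog.example.org", SHARED_CERT),
]


if __name__ == "__main__":
    for label, table in (("separate certs", SEPARATE_CERTS), ("one shared cert", ONE_CERT)):
        for sni in (True, False):
            r = handshake_outcome(table, "shop.example.net", sni)
            print(f"{label:16} SNI={sni!s:5} -> vhost {r['vhost']:18} "
                  f"hostname check {'ok' if r['hostname_ok'] else 'WARNING'}")
```

Run as a script it prints the four combinations; the one that fails is "separate certs" without SNI, where the default vhost's certificate for `www.example.com` is handed to a client that asked for `shop.example.net`. That is the older-browser warning Kevin mentions, and the shared-certificate table avoids it regardless of whether the client sends SNI.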