> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
> Sent: Wednesday, 18 April, 2012 07:57
>
> On 4/17/2012 7:00 PM, Nou Dadoun wrote:
> > Quick question regarding certificate usage in an ssl
> > connection; you can associate a number of certificates with a
> > server endpoint - is there any way of deciding at runtime
> > which certificate is presented to the client (depending on
> > the identity of the client say).
>
> Unfortunately not (almost, read on).
>
> This has been a major problem for the top use of SSL/TLS:
> https web servers.
>
> Currently the two most common workarounds are either:
>
> A. Assign a separate IP address or port to each certificate
> (costly given the worldwide shortage of IPv4 addresses and
> the "default firewall configuration" induced shortage of
> usable TCP ports).

yes.

> B. Generate a certificate which covers all the desired
> identities, either via wildcards or SubjectAlternativeNames.

and map multiple DNS names to the same IP address, yes.

> However recent TLS versions have introduced a new mechanism
> where the client can tell the server which name it wants a
> certificate for. This is still not widely available in
> web browsers and other stock clients, but that should improve
> over time.

Called Server Name Indication, abbreviated SNI.

But note SNI or address/port selects server cert based on the server *chosen* by the client -- not client *identity* as the OP halfheartedly requested. If you want to select based on the client, you must do it indirectly by having different clients/groups use different server 'faces', maybe by giving them different URLs/links to click.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
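Worked example of the SNI selection described in the thread, added here and not part of the original message or of OpenSSL: it uses Go's standard crypto/tls package instead of OpenSSL (the OpenSSL-side equivalent is the servername callback installed with SSL_CTX_set_tlsext_servername_callback), and shows that the certificate is chosen by the name the client put in its ClientHello, not by who the client is. The names alpha.example, beta.example and gamma.example, the two self-signed certificates and the loopback server are all constructed test material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for one DNS name (constructed test material).
func selfSigned(name string) tls.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// sniConfig picks the server certificate by the SNI name in the ClientHello; unknown or absent names get def.
func sniConfig(byName map[string]tls.Certificate, def tls.Certificate) *tls.Config {
	return &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if c, ok := byName[h.ServerName]; ok {
			return &c, nil
		}
		return &def, nil
	}}
}

// handshakeName does one loopback handshake sending sni; returns the presented cert's DNS name or the client's verify error.
func handshakeName(srv *tls.Config, roots *x509.CertPool, sni string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // one-shot server; its handshake failures show up as client-side errors
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: sni, RootCAs: roots})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames[0], nil
}
```

Drive it with a config mapping alpha.example and beta.example to their own certificates (alpha's as the default) and a root pool holding both: requests for those two names get the matching certificate, while a request for gamma.example gets the fallback and fails the client's hostname check, since nothing in the exchange lets the server key its choice on the client's identity.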