I think people have been saying SNI does not satisfy the Safari browser. The SSL warning still pops up. Can someone verify?

On Sat, Apr 24, 2010 at 3:03 PM, Jason Nunnelley <ja...@jasonn.com> wrote:

> On 4/24/10 4:42 PM, Wang, Mary Y wrote:
>
>> Crypto,
>>
>> Thanks for the info on SNI. I'm currently running on httpd-2.0.46,
>> therefore, SNI support is not there. The browsers support listed on that
>> wiki can't support the browser versions that are offered in the company
>> currently. The application is running on Redhat 3.9.
>>
>> Are you saying that I can request two IPs for the same server? I'd need
>> to contact our admin over here. I am not sure if we can request a wildcard
>> cert either.
>>
>> If I just request another SSL cert for the second site (not doing any of
>> the methods that you listed below), would Apache still use the default SSL
>> cert for the main site? The user would still get that warning? Is that what
>> you are saying?
>>
>> Please advise.
>>
>
> Mary, you've got a few options here.
>
> 1) Upgrade your server and run SNI even though most sys admins refuse to
> run it. Not likely going to be your pick.
> 2) Add an IP number to your server and run multiple IPs, allowing you to
> set up traditional IP based SSL hosting. You have to do 1 IP per SSL cert if
> you do this. This is an IP on the server. So, you'll configure the server to
> take an extra IP and then add the IP to the configuration for the SSL Apache
> config.
> 3) Run a unified multi-domain SSL certificate. You'll have to buy a new
> certificate from someone who sells a unified certificate. It means you can
> run multiple domains on the same IP, each with different domain names, but
> hosted on the same IP. Some call this a "wildcard" SSL cert. But, typical
> wildcard SSL certs are meant for X.domain.com and not X.com and Y.com.
> You'll want a cert where you can assign multiple domains to the single cert.
>
> Most host providers will sell you an IP for this purpose, if it's an actual
> physical server. If it's ephemeral (cloud hosting), that's likely not an
> option.
>
> You can not run multiple domain certificates without either IP based SSL
> configuration or SNI. IP based SSL certificates will apply the first
> certificate it finds in the configuration. The second is an error, or
> superfluous. It's actually a broken configuration and you should receive an
> apachectl configtest error message if you test the configuration.
>
> --
>
> Jason A. Nunnelley
> +1 2562971652
>
> http://www.google.com/profiles/imjasonn
>
> [Member Tekany, LLC]
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>    "   from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
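
An added illustration, not part of the thread and not Apache's code: a simplified Python model of the options discussed above, showing which certificate reaches the browser and whether the hostname check passes. `example.com` and `example.org` stand in for the two sites; the addresses, function names and the first-match selection model are assumptions made for the example.

```python
# Simplified model (an assumption, not Apache source) of which certificate a
# TLS server presents and whether the browser's hostname check passes.

def name_matches(hostname, pattern):
    """Compare a hostname with one certificate name; '*' covers only the left-most label."""
    host, pat = hostname.lower().split("."), pattern.lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, cert_names):
    return any(name_matches(hostname, n) for n in cert_names)

def served_cert(vhosts, ip, sni_name=None):
    """vhosts: (ip, server_name, cert_names) tuples in config-file order.
    The certificate is sent before the HTTP Host header can be read, so
    without SNI only the destination IP selects a vhost: first match wins."""
    on_ip = [v for v in vhosts if v[0] == ip]
    if sni_name is not None:
        for v in on_ip:
            if v[1] == sni_name.lower():
                return v[2]
    return on_ip[0][2]

def browser_warns(vhosts, ip, hostname, client_sends_sni):
    cert = served_cert(vhosts, ip, hostname if client_sends_sni else None)
    return not cert_covers(hostname, cert)

# Constructed sample layouts (documentation-range addresses).
IP1, IP2 = "192.0.2.10", "192.0.2.11"
ONE_IP = [(IP1, "example.com", ["example.com"]),       # two certs, one IP
          (IP1, "example.org", ["example.org"])]
TWO_IPS = [(IP1, "example.com", ["example.com"]),      # option 2: one IP per cert
           (IP2, "example.org", ["example.org"])]
UNIFIED = [(IP1, "example.com", ["example.com", "example.org"]),   # option 3
           (IP1, "example.org", ["example.com", "example.org"])]
WILDCARD = [(IP1, "example.com", ["*.example.com"]),   # wildcard for one domain only
            (IP1, "example.org", ["*.example.com"])]

if __name__ == "__main__":
    for label, layout, ip in [("two certs, one IP", ONE_IP, IP1),
                              ("one IP per cert", TWO_IPS, IP2),
                              ("unified cert", UNIFIED, IP1),
                              ("wildcard cert", WILDCARD, IP1)]:
        print(label, "-> example.org warns without SNI:",
              browser_warns(layout, ip, "example.org", False))
```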