roxen.lists.roxen.general

Subject: Re: Roxen and SSL
Author: Velpi <velpi[at]industria[dot]be>
Date: 20-01-2009
Use the SSL SAN extension (Subject Alternative Name): one SSL 
certificate for multiple 'common names'. Of course your (commercial) CA 
needs to support this (e.g. 
http://www.verisign.com/ssl/buy-ssl-certificates/subject-alternative-name-certificates/index.html).

this is why:
1) TCP/IP connection setup: SSL handshake using *THE* certificate
2) encrypted HTTP connection setup: contains HTTP 1.1 'HOST' header for 
virtual hosting
....

The data that provides the virtual host functionality (from HTTP v1.1) 
is sent AFTER the encrypted connection is set up. So there is no way any 
webserver can choose which certificate it should use on one TCP socket 
(IP+port combination); it can only use 1 for every connection to that 
socket.

--Velpi


Bertrand LUPART wrote:
> Hello,
> 
>> I currently have 2 virtual servers in Roxen. Both using SSL.
>> https://www.foo.com and
>> https://www.example.com.
>>
>> Now I've created a SSL key file, and did a signing
>> request for www.foo.com, which works excellent.
>>
>> Then I've created a signing request for www.example.com, and
>> added the certificate to the (I don't get why) global list
>> under ports. 
>>
>> So now I see a list with certificates,
>> one for www.example.com and one for www.foo.com. The problem now
>> is, that roxen always chooses the top one certificate. So 
>> if I connect to either virtual, the top one is chosen which
>> causes the client in one of both virtual servers to
>> warn about not being the right certificate.
>>
>> Now it may be just me, but why is even the ssl-keyfile global,
>> and not separate for each virtual server?
>>
>> And in short term, how can I use different certificates for different
>> virtual servers?
> 
> We had a similar discussion on the Caudium mailing list and currently
> trying to solve the same problem:
> 
> <http://thread.gmane.org/gmane.comp.web.server.caudium.devel/524/focus=552>
> (when the subject changes to "HTTPS virtual hosts")
> 
> Let us know what works/doesn't work for you.
> 


-- 
/---------------------------------------------
| Jan "Velpi" Van der Velpen
| <Velpi[at]industria.be> || +32 (0) 498 61 24 89
\---------------------------------------------
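To see the point of the reply above in code, here is an added example (not from the list or from Roxen) that builds two throwaway self-signed certificates with Go's standard library, one naming only www.foo.com and one carrying both virtual hosts in its SAN extension, and checks which virtual hosts a client would warn about when that single certificate is served on one IP+port. The function names and the self-signed certificates are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate whose Subject
// Alternative Name extension lists dnsNames (constructed for this example).
func selfSignedCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames, // the SAN extension: one cert, many names
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// vhostWarnings reports, per virtual host on one IP:port, whether a client
// would warn because the one certificate served there does not name the host.
func vhostWarnings(cert *x509.Certificate, vhosts []string) map[string]bool {
	warn := make(map[string]bool, len(vhosts))
	for _, h := range vhosts {
		warn[h] = cert.VerifyHostname(h) != nil
	}
	return warn
}

func main() {
	vhosts := []string{"www.foo.com", "www.example.com"}
	single, _ := selfSignedCert([]string{"www.foo.com"})
	san, _ := selfSignedCert(vhosts)
	fmt.Println("foo-only cert:", vhostWarnings(single, vhosts))
	fmt.Println("SAN cert     :", vhostWarnings(san, vhosts))
}
```

The first map shows the situation from the question (the top certificate is used for every connection, so the other virtual host gets a warning); the second shows that a SAN certificate naming both hosts clears it without needing a second certificate on the socket.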