Re: SSL cert per virtual host.
On Wed, 20 Mar 2002 15:26:54 +0100 Vazquez Javier <j.vazquez@nzz.ch> wrote:
> AFAIK it's the name that counts and not the IP. So I would say you can even
> use different certs on the same ip and all on port 443.
er, no.
the SSL handshaking is done before the Host header is transmitted, so the
web server can't know which certificate to use until after all the SSL
stuff is already done. it's a chicken and egg problem, and a design flaw in
HTTP of SSL.
Rescorla's book on SSL and TLS talks about this exact problem in
section 9.17. supposedly, fixing this is on the list of things that might
get done in TLSv2, when-and-if that ever happens.
richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security