httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: SSL enabled name virtual hosts
Date Mon, 06 Mar 2006 10:25:29 GMT
> -----Original Message-----
> From: David Burry [mailto:dburry@tagnet.org] 
> Sent: Montag, 6. März 2006 11:08
> To: dev@httpd.apache.org
> Subject: Re: SSL enabled name virtual hosts
> >   
> We use a "wildcard cert" to overcome this situation... the technical 
> limitation is that all the SSL "hosts" have to end with the 
> same domain 

Absolutely. I've no doubt this indeed works - there is nothing in the protocol to prevent
it doing so. 

How did you get your wildcard cert? Did you buy it? Apparently, the cert sellers (Thwate,
Versign etc.) are not too keen on selling wildcards for the simple reason that it reduces
the number of certs required (and hence sold) - a bit like the everlasting light bulb... Was
that your experience?

My understanding is that most people using this solution are using self-signed certs and are
in a non-commercial operation. I guess a commercial vendor could use it if they wanted to
compartmentalise their trade (eg, books.amazon.com, dvds.amazon.com, software.amazon.com,
etc.)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

PS - as Nick points out, Server Name Indication is also a method to achieve SSL-NBVH but,
again, is waiting for browser support (I couldn't get it to work even with Opera 8.5 on XP
:-(



> (a wildcard cert is bound to our domain, not any individual 
> host name), 
> but otherwise we can and do indeed run hundreds (soon to be 
> thousands) 
> of customers on their own individual host names under SSL, 
> all on port 
> 443 on one instance of apache.  Unfortunately we have to do funny 
> mod_rewrite trickery to simulate NBVH instead of using real 
> NBVH....  I 
> suspect it would be a major change in Apache architecture to use real 
> NBVH in our case (but otherwise, yes, it absolutely could be 
> technically 
> possible, given the all-must-be-in-the-same-domain, and must use a 
> "wildcard cert" limitations).
> 
> Dave
> 
> 

Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen-
bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature.
It is not related to the exchange or business activities of the SWX Group. Le présent e-mail
est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX.
 
 
This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. No confidentiality or privilege is waived or lost by any
mistransmission. If you receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your system. Please also immediately
destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose,
distribute, print, or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail communications through their
networks. Any views expressed in this message are those of the individual sender, except where
the message states otherwise and the sender is authorised to state them to be the views of
the sender's company.

Mime
View raw message