httpd-dev mailing list archives

From Eygene Ryabinkin <rea-...@codelabs.ru>
Subject Re: Redundant SSL virtual host warnings?
Date Sun, 08 Apr 2007 19:43:07 GMT
Good day!

Sun, Apr 08, 2007 at 06:48:41PM +0100, Jay L. T. Cornwall wrote:
> Virtual hosts and SSL don't mix. Or so people say, for the simple reason
> that in order to reach the HTTP negotiation an SSL connection must be
> established first with a certificate/key pair.
> 
> If you give it a try, Apache fills its log with the "SSL server IP/port
> conflict" and "You should not use name-based virtual hosts in
> conjunction with SSL" warnings. But since the adoption of wildcard SSL
> certificates virtual hosts over SSL work just fine because the same
> certificate/key pair is used for all of them.

I can add that if you're using the subjectAltName extension and place
many DNS names into it, this will do the trick for the name-based
virtual hosts. In the presence of the subjectAltName with the DNS
entries in it, the DNS name of the server SHOULD (if memory serves
me right: I am not able to find the reference document now) be
checked against the subjectAltName components. At least
IE/Mozilla/Firefox/OpenLDAP/curl/elinks are doing these checks. It
is a bit different from the wildcard certificates, since no wildcards
are here, just a bunch of dNSName objects in the subjectAltName.
-- 
Eygene
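
The client-side check described in the message above, as an added example that is not part of the original post: it matches a requested host name against a certificate's dNSName entries and falls back to the commonName only when no dNSName is present (the rule in RFC 2818, section 3.1). The certificate dictionaries are constructed sample data in the layout Python's `ssl.SSLSocket.getpeercert()` returns, and the function names are hypothetical.

```python
# Added example: host name check against subjectAltName dNSName entries.
# Certificate contents below are constructed sample data, not real certificates.

def _name_match(pattern, host):
    """Compare one certificate name with a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Assumption of this example: a wildcard must be the whole left-most
        # label and must leave at least two fixed labels (rejects "*.org").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_matches_host(cert, host):
    """Return True if `host` is an identity the certificate presents.

    If any dNSName entry exists in subjectAltName, only those entries are
    consulted and the subject commonName is ignored.
    """
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_name_match(n, host) for n in dns_names)
    # No dNSName entries: fall back to the subject commonName.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _name_match(value, host):
                return True
    return False


# Constructed certificate shared by several name-based virtual hosts.
MULTI_SAN_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (
        ("DNS", "shop.example.org"),
        ("DNS", "mail.example.org"),
        ("DNS", "example.net"),
    ),
}
# Constructed wildcard certificate without subjectAltName, for contrast.
WILDCARD_CERT = {"subject": ((("commonName", "*.example.org"),),)}

if __name__ == "__main__":
    for name in ("shop.example.org", "example.net", "www.example.org"):
        print(name, cert_matches_host(MULTI_SAN_CERT, name),
              cert_matches_host(WILDCARD_CERT, name))
```

In the sample, `www.example.org` appears only as the commonName and is therefore rejected for the multi-name certificate, so every virtual host name, including the one in the commonName, needs its own dNSName entry.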
