From: Eygene Ryabinkin
To: dev@httpd.apache.org
Date: Sun, 8 Apr 2007 23:43:07 +0400
Message-ID: <20070408194307.GA12909@codelabs.ru>
References: <46192AF9.9080200@esuna.co.uk>
Subject: Re: Redundant SSL virtual host warnings?

Good day!

Sun, Apr 08, 2007 at 06:48:41PM +0100, Jay L. T. Cornwall wrote:
> Virtual hosts and SSL don't mix. Or so people say, for the simple reason
> that in order to reach the HTTP negotiation an SSL connection must be
> established first with a certificate/key pair.
>
> If you give it a try, Apache fills its log with the "SSL server IP/port
> conflict" and "You should not use name-based virtual hosts in
> conjunction with SSL" warnings. But since the adoption of wildcard SSL
> certificates virtual hosts over SSL work just fine because the same
> certificate/key pair is used for all of them.

I can add that if you're using the subjectAltName extension and place many
DNS names into it, this will do the trick for the name-based virtual
hosts. In the presence of the subjectAltName with the DNS entries in it,
the DNS name of the server SHOULD (if memory serves me right: I am not
able to find the reference document now) be checked against the
subjectAltName components. At least IE/Mozilla/Firefox/OpenLDAP/curl/elinks
are doing these checks.

It is a bit different from the wildcard certificates, since no wildcards
are here, just the bunch of the dNSName objects in the subjectAltName.

-- 
Eygene
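
The client-side check described in this message, as an added example (not code from the thread or from httpd): it lists which name-based virtual hosts a shared certificate does not cover, using the RFC 2818 rule that dNSName entries, when present, are used instead of the subject CN. The certificate dictionaries follow the layout of Python's `ssl.SSLSocket.getpeercert()`; all host names and function names are constructed, and the single-label wildcard handling goes beyond the message to cover the case from the quoted post.

```python
# Added example: which vhost names does one shared certificate actually cover?

def dns_names(cert):
    """Return the names a client compares the requested host against."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san  # dNSName entries present: the subject CN is not consulted
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' may stand only for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Assumption of this example: refuse a bare '*.tld' pattern.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered_vhosts(cert, vhosts):
    """Virtual host names for which clients would report a name mismatch."""
    names = dns_names(cert)
    return [v for v in vhosts if not any(name_matches(n, v) for n in names)]

# Constructed sample data (not taken from the thread).
MULTI_SAN_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"),
                       ("DNS", "mail.example.org"),
                       ("DNS", "shop.example.net")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "www.example.org"),),)}
# A CN that was not repeated in subjectAltName is no longer matched.
CN_NOT_IN_SAN_CERT = {
    "subject": ((("commonName", "legacy.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"),),
}
VHOSTS = ["www.example.org", "mail.example.org",
          "shop.example.net", "wiki.example.org"]

if __name__ == "__main__":
    for label, cert in (("multi-SAN", MULTI_SAN_CERT), ("CN only", CN_ONLY_CERT)):
        print(label, "does not cover:", uncovered_vhosts(cert, VHOSTS))
```

Any name this reports must be added as a dNSName entry (or served from its own IP/port) before the virtual host is put behind the shared certificate.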