httpd-users mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] Multiple SSL servers behind one public ip
Date Fri, 26 Aug 2005 19:57:33 GMT
Dan Carl wrote:
> I have two Apache servers behind a firewall with one public IP.
> I want to run SSL on both machines. One having a self generated certificate
> and other having commercial cert.
> The way I understand it is that because of the nature of the SSL protocol
> you can only have one ssl site per IP.
> Is there no way around this?
> Please someone restore my faith that with linux anything is possible.

Quit moaning about the Protocol, or implicating Linux.  It's an
essential design flaw, the client and server handshake a shared crypto
key based on their individual temporary/permanent credentials long
before the client ever sends the server a "Host:" header.  The platform
(Linux) is irrelevant.

Since the 90's, the Connection-Upgrade concept has been introduced,
which delays SSL handshaking until after the HTTP headers are passed
from the client to the server.  Unfortunately for you, not one "typical"
client (e.g. Browser) actually supports this.  A number of devices do,
e.g. ssl crypted, http proxied network printer devices.  But for your
typical web user?  No.

If you are buying a commercial cert, why do you even need a self signed
cert?  If it's self signed, the user gets a popup warning.  If the host 
name doesn't match the cert's CN, then the user gets a popup warning.
Since they get the popup either way, buy a commercial cert for the
official content, and use the same cert on the 'internal back end' or
whatever purpose you had planned to use a self-signed cert for.

Bill
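Added example, not part of this thread: a Python script that builds a constructed TLS 1.0 ClientHello and parses it the way a server must, to show that at certificate-selection time the server has only the client version, the offered cipher suites and, if the client sends one, the server_name extension from RFC 3546 (the extension that addresses exactly this problem, which browsers of that era did not send). The cipher suites, the zeroed client random and the host name www.example.com are constructed values, not captured traffic.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed minimal ClientHello in a TLS 1.0 record (assumption: two
    cipher suites, null compression, optional server_name extension)."""
    random = b"\x00" * 32                                   # placeholder client random
    body = b"\x03\x01" + random + b"\x00"                   # version, random, empty session id
    body += struct.pack("!H", 4) + b"\x00\x2f\x00\x35"      # AES128-SHA, AES256-SHA
    body += b"\x01\x00"                                     # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sn_list)) + sn_list     # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def parse_client_hello(data):
    """Return what a server knows when it must pick a certificate: the
    client version, the cipher suites and the server_name, or None if absent."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                                 # past record and handshake headers
    version = data[pos:pos + 2]
    pos += 2 + 32                                           # version + 32-byte random
    pos += 1 + data[pos]                                    # session id
    n = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", data[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + data[pos]                                    # compression methods
    server_name = None
    if pos < len(data):                                     # extensions block is optional
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:                                  # server_name: list len, type, name len, name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                server_name = data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"version": version.hex(), "cipher_suites": suites, "server_name": server_name}

if __name__ == "__main__":
    for sni in (None, "www.example.com"):
        print(parse_client_hello(build_client_hello(sni)))
```

Without the extension the parser returns server_name None, which is the situation the reply describes: nothing in the handshake names the site, so one IP and port can present only one certificate.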

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.