httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Schober <peter.scho...@univie.ac.at>
Subject Re: [users@httpd] Name virtual hosts and HTTPS
Date Sun, 22 Nov 2009 13:07:54 GMT
* Brian Mearns <mearns.b@gmail.com> [2009-11-21 18:02]:
> Only the latest Apache (2.2.14) and OpenSSL built with the
> tlsextensions options support this. It's case SNI (Server Name
> Identification), where the client can send the fully qualified domain
> name as part of the handshake process. Without this, the server has no
> way knowing which vhost the client is looking for until the
> certificate has already been presented (because the Host: HTTP request
> header is part of the encrypted payload, which can't be sent until the
> client has the cert), so it can't choose SSL options (including the
> cert file) based on host name.

Or put all vhosts in the certificate (as X.509v3 SubjectAltName
extensions) and serve up the same cert on every vhost.
How you put these in the CSR is not part of this list and depends on
your CA (some require to put all hostnames in the CN,
i.e. multi-valued CNs, others require to stick these in the v3
extension.)
-peter

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message