httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "J. Bakshi" <joyd...@infoservices.in>
Subject Re: [users@httpd] how to get multiple SSL with name based vhost ?
Date Tue, 01 Dec 2009 09:53:18 GMT
Boyle Owen wrote:
>> -----Original Message-----
>> From: J. Bakshi [mailto:joydeep@infoservices.in] 
>> Sent: Tuesday, December 01, 2009 8:20 AM
>> To: users@httpd.apache.org
>> Subject: Re: [users@httpd] how to get multiple SSL with name 
>> based vhost ?
>>
>> ...
>>
>> Thanks for your nice explanatory  response.  The server where 
>> my apache
>> is running is based on opensuse 11.0 . Hence I don't think 
>> this box can
>> support SNI. As this is a production server I can't simply upgrade the
>> box. So I need some other alternative.
>>     
>
> Krist explained it very nicely... But maybe you still didn't get it: Without SNI, there
is NO WAY TO DO THIS. It is a fundamental limitation of the HTTPS protocol with no production-grade
work-around. SNI (server-name indication) was specifically added to address this limitation.
There is simply NO ALTERNATIVE. 
>
> Having said that, if you have a research or academic environment and don't care about
browser warnings, you can just use the same cert for all sites. You will get the encryption
aspect of HTTPS but not the authentication aspect.
>
> Alternatively, if all sites have the same domain-name (eg, sales.wibble.com, shop.wibble.com
etc), you can get a wildcard cert that certifies *.wibble.com.
>
> Aside from these special cases, there is NO WAY to have name-based SSL VHs.
>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.

Hello Owen,

Thank for your response. your assumption is correct. I am working in an
environment where the domain name is same.  Hence I am using the same
certificate. But the problem is with port.  apache complaining if it see
more name based vhost with port 443. I was using the config as below

` ` ` `
Listen 443
NameVirtualHost  example1.de:443

<VirtualHost  example1:443>
SSLEngine on
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLCertificateFile /etc/apache2/myca/mars-server.crt
SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
ServerName https://example1.de
ServerAlias https://example1.de

DocumentRoot /srv/www/htdocs/blevti.opendingo.de
DirectoryIndex index.php
</VirtualHost>


NameVirtualHost  example2.de:443
<VirtualHost  example2:443>
SSLEngine on
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLCertificateFile /etc/apache2/myca/mars-server.crt
SSLCertificateKeyFile /etc/apache2/myca/mars-server.key
SSLCertificateChainFile /etc/apache2/myca/my-ca.crt
ServerName https://example2.de
ServerAlias https://example2.de

DocumentRoot /srv/www/htdocs/example2.de
DirectoryIndex index.php
</VirtualHost>
` ` ` `

but no luck

-- 
জয়দীপ বক্সী


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message