[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Managing SSL certificates

Olaf van der Spek wrote:
> On 10/15/05, Peter Palfrader <weasel@debian.org> wrote:
>>We can't know all the names that people will use to refer to your
>>server, so this is one of the cases where you have to do stuff manually
>>anyway.

> AFAIK there's an extension to HTTP to allow multiple TLS vhosts on one
> host:port. In that case, there's no need to manually ask for the
> common name for the certificate.
> I hope the same is done for TLS in general but if not, at least
> individual protocols should support this.
No. This may work with STARTTLS-type protocols where protocol data is
exchanged before the TLS handshake, but not https. However, there is a
certificate spec extension allowing multiple vhosts. I've had some
success with that, but they've been a pain to create and I have doubts
about how widely this is supported in clients.

IMHO, Peter's suggestion is an appropriate solution to the actual
problem with packaging which is providing a sane default.

Kind regards

T.

-- 
Thomas Viehmann, http://thomas.viehmann.net/
Reply to: