Re: Managing SSL certificates

Olaf van der Spek wrote:
> On 10/15/05, Peter Palfrader <weasel@debian.org> wrote:
>>We can't know all the names that people will use to refer to your
>>server, so this is one of the cases where you have to do stuff manually

> AFAIK there's an extension to HTTP to allow multiple TLS vhosts on one
> host:port. In that case, there's no need to manually ask for the
> common name for the certificate.
> I hope the same is done for TLS in general but if not, at least
> individual protocols should support this.
No. This may work with STARTTLS-type protocols where protocol data is
exchanged before the TLS handshake, but not https. However, there is a
certificate spec extension allowing multiple vhosts. I've had some
success with that, but they've been a pain to create and I have doubts
about how widely this is supported in clients.

IMHO, Peter's suggestion is an appropriate solution to the actual
problem with packaging, which is providing a sane default.
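The certificate extension referred to above is subjectAltName, and the client-side concern is what a client does with it. The following is an added example, not code from any poster in this thread: it implements the hostname check a client performs against the names in a certificate, working on the dictionary shape that Python's stdlib `ssl.getpeercert()` returns, with the two certificates constructed inline (all host names are assumptions chosen for illustration). It shows the rule that matters for the doubt expressed in the post: once a certificate carries any subjectAltName, a modern client ignores the commonName entirely, so a name present only in the CN is no longer covered; the `legacy_cn_fallback` flag models older clients that only consult the CN when no SAN is present.

```python
"""Hostname matching against the names in a server certificate.

Added example for this thread (not any poster's code). It operates on
the dict shape returned by ssl.getpeercert(), so constructed
certificates stand in for a live TLS handshake.
"""


# Constructed certificate with a subjectAltName (names are assumptions).
# Note that the CN, example.org, is deliberately NOT repeated in the SAN.
CERT_WITH_SAN = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (
        ("DNS", "mail.example.org"),
        ("DNS", "smtp.example.org"),
        ("DNS", "*.lists.example.org"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed old-style certificate: one name in the CN, no SAN at all.
CERT_CN_ONLY = {
    "subject": ((("commonName", "mail.example.org"),),),
}


def _dnsname_match(pattern, hostname):
    """RFC 6125-style match of one dNSName pattern against a hostname.

    A wildcard is honoured only as the entire left-most label and only
    when at least two labels follow it: '*.example.org' matches
    'www.example.org' but neither 'example.org' nor 'a.b.example.org'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or "*" in pattern[2:]:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def names_in_cert(cert):
    """Return (dns_names, has_san) for a getpeercert()-style dict."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    return dns_names, bool(san)


def hostname_matches(cert, hostname, legacy_cn_fallback=False):
    """Decide whether `hostname` is covered by `cert`.

    If the certificate carries any subjectAltName, only its dNSName
    entries count and the commonName is ignored. With no SAN present,
    a strict client rejects the certificate; legacy_cn_fallback=True
    models older clients that fall back to the commonName instead.
    """
    dns_names, has_san = names_in_cert(cert)
    if has_san:
        return any(_dnsname_match(p, hostname) for p in dns_names)
    if not legacy_cn_fallback:
        return False
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dnsname_match(value, hostname):
                return True
    return False


if __name__ == "__main__":
    for cert_name, cert in (("SAN cert", CERT_WITH_SAN), ("CN-only cert", CERT_CN_ONLY)):
        for host in ("mail.example.org", "www.lists.example.org",
                     "lists.example.org", "example.org"):
            print(cert_name, host,
                  "strict:", hostname_matches(cert, host),
                  "legacy:", hostname_matches(cert, host, legacy_cn_fallback=True))
```

The `example.org` row in the output is the caveat: it is the CN of the SAN certificate, yet no client following the SAN rule will accept it, so every name a server answers to has to be listed in the subjectAltName, the CN alone is not enough.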

