Re: Managing SSL certificates
On 10/15/05, Thomas Viehmann <firstname.lastname@example.org> wrote:
> Olaf van der Spek wrote:
> > On 10/15/05, Peter Palfrader <email@example.com> wrote:
> >>We can't know all the names that people will use to refer to your
> >>server, so this is one of the cases where you have to do stuff manually
> > AFAIK there's an extension to HTTP to allow multiple TLS vhosts on one
> > host:port. In that case, there's no need to manually ask for the
> > common name for the certificate.
> > I hope the same is done for TLS in general but if not, at least
> > individual protocols should support this.
> No. This may work with STARTTLS-type protocols where protocol data is
> exchanged before the TLS handshake, but not https. However, there is a

Isn't that exactly what the HTTP extension is about?

> certificate spec extension allowing multiple vhosts. I've had some
> success with that, but they've been a pain to create and I have doubts
> about how widely this is supported in clients.
> IMHO, Peter's suggestion is an appropriate solution to the actual
> problem with packaging which is providing a sane default.