
Re: Managing SSL certificates

On 10/15/05, Thomas Viehmann <tv@beamnet.de> wrote:
> Olaf van der Spek wrote:
> > On 10/15/05, Peter Palfrader <weasel@debian.org> wrote:
> >>We can't know all the names that people will use to refer to your
> >>server, so this is one of the cases where you have to do stuff manually
> >>anyway.
> > AFAIK there's an extension to HTTP to allow multiple TLS vhosts on one
> > host:port. In that case, there's no need to manually ask for the
> > common name for the certificate.
> > I hope the same is done for TLS in general but if not, at least
> > individual protocols should support this.
> No. This may work with STARTTLS-type protocols where protocol data is
> exchanged before the TLS handshake, but not https. However, there is a

Isn't that exactly what the HTTP extension is about?

> certificate spec extension allowing multiple vhosts. I've had some
> success with that, but they've been a pain to create and I have doubts
> about how widely this is supported in clients.
> IMHO, Peter's suggestion is an appropriate solution to the actual
> problem with packaging which is providing a sane default.
