
Re: multiple certificates on a single server



On Fri, Aug 26, 2005 at 09:48:28AM +0200, Igor[Rock] wrote:
> Arnau schrieb:
>>    I have a doubt about how to host multiple ssl-enabled domains on a
>> single server with a single IP. I know that from a TCP point of view,
>> for each certificate it's necessary to have an IP due to how the
>> connection is established. Is there any way to have multiple certificates on
>> a single server and a single IP? Maybe using private IPs? Any
>> documentation where this issue is explained?

Useful documentation is available from cacert.org's wiki. [1]

As a suggestion for this, you could use mod_rewrite in Apache to catch things
that arrive at the wrong SSL-enabled site for their hostname, and
external-redirect them to the correct site, presumably on a different port.
This of course requires that the main site is trusted and controlled by the
server admin, or it could be used to steal HTTPS traffic after decoding... And
it needs its own certificate.

> AFAIK it wasn't possible to use virtual hosts for SSL because the SSL
> handshake took place before the host header was sent - at least that
> wasn't possible until July 2005...

TLS/1.0 supports extensions, and one such extension (which GnuTLS supports [2],
for example) allows the client to tell the server which service it wants,
before negotiation gets underway.

It's in RFC3546 [3], from June 2003.

So far, the actual support for it is not widespread, sadly.  Mozilla's got a
couple of bugs open, [4] and [5], and mod_gnutls [6] is an apache2 module for
it. [1] above has a quick survey of browser support for both this TLS/1.0
extension, and other ways of doing name-based SSL virtual hosting.

[1] http://wiki.cacert.org/wiki/VhostTaskForce#head-b9d2e710d6e5796e30120e9894d6614c137d43ae
[2] http://www.gnu.org/software/gnutls/manual/html_node/TLS-Extensions.html#TLS-Extensions
[3] http://www.ietf.org/rfc/rfc3546.txt
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=116168
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=116168
[6] http://www.outoforder.cc/projects/apache/mod_gnutls/

-- 
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
8th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au

"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"

License: http://creativecommons.org/licenses/by/2.1/au/
-----------------------------------------------------------
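As an added example, not part of Paul's message or of any project linked above: a small Python sketch of the RFC 3546 server_name extension the reply describes. It builds a minimal TLS 1.0 ClientHello with and without the extension (the latter is what an SNI-unaware browser sends), parses the extension back out the way a name-based virtual host would, and picks a certificate from a constructed vhost table. The hostnames and certificate paths are placeholders, the random bytes are fixed, and nothing is sent over a socket.

```python
import struct

# Constructed vhost table (placeholder names and paths, not from the post):
# hostname -> certificate file the server should present.
VHOSTS = {
    "www.example.org": "/etc/ssl/example.org.crt",
    "mail.example.net": "/etc/ssl/example.net.crt",
}
DEFAULT_VHOST = "www.example.org"

EXT_SERVER_NAME = 0        # extension type, RFC 3546 section 3.1
NAME_TYPE_HOST_NAME = 0    # NameType host_name


def build_client_hello(hostname=None):
    """Return a TLS 1.0 ClientHello record. With a hostname, the server_name
    extension is appended; without one, the hello is a legacy hello exactly
    as a browser without SNI support would send it."""
    body = b"\x03\x01"                      # client_version: TLS 1.0
    body += b"\x11" * 32                    # random (constructed, fixed)
    body += b"\x00"                         # session_id length 0
    cipher_suites = b"\x00\x2f\x00\x35"     # AES128-SHA, AES256-SHA
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                     # compression_methods: null only
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerName = name_type(1) + host_name length(2) + host_name
        server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
        # ServerNameList = length(2) + one or more ServerName entries
        sn_list = struct.pack("!H", len(server_name)) + server_name
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
        body += struct.pack("!H", len(ext)) + ext   # extensions length + data
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the server_name extension of a
    ClientHello record, or None when the client sent no such extension."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                            # skip client_version and random
    sid_len = p[pos]
    pos += 1 + sid_len                      # skip session_id
    cs_len = struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2 + cs_len                       # skip cipher_suites
    cm_len = p[pos]
    pos += 1 + cm_len                       # skip compression_methods
    if pos >= len(p):
        return None                         # legacy hello: no extensions block
    ext_len = struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4])
        pos += 4
        edata = p[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", edata[0:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype, nlen = struct.unpack("!BH", edata[q:q + 3])
            q += 3
            name = edata[q:q + nlen]
            q += nlen
            if ntype == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
    return None


def select_certificate(record):
    """Choose the certificate to present for this ClientHello. A missing or
    unknown name falls back to the default vhost, which is the behaviour a
    server must live with while SNI-less browsers are still common."""
    hostname = extract_sni(record)
    return VHOSTS.get(hostname, VHOSTS[DEFAULT_VHOST])


if __name__ == "__main__":
    print(select_certificate(build_client_hello("mail.example.net")))
    print(select_certificate(build_client_hello()))
```

The fallback in select_certificate is the practical catch the thread is circling: until clients send the extension, the first (default) virtual host on the IP gets every hello that names nothing, so that host's certificate is the one a legacy browser will see and complain about.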
