[ProgSoc] this is a test, please ignore

chris mewett chris at mewett.net
Wed Nov 19 17:01:22 EST 2008


2008/11/19 John Elliot <jj5 at jj5.net>
[..]

>
> Speaking of virtual hosting and SSL. Recently I was trying (for the
> first time) to configure Apache to host multiple virtual hosts on a
> single IP address and to have each virtual host have its own cert. In
> the end I gave up, with the understanding that it's not possible. I
> recall discovering that Apache only supports one cert per IP address. Is
> that correct, does anyone know? Is there some way (perhaps with some
> sort of front-facing proxy?) to support a scenario where I have multiple
> domain names pointing to the same IP address, having the HTTP Host
> header indicate the appropriate content to serve, and also to having a
> cert per virtual host so as to enable HTTPS for each site?
>
>
No is the simple answer.
Not to be glib, but HTTPS is HTTP in SSL(TLS).
While SSL SMTP has two modes with the option to start cleartext and switch
to SSL, the HTTP protocol doesn't have the flexibility.
What it means is that the CN in the cert has to match the Host Header.

I guess that whereas SMTP can be fixed slowly as it is server to server, the
web clients are in a bit of a catch 22: no secure site would use the "start
cleartext" secure mode when it means there will be potential customers
locked out of their product...


The 2 ways I've seen shops get around it are two different approaches to the
globbing features:
Get yourself a self-signed "*" cert, and then everyone who trusts the cert
can go to any name based virtual behind its one IP.
Or, get a wildcard cert (e.g. CN is *.example.com), and you sell secure sites
as subdomains, all off the same IP/port and cert.

The downside from a security perspective (one of the downsides) is that if
an organisation buys a service from a provider using this method for say,
membership management, you end up with the main site www.example.com sending
e-mails pointing to a website at https://example.membershipmgmtco.com/ , and
your chances of managing the phishing risk get a lot harder...

Cheers,
Chris Mewett.
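Added example, not code from the original thread or from any poster in it. It shows the two consequences Chris describes: the server sends its certificate during the TLS handshake, before any HTTP Host header arrives, so the certificate is chosen per IP:port and the browser then checks that the name in it covers the host it asked for; and a wildcard certificate makes every customer subdomain pass that check, but only one label deep. The name-matching rule is the usual browser one (a '*' must be the entire left-most label and stands for exactly one label); the IP addresses, certificate names and vhost names are made up for illustration.

```python
"""One cert per IP versus name-based HTTPS vhosts, and what a wildcard buys.

Added example, not code from the original ProgSoc thread.  All addresses,
certificate names and vhost names below are constructed for illustration.
"""


def hostname_matches(pattern: str, host: str) -> bool:
    """True if a certificate name (CN or SAN dNSName) covers `host`.

    Rule used here, matching common browser behaviour (RFC 2818 / RFC 6125
    style): case-insensitive label-by-label comparison; a '*' is only honoured
    when it is the whole left-most label, it matches exactly one label, and at
    least two fixed labels must follow it (so '*.com' covers nothing).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False
    return p[1:] == h[1:]


def cert_covers(cert_names, host: str) -> bool:
    """Does any name in the certificate cover the requested host?"""
    return any(hostname_matches(name, host) for name in cert_names)


def pick_cert(ip_certs, ip: str):
    """The server's side of the problem: the certificate goes out in the TLS
    handshake, before the client has sent a single byte of HTTP, so all the
    server can key on is the IP:port the connection arrived on."""
    return ip_certs[ip]


def https_outcome(ip_certs, vhosts):
    """For each name-based vhost, would a browser accept the cert its IP serves?"""
    return {host: cert_covers(pick_cert(ip_certs, ip), host)
            for host, ip in vhosts.items()}


# Constructed scenario 1: two unrelated sites on one IP with one cert, which
# is what the original poster tried.  Only the site named in the cert works.
IP_CERTS_ONE_SITE = {"192.0.2.10": ["www.example.com"]}
VHOSTS_ONE_IP = {
    "www.example.com": "192.0.2.10",
    "shop.example.org": "192.0.2.10",
}

# Constructed scenario 2: the wildcard work-around.  Every customer site is a
# subdomain of the provider, so a single '*.members.example.net' cert covers
# them all on one IP/port, but not a name nested one level deeper.
IP_CERTS_WILDCARD = {"192.0.2.11": ["*.members.example.net"]}
VHOSTS_WILDCARD = {
    "alice.members.example.net": "192.0.2.11",
    "bob.members.example.net": "192.0.2.11",
    "deep.alice.members.example.net": "192.0.2.11",
}


if __name__ == "__main__":
    for label, certs, vhosts in (
        ("one cert, two unrelated names", IP_CERTS_ONE_SITE, VHOSTS_ONE_IP),
        ("wildcard cert, customer subdomains", IP_CERTS_WILDCARD, VHOSTS_WILDCARD),
    ):
        print(label)
        for host, ok in https_outcome(certs, vhosts).items():
            print(f"  {host:32} {'accepted' if ok else 'cert mismatch'}")
```

Running it shows shop.example.org failing the name check because 192.0.2.10 can only ever hand out the www.example.com certificate, while alice and bob pass under the wildcard and deep.alice fails because the '*' consumes exactly one label. The matching rule in hostname_matches is also the reason a wildcard is only a work-around for the provider-subdomain model the post describes, not for arbitrary customer domains on the same IP.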