httpd-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] SSL certificates and virtual hosts
Date Tue, 18 Oct 2011 16:45:58 GMT
On October 18, 2011 12:27 , James Moe <jimoe@sohnen-moe.com> wrote:
>    Our website account with our ISP has one fixed IP address and allows
> a number of virtual hosts. The main site has an SSL certificate for
> secure access. I wish to add another certificate for one of the named
> virtual hosts. According to Tech Support the account only allows one
> SSL certificate per IP address.
> [...]
>    Is the claim of only one cert per IP address correct? Or have I made
> an error in the configuration?

Until relatively recently, this was a limitation of the SSL/TLS 
protocol:  the SSL handshake was completed before the client sent the 
HTTP request indicating which virtual host it was connecting to; thus, 
there was no way to know in advance which certificate should be used 
when creating the secure connection.

This problem was solved with Server Name Indication (see 
https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI ).   In order to 
use Server Name Indication (SNI), you need to be running Apache HTTP 
Server 2.2.12 or later with OpenSSL 0.9.8f or later, and your users also 
need to use web browsers that support SNI.  Microsoft Internet Explorer 
only supports SNI for version 7 and later under Windows Vista and later 
(no version of IE under Windows XP supports SNI).

If you have the ability to do SNI in both your web server and web 
browsers, instructions and examples on how to configure Apache HTTP 
Server to use multiple virtual hosts, each with their own SSL 
certificate but all sharing a single IP address, are on the page I link 
to above.

--
   Mark Montague
   mark@catseye.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
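
An added example, not part of the original message or of the linked wiki page: a minimal Apache HTTP Server 2.2 configuration with two name-based SSL virtual hosts that share one IP address through SNI, as the reply describes. The host names, document roots and certificate paths are placeholders.

```apache
# Assumes Apache HTTP Server 2.2.12+ with mod_ssl built against
# OpenSSL 0.9.8f+ (the minimum versions given in the message above).
Listen 443

# Needed on 2.2 so that several <VirtualHost *:443> blocks are selected
# by name. Apache 2.4 no longer needs this directive.
NameVirtualHost *:443

# off (the default): a client that sends no SNI extension is served by the
#   FIRST virtual host below and receives that host's certificate, so it
#   sees a name-mismatch warning if it asked for the second host.
# on: such clients are refused instead of being handed the wrong certificate.
SSLStrictSNIVHostCheck off

# First vhost listed = default for non-SNI clients.
<VirtualHost *:443>
    ServerName www.example.com                                  # placeholder
    DocumentRoot /var/www/main                                  # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt    # placeholder
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key  # placeholder
</VirtualHost>

# Second vhost: same IP address and port, its own certificate and key.
<VirtualHost *:443>
    ServerName shop.example.com                                 # placeholder
    DocumentRoot /var/www/shop                                  # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt   # placeholder
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key # placeholder
</VirtualHost>
```

To confirm that each name gets its own certificate, connect with `openssl s_client -connect <address>:443 -servername <host name>` once per host name and compare the certificate subject that comes back.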

