[SATLUG] Apache with 1 IP, two SSL sites, different ports

Brad Knowles brad at shub-internet.org
Thu May 21 12:45:16 CDT 2009


on 5/21/09 12:27 AM, Bruce Dubbs said:

> I haven't been following this closely, but it makes no sense for a cert 
> to be tied to an IP address.  It does make sense to be tied to a domain 
> name.  I know that openssl does not require a domain name when 
> generating a cert.  If it's a self-signed cert (aka a certificate 
> authority), it certainly doesn't make sense to tie this to an IP address.

The problem is that the SSL certificate is sent before the client makes 
the request, so if you have more than one SSL certificate for a given IP 
address, the server won't know which cert to send.  Once the client gets 
the SSL cert, it can compare the domain in the cert against the domain 
claimed by the webserver, and issue a warning or error as appropriate.

Google for "one IP per ssl cert".

> So it's an Apache/SSL issue.  Some googling gives:
> 
> http://www.debian-administration.org/article/Setting_up_an_SSL_server_with_Apache2 
> 
> http://www.stombi.net/blog/post/2005/07/14/30-apache2-multiple-ssl-virtual-hosts 
> 
> 
> Which explain the issue more.

Indeed, we are in violent agreement.  ;-)

-- 
Brad Knowles
<brad at shub-internet.org>        If you like Jazz/R&B guitar, check out
LinkedIn Profile:                 my friend bigsbytracks on YouTube at
<http://tinyurl.com/y8kpxu>    http://preview.tinyurl.com/bigsbytracks
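
The setup named in the subject line, as an added Apache configuration sketch that is not part of the original message or thread. It assumes the server can choose a certificate only from the IP address and port the client connected to, as the message describes; the address 192.0.2.10, the names site-a.example and site-b.example, port 8443 and all file paths are placeholders.

```apache
# Added example; every address, name and path here is a placeholder.
# One IP address, two HTTPS sites, each on its own port.
Listen 192.0.2.10:443
Listen 192.0.2.10:8443

# Does NOT do what it appears to in the setup described above: two
# name-based SSL virtual hosts sharing one IP:port. The certificate is
# sent during the handshake, before the Host header arrives, so Apache
# presents the first virtual host's certificate for both names and the
# browser warns about a name mismatch on the second site.
#
#   <VirtualHost 192.0.2.10:443>  ServerName site-a.example  ...
#   <VirtualHost 192.0.2.10:443>  ServerName site-b.example  ...

# Works: the port alone identifies the site, so each virtual host can
# present its own certificate.
<VirtualHost 192.0.2.10:443>
    ServerName site-a.example
    DocumentRoot /var/www/site-a
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site-a.example.crt
    SSLCertificateKeyFile /etc/ssl/private/site-a.example.key
</VirtualHost>

<VirtualHost 192.0.2.10:8443>
    ServerName site-b.example
    DocumentRoot /var/www/site-b
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site-b.example.crt
    SSLCertificateKeyFile /etc/ssl/private/site-b.example.key
</VirtualHost>
```

Clients of the second site have to include the port in the URL (https://site-b.example:8443/), and the name in each certificate still has to match the ServerName it is served for.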

