You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Norman Khine <no...@khine.net> on 2007/12/28 21:44:10 UTC

[users@httpd] Apache2, Vhosts and SSL

Hello,
I have several sites running from my server that have their own 
certificates, but everytime I acces the site, I get a warning telling me 
that the certificate belongs to localhost.

Can I have multiple certificates on the same IP and port 443, or do I 
have to open different ports for each SSL site?

Many thanks

Norman

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache2, Vhosts and SSL

Posted by Gregor Schneider <rc...@googlemail.com>.
Pavel,

On Dec 30, 2007 4:36 AM,  <pa...@fenix.cz> wrote:
> not exactly true, you may try to use the SNI patch that allows several
> certs on a single ip.
>
it's still true, however, maybe the statement is not complete.

TLS is pretty new, and i.e. my firefox-browser does not accept such a
cert "for an unknown reason".

Setting up the patch is quite some work with a good chance to shoot
yourself into your toe.
Check out http://www.howtoforge.com/enable-multiple-https-sites-on-one-ip-using-tls-extensions-on-debian-etch

Btw, the error-message in my Firefox-Browser (it's 2.0.0.11) appears
when pointing to the sample web-site given in the document
https://dave.sni.velox.ch/.

Besides, when patching you will have to recompile OpenSSL, meaning
future updates (such as security updates) might turn back your
changes.

Therefore, I honestly would not recommend using this patch but wait
until a stable standard ist established.

Cheers & have a great 2008!

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache2, Vhosts and SSL

Posted by pa...@fenix.cz.
not exactly true, you may try to use the SNI patch that allows several
certs on a single ip.

regards, pavel


> you will need either different ip/port-combinations for each ssl-site
> or you can try with the so-called wildcard-certs (example.
> https://www.thawte.com/ssl-digital-certificates/wildcardssl/index.html).
> most recent browsers will support them.
>
> cheers
>
> gregor
> --
> what's puzzlin' you, is the nature of my game
> gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
> gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Apache2, Vhosts and SSL

Posted by Gregor Schneider <rc...@googlemail.com>.
you will need either different ip/port-combinations for each ssl-site
or you can try with the so-called wildcard-certs (example.
https://www.thawte.com/ssl-digital-certificates/wildcardssl/index.html).
most recent browsers will support them.

cheers

gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org