Posted to users@httpd.apache.org by Michael Ni <mi...@gmail.com> on 2010/04/22 00:48:28 UTC

[users@httpd] multiple SSL on one computer - IP

I have a situation where I have only one computer (one IP) with
2 virtual hosts

One virtual host is static.foobar.com

One virtual host is www.foobar.com

Both have separate SSL certs registered to the corresponding domain.

I tried putting SSL in each but Apache is using the first one registered.

How can I get this to work without needing another computer?

[users@httpd] Re: multiple SSL on one computer - IP

Posted by LuKreme <kr...@kreme.com>.
On 21-Apr-2010, at 16:48, Michael Ni wrote:
> 
> I have a situation where I have only one computer (one IP) with
> 2 virtual hosts
> 
> One virtual host is static.foobar.com
> 
> One virtual host is www.foobar.com
> 
> Both have separate SSL certs registered to the corresponding domain.
> 
> I tried putting SSL in each but Apache is using the first one registered.
> 
> How can I get this to work without needing another computer?

Only one cert can be bound to a specific IP, at least if you want to be fully compatible. There are some ways to have multiple certs, but anyone with IE or an older browser will fail to get the right cert.

-- 
Vernon: Now this is the thought that wakes me up in the middle of the night.
That when I get older, these kids are going to take care of me Carl: I wouldn't
count on it.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] multiple SSL on one computer - IP

Posted by Crypto Sal <cr...@gmail.com>.
  On 04/22/2010 04:22 AM, Tom Evans wrote:
> More to the point, show me one major commercial deployment actually using SNI.

Google.




RE: [users@httpd] multiple SSL on one computer - IP

Posted by Samuel Fuchs <sa...@unycom.com>.
As far as I know there is also the possibility to use a different port for the second vhost. But in this case you will always have to type the port in your address field (e.g. https://nameof.some.host:9443).
 

-----Original Message-----
From: Tom Evans [mailto:tevans.uk@googlemail.com] 
Sent: Thursday, 22 April 2010 10:22
To: users@httpd.apache.org
Subject: Re: [users@httpd] multiple SSL on one computer - IP

On Thu, Apr 22, 2010 at 1:25 AM, Crypto Sal <cr...@gmail.com> wrote:
>  On 04/21/2010 08:11 PM, Tom Evans wrote:
>>
>> On Wed, Apr 21, 2010 at 11:48 PM, Michael Ni<mi...@gmail.com>  wrote:
>>>
>>> I have a situation where I have only one computer (one IP) with
>>> 2 virtual hosts
>>>
>>> One virtual host is static.foobar.com
>>>
>>> One virtual host is www.foobar.com
>>>
>>> Both have separate SSL certs registered to the corresponding domain.
>>>
>>> I tried putting SSL in each but Apache is using the first one registered.
>>>
>>> How can I get this to work without needing another computer?
>>>
>>>
>>>
>> You won't need another computer, but you will need another IP address
>> if you wish to support IE. Sorry, it's how it works.
>>
>> Cheers
>>
>> Tom
>
>
> Tom,
>
> That's misleading information. Windows Vista and greater DO support SNI
> (Server Name Indication) and since those Operating Systems do support SNI,
> so does IE. Since most other browser vendors make use of non-MSFT(usually a
> form of OpenSSL) crypto, they usually are fine and have been fine for years.
>
> There is also the possibility of using a Wildcard Certificate as well if the
> Domain Name structure is similar.
>
> --Sal

No, it isn't. If you wish to support IE 6 or 7, Chrome or Safari on
Windows XP - which is a huge, enormous section of the browser
population - then you cannot use SNI. Trying to say otherwise just
because YOU only use Firefox is what is misleading.

More to the point, show me one major commercial deployment actually using SNI.

The OP also indicated that he had already purchased his certificates,
thus precluding wildcard domains. It is much cheaper (by far!) to get
an additional IP than it is to purchase a new wildcard certificate.

So, yes, very clever to note SNI, however it is not a reliable
solution for ~40% of users on the internet.

Tom



Re: [users@httpd] multiple SSL on one computer - IP

Posted by Tom Evans <te...@googlemail.com>.
On Thu, Apr 22, 2010 at 1:25 AM, Crypto Sal <cr...@gmail.com> wrote:
>  On 04/21/2010 08:11 PM, Tom Evans wrote:
>>
>> On Wed, Apr 21, 2010 at 11:48 PM, Michael Ni<mi...@gmail.com>  wrote:
>>>
>>> I have a situation where I have only one computer (one IP) with
>>> 2 virtual hosts
>>>
>>> One virtual host is static.foobar.com
>>>
>>> One virtual host is www.foobar.com
>>>
>>> Both have separate SSL certs registered to the corresponding domain.
>>>
>>> I tried putting SSL in each but Apache is using the first one registered.
>>>
>>> How can I get this to work without needing another computer?
>>>
>>>
>>>
>> You won't need another computer, but you will need another IP address
>> if you wish to support IE. Sorry, it's how it works.
>>
>> Cheers
>>
>> Tom
>
>
> Tom,
>
> That's misleading information. Windows Vista and greater DO support SNI
> (Server Name Indication) and since those Operating Systems do support SNI,
> so does IE. Since most other browser vendors make use of non-MSFT(usually a
> form of OpenSSL) crypto, they usually are fine and have been fine for years.
>
> There is also the possibility of using a Wildcard Certificate as well if the
> Domain Name structure is similar.
>
> --Sal

No, it isn't. If you wish to support IE 6 or 7, Chrome or Safari on
Windows XP - which is a huge, enormous section of the browser
population - then you cannot use SNI. Trying to say otherwise just
because YOU only use Firefox is what is misleading.

More to the point, show me one major commercial deployment actually using SNI.

The OP also indicated that he had already purchased his certificates,
thus precluding wildcard domains. It is much cheaper (by far!) to get
an additional IP than it is to purchase a new wildcard certificate.

So, yes, very clever to note SNI, however it is not a reliable
solution for ~40% of users on the internet.

Tom



Re: [users@httpd] multiple SSL on one computer - IP

Posted by Jason Nunnelley <ja...@jasonn.com>.
> Does anyone else have a better solution, besides using SNI?

The fastest, easiest way to do this is a shared SSL certificate. I've used 
Digicert's unified cert to solve this very problem.

-- 

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]




Re: [users@httpd] multiple SSL on one computer - IP

Posted by Michael Ni <mi...@gmail.com>.
I got it working by
using multiple address records,
having a certain subdomain host point to a different IP

then on my server, have 2 IPs
and using IP-based virtual hosts

kinda annoying, feels like a waste of IP

Does anyone else have a better solution, besides using SNI?



On Wed, Apr 21, 2010 at 5:25 PM, Crypto Sal <cr...@gmail.com> wrote:

>  On 04/21/2010 08:11 PM, Tom Evans wrote:
>
>> On Wed, Apr 21, 2010 at 11:48 PM, Michael Ni<mi...@gmail.com>
>>  wrote:
>>
>>> I have a situation where I have only one computer (one IP) with
>>> 2 virtual hosts
>>>
>>> One virtual host is static.foobar.com
>>>
>>> One virtual host is www.foobar.com
>>>
>>> Both have separate SSL certs registered to the corresponding domain.
>>>
>>> I tried putting SSL in each but Apache is using the first one registered.
>>>
>>> How can I get this to work without needing another computer?
>>>
>>>
>>>
>> You won't need another computer, but you will need another IP address
>> if you wish to support IE. Sorry, it's how it works.
>>
>> Cheers
>>
>> Tom
>>
>
>
> Tom,
>
> That's misleading information. Windows Vista and greater DO support SNI
> (Server Name Indication) and since those Operating Systems do support SNI,
> so does IE. Since most other browser vendors make use of non-MSFT(usually a
> form of OpenSSL) crypto, they usually are fine and have been fine for years.
>
> There is also the possibility of using a Wildcard Certificate as well if
> the Domain Name structure is similar.
>
> --Sal
>
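
The two layouts argued over in this thread, side by side, as an added example that is not part of any poster's message. The 192.0.2.x addresses, the certificate paths and the `USE_SNI` define name are placeholders chosen for illustration; start httpd with `-DUSE_SNI` to select the second variant.

```apache
# Added example, not from the thread. Addresses, paths and the USE_SNI
# define are placeholders.
Listen 443

<IfDefine !USE_SNI>
    # IP-based: the certificate is chosen by destination address, before
    # the TLS handshake, so every client gets the right one.
    # DNS: www.foobar.com -> 192.0.2.10, static.foobar.com -> 192.0.2.11
    <VirtualHost 192.0.2.10:443>
        ServerName www.foobar.com
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/www.foobar.com.crt
        SSLCertificateKeyFile /etc/ssl/private/www.foobar.com.key
    </VirtualHost>
    <VirtualHost 192.0.2.11:443>
        ServerName static.foobar.com
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/static.foobar.com.crt
        SSLCertificateKeyFile /etc/ssl/private/static.foobar.com.key
    </VirtualHost>
</IfDefine>

<IfDefine USE_SNI>
    # Name-based on one address: needs httpd 2.2.12+ built against an
    # SNI-capable OpenSSL. NameVirtualHost is needed on 2.2.x only.
    NameVirtualHost *:443
    # off: a client that sends no SNI is served the first vhost below,
    #      so it sees www's certificate even when asking for static.
    # on:  such a client is refused instead of getting a mismatched cert.
    SSLStrictSNIVHostCheck off
    <VirtualHost *:443>
        ServerName www.foobar.com
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/www.foobar.com.crt
        SSLCertificateKeyFile /etc/ssl/private/www.foobar.com.key
    </VirtualHost>
    <VirtualHost *:443>
        ServerName static.foobar.com
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/static.foobar.com.crt
        SSLCertificateKeyFile /etc/ssl/private/static.foobar.com.key
    </VirtualHost>
</IfDefine>
```

Running `openssl s_client -connect 192.0.2.10:443 -servername static.foobar.com` against the server, and again without `-servername`, shows which certificate SNI-capable and non-SNI clients receive.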

Re: [users@httpd] multiple SSL on one computer - IP

Posted by Crypto Sal <cr...@gmail.com>.
  On 04/21/2010 08:11 PM, Tom Evans wrote:
> On Wed, Apr 21, 2010 at 11:48 PM, Michael Ni<mi...@gmail.com>  wrote:
>> I have a situation where I have only one computer (one IP) with
>> 2 virtual hosts
>>
>> One virtual host is static.foobar.com
>>
>> One virtual host is www.foobar.com
>>
>> Both have separate SSL certs registered to the corresponding domain.
>>
>> I tried putting SSL in each but Apache is using the first one registered.
>>
>> How can I get this to work without needing another computer?
>>
>>
>>
> You won't need another computer, but you will need another IP address
> if you wish to support IE. Sorry, it's how it works.
>
> Cheers
>
> Tom


Tom,

That's misleading information. Windows Vista and greater DO support SNI 
(Server Name Indication) and since those Operating Systems do support 
SNI, so does IE. Since most other browser vendors make use of 
non-MSFT(usually a form of OpenSSL) crypto, they usually are fine and 
have been fine for years.

There is also the possibility of using a Wildcard Certificate as well if 
the Domain Name structure is similar.

--Sal



Re: [users@httpd] multiple SSL on one computer - IP

Posted by Tom Evans <te...@googlemail.com>.
On Wed, Apr 21, 2010 at 11:48 PM, Michael Ni <mi...@gmail.com> wrote:
> I have a situation where I have only one computer (one IP) with
> 2 virtual hosts
>
> One virtual host is static.foobar.com
>
> One virtual host is www.foobar.com
>
> Both have separate SSL certs registered to the corresponding domain.
>
> I tried putting SSL in each but Apache is using the first one registered.
>
> How can I get this to work without needing another computer?
>
>
>
You won't need another computer, but you will need another IP address
if you wish to support IE. Sorry, it's how it works.

Cheers

Tom



Re: [users@httpd] multiple SSL on one computer - IP

Posted by Jason Nunnelley <ja...@jasonn.com>.
Blah! I guess a link would be nice: 
http://www.digicert.com/unified-communications-ssl-tls.htm

On 4/21/10 8:55 PM, Jason Nunnelley wrote:
> There are probably competing, if not free, methods of achieving the 
> same end. If you need a branded cert, this is a good company. I 
> endorse them and I'm not a reseller :) Maybe I should be. But, they 
> helped me out of a bind more than once and it's a great solution for 
> cloud or ephemeral server SSL solutions.
>

-- 

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]




Re: [users@httpd] multiple SSL on one computer - IP

Posted by Jason Nunnelley <ja...@jasonn.com>.
There are probably competing, if not free, methods of achieving the same 
end. If you need a branded cert, this is a good company. I endorse them 
and I'm not a reseller :) Maybe I should be. But, they helped me out of 
a bind more than once and it's a great solution for cloud or ephemeral 
server SSL solutions.

-- 

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]

