Posted to users@httpd.apache.org by Michael Ni <mi...@gmail.com> on 2010/04/22 00:48:28 UTC
[users@httpd] multiple SSL on one computer - IP
i have a situation where I have only one computer (one IP) with
2 virtual hosts
one virtual host is static.foobar.com
one virtual host is www.foobar.com
both have separate ssl certs registered to the corresponding domain.
i tried putting SSL in each but apache is using the first one registered.
How can I get this to work without need another computer?
[users@httpd] Re: multiple SSL on one computer - IP
Posted by LuKreme <kr...@kreme.com>.
On 21-Apr-2010, at 16:48, Michael Ni wrote:
>
> i have a situation where I have only one computer (one IP) with
> 2 virtual hosts
>
> one virtual host is static.foobar.com
>
> one virtual host is www.foobar.com
>
> both have separate ssl certs registered to the corresponding domain.
>
> i tried putting SSL in each but apache is using the first one registered.
>
> How can I get this to work without need another computer?
Only one cert can be bound to a specific IP, at least if you want to be fully compatible. There are some ways to have multiple certs, but anyone with IE or an older browser will fail to get the right cert.
--
Vernon: Now this is the thought that wakes me up in the middle of the night.
That when I get older, these kids are going to take care of me Carl: I wouldn't
count on it.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] multiple SSL on one computer - IP
Posted by Crypto Sal <cr...@gmail.com>.
On 04/22/2010 04:22 AM, Tom Evans wrote:
> More to the point, show me one major commercial deployment actually using SNI.
Google.
RE: [users@httpd] multiple SSL on one computer - IP
Posted by Samuel Fuchs <sa...@unycom.com>.
As far as I know there is also the possibility to use a different port for the second vhost. But in this case you will always have to type the port in your address field (e.g. https://nameof.some.host:9443).
-----Original Message-----
From: Tom Evans [mailto:tevans.uk@googlemail.com]
Sent: Donnerstag, 22. April 2010 10:22
To: users@httpd.apache.org
Subject: Re: [users@httpd] multiple SSL on one computer - IP
On Thu, Apr 22, 2010 at 1:25 AM, Crypto Sal <cr...@gmail.com> wrote:
> On 04/21/2010 08:11 PM, Tom Evans wrote:
>>
>> On Wed, Apr 21, 2010 at 11:48 PM, Michael Ni<mi...@gmail.com> wrote:
>>>
>>> i have a situation where I have only one computer (one IP) with
>>> 2 virtual hosts
>>>
>>> one virtual host is static.foobar.com
>>>
>>> one virtual host is www.foobar.com
>>>
>>> both have separate ssl certs registered to the corresponding domain.
>>>
>>> i tried putting SSL in each but apache is using the first one registered.
>>>
>>> How can I get this to work without need another computer?
>>>
>>>
>>>
>> You won't need another computer, but you will need another IP address
>> if you wish to support IE. Sorry, it's how it works.
>>
>> Cheers
>>
>> Tom
>
>
> Tom,
>
> That's misleading information. Windows Vista and greater DO support SNI
> (Server Name Indication) and since those Operating Systems do support SNI,
> so does IE. Since most other browser vendors make use of non-MSFT(usually a
> form of OpenSSL) crypto, they usually are fine and have been fine for years.
>
> There is also the possibility of using a Wildcard Certificate as well if the
> Domain Name structure is similar.
>
> --Sal
No, it isn't. If you wish to support IE 6 or 7, chrome or safari on
windows XP - which is a huge, enormous section of the browser
population - then you cannot use SNI. Trying to say otherwise just
because YOU only use firefox is what is misleading.
More to the point, show me one major commercial deployment actually using SNI.
The OP also indicated that he had already purchased his certificates,
thus precluding wildcard domains. It is much cheaper (by far!) to get
an additional IP than it is to purchase a new wildcard certificate.
So, yes, very clever to note SNI, however it is not a reliable
solution for ~40% of users on the internet.
Tom
Re: [users@httpd] multiple SSL on one computer - IP
Posted by Tom Evans <te...@googlemail.com>.
On Thu, Apr 22, 2010 at 1:25 AM, Crypto Sal <cr...@gmail.com> wrote:
> On 04/21/2010 08:11 PM, Tom Evans wrote:
>>
>> On Wed, Apr 21, 2010 at 11:48 PM, Michael Ni<mi...@gmail.com> wrote:
>>>
>>> i have a situation where I have only one computer (one IP) with
>>> 2 virtual hosts
>>>
>>> one virtual host is static.foobar.com
>>>
>>> one virtual host is www.foobar.com
>>>
>>> both have separate ssl certs registered to the corresponding domain.
>>>
>>> i tried putting SSL in each but apache is using the first one registered.
>>>
>>> How can I get this to work without need another computer?
>>>
>>>
>>>
>> You won't need another computer, but you will need another IP address
>> if you wish to support IE. Sorry, it's how it works.
>>
>> Cheers
>>
>> Tom
>
>
> Tom,
>
> That's misleading information. Windows Vista and greater DO support SNI
> (Server Name Indication) and since those Operating Systems do support SNI,
> so does IE. Since most other browser vendors make use of non-MSFT(usually a
> form of OpenSSL) crypto, they usually are fine and have been fine for years.
>
> There is also the possibility of using a Wildcard Certificate as well if the
> Domain Name structure is similar.
>
> --Sal
No, it isn't. If you wish to support IE 6 or 7, chrome or safari on
windows XP - which is a huge, enormous section of the browser
population - then you cannot use SNI. Trying to say otherwise just
because YOU only use firefox is what is misleading.
More to the point, show me one major commercial deployment actually using SNI.
The OP also indicated that he had already purchased his certificates,
thus precluding wildcard domains. It is much cheaper (by far!) to get
an additional IP than it is to purchase a new wildcard certificate.
So, yes, very clever to note SNI, however it is not a reliable
solution for ~40% of users on the internet.
Tom
Re: [users@httpd] multiple SSL on one computer - IP
Posted by Jason Nunnelley <ja...@jasonn.com>.
> does anyone else have a better solution? besides using SNI
The fastest, easiest way to do this is a shared SSL certificate. I've used
Digicert's unified cert to solve this very problem.
--
Jason A. Nunnelley
+1 2562971652
http://www.google.com/profiles/imjasonn
[Member Tekany, LLC]
Re: [users@httpd] multiple SSL on one computer - IP
Posted by Michael Ni <mi...@gmail.com>.
i got it working with
using multiple address records,
having a certain subdomain host point to a different ip
then on my server, have 2 ips
and using ip based virtual host
kinda annoying, feels like a waste of IP
does anyone else have a better solution? besides using SNI
On Wed, Apr 21, 2010 at 5:25 PM, Crypto Sal <cr...@gmail.com> wrote:
> On 04/21/2010 08:11 PM, Tom Evans wrote:
>
>> On Wed, Apr 21, 2010 at 11:48 PM, Michael Ni<mi...@gmail.com>
>> wrote:
>>
>>> i have a situation where I have only one computer (one IP) with
>>> 2 virtual hosts
>>>
>>> one virtual host is static.foobar.com
>>>
>>> one virtual host is www.foobar.com
>>>
>>> both have separate ssl certs registered to the corresponding domain.
>>>
>>> i tried putting SSL in each but apache is using the first one registered.
>>>
>>> How can I get this to work without need another computer?
>>>
>>>
>>>
>> You won't need another computer, but you will need another IP address
>> if you wish to support IE. Sorry, it's how it works.
>>
>> Cheers
>>
>> Tom
>>
>
>
> Tom,
>
> That's misleading information. Windows Vista and greater DO support SNI
> (Server Name Indication) and since those Operating Systems do support SNI,
> so does IE. Since most other browser vendors make use of non-MSFT(usually a
> form of OpenSSL) crypto, they usually are fine and have been fine for years.
>
> There is also the possibility of using a Wildcard Certificate as well if
> the Domain Name structure is similar.
>
> --Sal
>
>
Re: [users@httpd] multiple SSL on one computer - IP
Posted by Crypto Sal <cr...@gmail.com>.
On 04/21/2010 08:11 PM, Tom Evans wrote:
> On Wed, Apr 21, 2010 at 11:48 PM, Michael Ni<mi...@gmail.com> wrote:
>> i have a situation where I have only one computer (one IP) with
>> 2 virtual hosts
>>
>> one virtual host is static.foobar.com
>>
>> one virtual host is www.foobar.com
>>
>> both have separate ssl certs registered to the corresponding domain.
>>
>> i tried putting SSL in each but apache is using the first one registered.
>>
>> How can I get this to work without need another computer?
>>
>>
>>
> You won't need another computer, but you will need another IP address
> if you wish to support IE. Sorry, it's how it works.
>
> Cheers
>
> Tom
Tom,
That's misleading information. Windows Vista and greater DO support SNI
(Server Name Indication) and since those Operating Systems do support
SNI, so does IE. Since most other browser vendors make use of
non-MSFT(usually a form of OpenSSL) crypto, they usually are fine and
have been fine for years.
There is also the possibility of using a Wildcard Certificate as well if
the Domain Name structure is similar.
--Sal
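The two setups discussed in this thread, side by side, as an added example that is not taken from any of the posts: IP-based virtual hosts (what the original poster ended up with) and name-based virtual hosts selected by SNI. The 192.0.2.x addresses and certificate paths are placeholders, and the second alternative assumes an httpd 2.2 build whose mod_ssl and OpenSSL support SNI.

```apache
# Added example, not from the thread. Addresses and file paths are placeholders.

# --- Alternative 1: IP-based SSL virtual hosts (two addresses) ---
# The certificate is chosen from the destination IP, so clients that do
# not send SNI still receive the right one.
Listen 443

<VirtualHost 192.0.2.10:443>
    ServerName www.foobar.com
    SSLEngine on
    SSLCertificateFile    /path/to/www.foobar.com.crt
    SSLCertificateKeyFile /path/to/www.foobar.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName static.foobar.com
    SSLEngine on
    SSLCertificateFile    /path/to/static.foobar.com.crt
    SSLCertificateKeyFile /path/to/static.foobar.com.key
</VirtualHost>

# --- Alternative 2: name-based SSL virtual hosts (one address, SNI) ---
# Use instead of alternative 1, not together with it.
Listen 443
NameVirtualHost *:443          # httpd 2.2 directive

# off (default): a client that sends no SNI is served by the first vhost
#   below and sees www's certificate for every name (the symptom in the
#   original question).
# on: a client that sends no SNI is refused instead.
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
    ServerName www.foobar.com
    SSLEngine on
    SSLCertificateFile    /path/to/www.foobar.com.crt
    SSLCertificateKeyFile /path/to/www.foobar.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName static.foobar.com
    SSLEngine on
    SSLCertificateFile    /path/to/static.foobar.com.crt
    SSLCertificateKeyFile /path/to/static.foobar.com.key
</VirtualHost>
```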
Re: [users@httpd] multiple SSL on one computer - IP
Posted by Tom Evans <te...@googlemail.com>.
On Wed, Apr 21, 2010 at 11:48 PM, Michael Ni <mi...@gmail.com> wrote:
> i have a situation where I have only one computer (one IP) with
> 2 virtual hosts
>
> one virtual host is static.foobar.com
>
> one virtual host is www.foobar.com
>
> both have separate ssl certs registered to the corresponding domain.
>
> i tried putting SSL in each but apache is using the first one registered.
>
> How can I get this to work without need another computer?
>
>
>
You won't need another computer, but you will need another IP address
if you wish to support IE. Sorry, it's how it works.
Cheers
Tom
Re: [users@httpd] multiple SSL on one computer - IP
Posted by Jason Nunnelley <ja...@jasonn.com>.
Blah! I guess a link would be nice:
http://www.digicert.com/unified-communications-ssl-tls.htm
On 4/21/10 8:55 PM, Jason Nunnelley wrote:
> There are probably competing, if not free, methods of achieving the
> same end. If you need a branded cert, this is a good company. I
> endorse them and I'm not a reseller :) Maybe I should be. But, they
> helped me out of a bind more than once and it's a great solution for
> cloud or ephemeral server SSL solutions.
>
--
Jason A. Nunnelley
+1 2562971652
http://www.google.com/profiles/imjasonn
[Member Tekany, LLC]
Re: [users@httpd] multiple SSL on one computer - IP
Posted by Jason Nunnelley <ja...@jasonn.com>.
There are probably competing, if not free, methods of achieving the same
end. If you need a branded cert, this is a good company. I endorse them
and I'm not a reseller :) Maybe I should be. But, they helped me out of
a bind more than once and it's a great solution for cloud or ephemeral
server SSL solutions.
--
Jason A. Nunnelley
+1 2562971652
http://www.google.com/profiles/imjasonn
[Member Tekany, LLC]