You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Frédéric Jolliton <ht...@frederic.jolliton.com> on 2006/03/16 12:55:45 UTC
[users@httpd] Re: Are multiple ok with wildcard cert ?
Hi Markus,
[..]
>> Again, there is no problems with this config, but I was just
>> wondering about its validity.
[..]
> Actually, having multiple HTTPS virtual hosts on the same IP address
> is not possible becasue of limitations in SSL itself.
Are you sure you read my message in details ? I presented a *working*
configuration (I'm running it on my server.)
It's possible to have several https virtual hosts on the same IP
address (on the same port), as long as the certificate's 'cn' field
match all the corresponding domain names. So you need a wildcard
certificate (and client supporting at least one '*' wildcard.) And to
be more precise, it works even without any valid 'cn' as long as the
client process https without taking care of the certificate (useless
and bad, but possible.)
I asked because I would like to know if it's fine to configure the
server as shown in my original message.
--
Frédéric Jolliton
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Are multiple ok with wildcard cert ?
Posted by Markus Mayer <my...@gmx.at>.
Then it seems I will have to find our more about the wildcard certificates,
maybe they will save me some work....
On Thursday 16 March 2006 15:49, Ryan McDonald wrote:
> Actually it is possible since a wildcard certificate is being used
>
> As long as each virtual host is valid for that certificate everything
> will work.
>
> Example wildcard certificate for *.mydomain.com
>
> and the following virtual hosts
>
> <VirtualHost *:80 *:443>
> ServerName www.mydomain.com
> ...
> </VirtualHost>
>
> <VirtualHost *:80 *:443>
> ServerName www2.mydomain.com
> ...
> </VirtualHost>
>
>
> The wildcard certificate is valid for both virtual hosts so this
> scenario will work
>
> On 16-Mar-06, at 7:48 AM, Markus Mayer wrote:
> > Hi,
> >
> > OK, I didn't make my point very well actually. Yes it works even
> > when you
> > have multiple ssl hosts on the same IP. The problem is only one
> > certificate
> > is valid, and the browser will put up a message saying something
> > like the
> > certificate is valid but not issued for this host. This is the
> > thing that
> > doesn't work that I was talking about. As for a wildcard
> > certificate, I
> > actually haven't heard of one, which of course doesn't say they
> > don't exist.
> >
> > So, to answer your question, yes, what you have will run, but it
> > doesn't
> > really make much sence, especially if you have to provide a commercial
> > solution, as I do.
> >
> > greetings from Austria
> > Markus
> >
> > On Thursday 16 March 2006 12:55, Frédéric Jolliton wrote:
> >> Hi Markus,
> >>
> >> [..]
> >>
> >>>> Again, there is no problems with this config, but I was just
> >>>> wondering about its validity.
> >>
> >> [..]
> >>
> >>> Actually, having multiple HTTPS virtual hosts on the same IP address
> >>> is not possible becasue of limitations in SSL itself.
> >>
> >> Are you sure you read my message in details ? I presented a *working*
> >> configuration (I'm running it on my server.)
> >>
> >> It's possible to have several https virtual hosts on the same IP
> >> address (on the same port), as long as the certificate's 'cn' field
> >> match all the corresponding domain names. So you need a wildcard
> >> certificate (and client supporting at least one '*' wildcard.) And to
> >> be more precise, it works even without any valid 'cn' as long as the
> >> client process https without taking care of the certificate (useless
> >> and bad, but possible.)
> >>
> >> I asked because I would like to know if it's fine to configure the
> >> server as shown in my original message.
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server
> > Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: Are multiple ok with wildcard cert ?
Posted by Ryan McDonald <rm...@futurebrand.com>.
Actually it is possible since a wildcard certificate is being used
As long as each virtual host is valid for that certificate everything
will work.
Example wildcard certificate for *.mydomain.com
and the following virtual hosts
<VirtualHost *:80 *:443>
ServerName www.mydomain.com
...
</VirtualHost>
<VirtualHost *:80 *:443>
ServerName www2.mydomain.com
...
</VirtualHost>
The wildcard certificate is valid for both virtual hosts so this
scenario will work
On 16-Mar-06, at 7:48 AM, Markus Mayer wrote:
> Hi,
>
> OK, I didn't make my point very well actually. Yes it works even
> when you
> have multiple ssl hosts on the same IP. The problem is only one
> certificate
> is valid, and the browser will put up a message saying something
> like the
> certificate is valid but not issued for this host. This is the
> thing that
> doesn't work that I was talking about. As for a wildcard
> certificate, I
> actually haven't heard of one, which of course doesn't say they
> don't exist.
>
> So, to answer your question, yes, what you have will run, but it
> doesn't
> really make much sence, especially if you have to provide a commercial
> solution, as I do.
>
> greetings from Austria
> Markus
>
> On Thursday 16 March 2006 12:55, Frédéric Jolliton wrote:
>> Hi Markus,
>>
>> [..]
>>
>>>> Again, there is no problems with this config, but I was just
>>>> wondering about its validity.
>>
>> [..]
>>
>>> Actually, having multiple HTTPS virtual hosts on the same IP address
>>> is not possible becasue of limitations in SSL itself.
>>
>> Are you sure you read my message in details ? I presented a *working*
>> configuration (I'm running it on my server.)
>>
>> It's possible to have several https virtual hosts on the same IP
>> address (on the same port), as long as the certificate's 'cn' field
>> match all the corresponding domain names. So you need a wildcard
>> certificate (and client supporting at least one '*' wildcard.) And to
>> be more precise, it works even without any valid 'cn' as long as the
>> client process https without taking care of the certificate (useless
>> and bad, but possible.)
>>
>> I asked because I would like to know if it's fine to configure the
>> server as shown in my original message.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: Are multiple ok with wildcard cert ?
Posted by Markus Mayer <my...@gmx.at>.
Hi,
OK, I didn't make my point very well actually. Yes it works even when you
have multiple ssl hosts on the same IP. The problem is only one certificate
is valid, and the browser will put up a message saying something like the
certificate is valid but not issued for this host. This is the thing that
doesn't work that I was talking about. As for a wildcard certificate, I
actually haven't heard of one, which of course doesn't say they don't exist.
So, to answer your question, yes, what you have will run, but it doesn't
really make much sence, especially if you have to provide a commercial
solution, as I do.
greetings from Austria
Markus
On Thursday 16 March 2006 12:55, Frédéric Jolliton wrote:
> Hi Markus,
>
> [..]
>
> >> Again, there is no problems with this config, but I was just
> >> wondering about its validity.
>
> [..]
>
> > Actually, having multiple HTTPS virtual hosts on the same IP address
> > is not possible becasue of limitations in SSL itself.
>
> Are you sure you read my message in details ? I presented a *working*
> configuration (I'm running it on my server.)
>
> It's possible to have several https virtual hosts on the same IP
> address (on the same port), as long as the certificate's 'cn' field
> match all the corresponding domain names. So you need a wildcard
> certificate (and client supporting at least one '*' wildcard.) And to
> be more precise, it works even without any valid 'cn' as long as the
> client process https without taking care of the certificate (useless
> and bad, but possible.)
>
> I asked because I would like to know if it's fine to configure the
> server as shown in my original message.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org