Dan Carl wrote:
I have two Apache servers behind a firewall with one public IP. I want to run SSL on both machines, one having a self-generated certificate and the other having a commercial cert. The way I understand it is that because of the nature of the SSL protocol you can only have one SSL site per IP. Is there no way around this? Please someone restore my faith that with Linux anything is possible.
Quit moaning about the protocol, or implicating Linux. It's an essential design flaw: the client and server handshake a shared crypto key based on their individual temporary/permanent credentials long before the client ever sends the server a "Host:" header. The platform (Linux) is irrelevant. Since the 90's, the Connection-Upgrade concept has been introduced, which delays SSL handshaking until after the HTTP headers are passed from the client to the server. Unfortunately for you, not one "typical" client (e.g. browser) actually supports this. A number of devices do, e.g. SSL-encrypted, HTTP-proxied network printer devices. But for your typical web user? No. If you are buying a commercial cert, why do you even need a self-signed cert? If it's self-signed, the user gets a popup warning. If the host name doesn't match the cert's CN, then the user gets a popup warning.
Since they get the popup either way, buy a commercial cert for the official content, and use the same cert on the 'internal back end' or whatever purpose you had planned to use a self-signed cert for.

Bill

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info.
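The two popup conditions Bill names (untrusted issuer, CN/SAN not covering the requested host) modelled as a checker, added here as an example and not code from the thread or from Apache. It assumes certificates in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns, constructed sample certs, and a small set of trusted issuer names standing in for the browser's CA store; SAN DNS names take precedence over the CN, with a wildcard covering exactly one leftmost label.

```python
# Added example: which popup(s) a client shows for a given cert/hostname pair.
# The server on a single IP must present its cert before "Host:" arrives, so
# whichever cert it picks is checked against every hostname that IP serves.

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name or a leading-label wildcard against a hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # *.example.org matches a.example.org but not example.org or b.a.example.org
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if the SAN DNS names (or, absent those, the CN) cover hostname."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return any(_dns_name_matches(n, hostname) for n in san)
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in cn)


def browser_warnings(cert: dict, hostname: str, trusted_issuers: set) -> list:
    """Return the popup warnings a client would raise, in the order checked."""
    warnings = []
    issuer = [v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "commonName"]
    if not issuer or issuer[0] not in trusted_issuers:
        warnings.append("untrusted issuer")   # self-signed or unknown CA
    if not cert_matches_host(cert, hostname):
        warnings.append("hostname mismatch")  # CN/SAN does not cover the name
    return warnings


# Constructed sample certs (hypothetical names, getpeercert() layout).
COMMERCIAL_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Commercial CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
SELF_SIGNED_CERT = {  # issuer == subject, no SAN: relies on the CN
    "subject": ((("commonName", "intranet.example.com"),),),
    "issuer": ((("commonName", "intranet.example.com"),),),
}
TRUSTED_CAS = {"Example Commercial CA"}

if __name__ == "__main__":
    # One IP, one cert presented at handshake, two hostnames behind it.
    for host in ("www.example.com", "intranet.example.com"):
        print(host, browser_warnings(COMMERCIAL_CERT, host, TRUSTED_CAS))
```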