Re: Two Name-Based Virtual Hosts : Two SSL Certificates?


 



I think people have been saying SNI does not satisfy the Safari browser.

The SSL warning still pops up. Can someone verify?



On Sat, Apr 24, 2010 at 3:03 PM, Jason Nunnelley <jason@xxxxxxxxxx> wrote:
On 4/24/10 4:42 PM, Wang, Mary Y wrote:
Crypto,

Thanks for the info on SNI.  I'm currently running on httpd-2.0.46, therefore, SNI support is not there. The browsers support listed on that wiki can't support the browser versions that are offered in the company currently. The application is running on Redhat 3.9.

Are you saying that I can request two IPs for the same server?  I'd need to contact our admin over here.  I am not sure if we can request a wildcard cert either.

If I just request another SSL cert for the second site (not doing any of the methods that you listed below), would Apache still use the default SSL cert for the main site? The user would still get that warning?  Is that what you are saying?

Please advise.

Mary, you've got a few options here.

1) Upgrade your server and run SNI even though most sys admins refuse to run it. Not likely going to be your pick.
2) Add an IP number to your server and run multiple IPs, allowing you to set up traditional IP based SSL hosting. You have to do 1 IP per SSL cert if you do this. This is an IP on the server. So, you'll configure the server to take an extra IP and then add the IP to the configuration for the SSL Apache config.
3) Run a unified multi-domain SSL certificate. You'll have to buy a new certificate from someone who sells a unified certificate. It means you can run multiple domains on the same IP, each with different domain names, but hosted on the same IP. Some call this a "wildcard" SSL cert. But, typical wildcard SSL certs are meant for X.domain.com and not X.com and Y.com. You'll want a cert where you can assign multiple domains to the single cert.

Most host providers will sell you an IP for this purpose, if it's an actual physical server. If it's ephemeral (cloud hosting), that's likely not an option.

You can not run multiple domain certificates without either IP based SSL configuration or SNI. IP based SSL certificates will apply the first certificate it finds in the configuration. The second is an error, or superfluous. It's actually a broken configuration and you should receive an apachectl configtest error message if you test the configuration.

--

Jason A. Nunnelley
+1 2562971652

http://www.google.com/profiles/imjasonn

[Member Tekany, LLC]



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
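
An added example, not part of the thread and not Apache's code: a simplified Python model of the options discussed above (SNI, one IP per certificate, a multi-domain certificate, a wildcard certificate), showing which certificate the server presents and whether the browser would warn. Hostnames, addresses and function names are constructed for illustration.

```python
# Simplified model of certificate selection and browser name checking.
# Not Apache's code; hostnames and addresses below are constructed.

def name_matches(pattern, host):
    """Certificate name vs. hostname; '*' stands for exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def select_cert(vhosts, ip, host, sni):
    """vhosts is an ordered list of (ip, server_name, cert_names)."""
    on_ip = [v for v in vhosts if v[0] == ip]
    if not on_ip:
        return None
    if sni:  # client sent the hostname in the TLS handshake
        for _, server_name, cert_names in on_ip:
            if server_name.lower() == host.lower():
                return cert_names
    return on_ip[0][2]  # otherwise the first vhost on that address wins

def browser_warns(vhosts, ip, host, sni=False):
    """True when the presented certificate does not cover the requested host."""
    cert_names = select_cert(vhosts, ip, host, sni)
    return cert_names is None or not any(name_matches(n, host) for n in cert_names)

A, B = "www.site-a.example", "www.site-b.example"
IP1, IP2 = "192.0.2.10", "192.0.2.11"
SHARED_IP = [(IP1, A, [A]), (IP1, B, [B])]            # two certs, one address
TWO_IPS = [(IP1, A, [A]), (IP2, B, [B])]              # one address per cert
MULTI_DOMAIN = [(IP1, A, [A, B]), (IP1, B, [A, B])]   # one cert naming both sites
WILDCARD = [(IP1, A, ["*.site-a.example"]), (IP1, B, ["*.site-a.example"])]

if __name__ == "__main__":
    cases = [("two certs, shared IP, no SNI", SHARED_IP, IP1, False),
             ("two certs, shared IP, SNI", SHARED_IP, IP1, True),
             ("one IP per cert", TWO_IPS, IP2, False),
             ("multi-domain cert", MULTI_DOMAIN, IP1, False),
             ("wildcard cert for site-a", WILDCARD, IP1, False)]
    for label, cfg, ip, sni in cases:
        print(f"{label}: warning for {B} = {browser_warns(cfg, ip, B, sni)}")
```
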


