----- "Grant" <emailgrant@xxxxxxxxx> wrote:

> >> I need to set up SSL certificates for multiple domain names on a
> >> single server. I've done some research and I think these are my
> >> options:
> >>
> >> 1. use multiple IPs
> >> drawbacks: requires separate apache2 config for each SSL domain, extra
> >> IPs must be allocated by the hosting company
> >>
> >> 2. use multiple ports
> >> drawbacks: requires separate apache2 & firewall config for each SSL
> >> domain, port numbers look weird in the URL
> >>
> >> 3. Server Name Indication
> >> drawbacks: browser support is not widespread enough yet
> >>
> >> 4. X.509 v3 with subjectAltName
> >> drawbacks: ???
> >>
> >> Are there other options? Are there drawbacks to relying on X.509 v3
> >> with subjectAltName, or is that the way to go?
> >
> > Options 1) and 2) don't require separate apache2 configs. You can have
> > apache listen to multiple IPs or Ports. Just add the necessary
> > "Listen" statements to your config, and then a virtualhost for each
> > SSL host.
> >
> > Personally I think that until SNI adoption gets more widespread the
> > best option is 1) if you have the IPs to spare, as it doesn't have any
> > more config overhead than the other options and is going to work as
> > expected.
> >
> >
> > Krist
>
> Thanks Krist.
>
> The "virtualhost for each SSL host" is what I mean by separate apache2
> configs. I'd like to be able to define different domain names on the
> fly within my perl scripts without changing apache2 config. Maybe
> we're just not there yet?

You can also use things like mod_macro to enable that kind of flexibility.

> Why would you use multiple IPs instead of X.509 v3 with
> subjectAltName? Does subjectAltName have any drawbacks?

Though more widely spread, it's the same as for SNI: It's not supported by all
browsers/libraries.
One example that comes to my mind is serf.

> - Grant
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/
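
Added example, not part of the original thread or written by any of its participants: a sketch of option 1 (one IP per SSL host, with the "Listen" statements Krist describes) combined with the mod_macro suggestion, so that each SSL host is a single line of config. The macro name, IP addresses, host names and file paths are placeholders chosen for illustration, and mod_macro is assumed to be loaded.

```apache
# Added illustration; addresses, host names and paths below are placeholders.
# Option 1 from the thread: one IP address per SSL host. The certificate is
# chosen by the address the client connected to, so it works with clients
# that support neither SNI nor subjectAltName.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

# Hypothetical macro "SSLHost": the per-host VirtualHost block is written
# once, with the address and host name as parameters.
<Macro SSLHost $ip $name>
  <VirtualHost $ip:443>
    ServerName $name
    DocumentRoot /var/www/$name

    SSLEngine on
    # One certificate and key per host name, each naming only that host.
    SSLCertificateFile    /etc/ssl/certs/$name.crt
    SSLCertificateKeyFile /etc/ssl/private/$name.key
  </VirtualHost>
</Macro>

# Each SSL host is now one line; the matching Listen line above is still needed.
Use SSLHost 192.0.2.10 www.example.com
Use SSLHost 192.0.2.11 www.example.org
```

Macros are expanded when the configuration is parsed, so adding a host this way still means adding a `Use` line and reloading the server; it shortens the per-host config but does not define hosts at request time.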