Re: SSL/TLS certificates with virtual domains

On 8/23/07, Nels Lindquist <nlindq@xxxxxxx> wrote:
Hi, all.

I'm configuring a Cyrus IMAPD server for a number of virtual domains,
and I'm concerned about a potential issue with SSL/TLS for the virtual
hosts, which is that I can't find a way of specifying different
certificates for each virtual host.

SSL only permits one certificate per IP address (this is by design), but
TLS should be able to support one certificate per domain, but I don't know how
to do that with cyrus-imap.

Anyway, what I did is to make my certificate "compatible" with all my domains.
I used the openssl option "subjectAltName" to define multiple domains per certificate.

You can find more at the end of my post on the open-ssl mailing list with the subject "wildcard certificate for *.*.example.com".

This works for cyrus, http, postfix ssl (also tls) connections.

 

We strongly encourage users to use encryption, but I don't want mail
clients throwing a certificate name mismatch error every time they
connect to anything other than the default domain.

I checked the docs/man pages/FAQ but haven't found a per-domain way of
configuring different cert/key files.

I'm hoping this functionality exists, but is as yet undocumented...

I'm using version 2.3.8, if that makes any difference.

Thanks!

Nels Lindquist
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html



--
Alain Spineux
aspineux gmail com
May the sources be with you
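
The subjectAltName approach described in the reply above, as an added example that is not part of the original post or the poster's own configuration: it builds a self-signed test certificate listing several virtual domains and uses `openssl x509 -checkhost` to show which host names a client would accept. The host names, file names and the helper functions `make_san_cert` and `cert_covers` are assumptions made for illustration.

```shell
# Added example: one certificate whose subjectAltName lists every virtual
# domain. All host names below are constructed sample values.

# make_san_cert OUTDIR NAME... : writes san.cnf, server.key, server.crt
make_san_cert() {
    outdir=$1; shift
    cn=$1                      # first name doubles as the subject CN
    i=0; alt=""
    for name in "$@"; do       # one DNS.<n> entry per virtual domain
        i=$((i + 1))
        alt="${alt}DNS.${i} = ${name}
"
    done
    cat > "$outdir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no

[ dn ]
CN = ${cn}

[ v3_san ]
subjectAltName = @alt_names

[ alt_names ]
${alt}
EOF
    # Self-signed for the demo; a CA-issued cert would carry the same extension.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$outdir/san.cnf" \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" 2>/dev/null
}

# cert_covers CERT HOST : exit 0 if OpenSSL's host check accepts HOST for CERT
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Demo: a wildcard entry covers exactly one label, so a.b.example.net fails,
# and a domain missing from the list (mail.example.edu) fails as well.
demo_dir=$(mktemp -d)
make_san_cert "$demo_dir" mail.example.org mail.example.com '*.example.net'
for h in mail.example.org mail.example.com imap.example.net \
         a.b.example.net mail.example.edu; do
    cert_covers "$demo_dir/server.crt" "$h" \
        && echo "$h: covered" || echo "$h: name mismatch"
done
rm -rf "$demo_dir"
```

Running the same `cert_covers` check against the certificate actually deployed, once per hosted domain, shows in advance which mail clients would get a name mismatch warning.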