Hi all,

Wim Sturkenboom wrote:

> 1)
> Originally I had a couple of websites with ssl (https), each site with
> its own ip-address and its own certificate. In an attempt to save on
> IP-addresses, I thought that subdomains and a wildcard certificate would
> allow me to use one ip-address (and therefore name-based virtual
> hosting).
> Is this the correct assumption? If it's correct, please read on. If this
> is not correct, what to do to get it working?


It will not work. An SSL connection has to be completely
established before content is transmitted (which seems
logical: first do authentication and a key exchange
to enable encryption, then send data over this encrypted
and authenticated channel). The way name-based virtual
hosts work is: the name of the requested server is
written in the HTTP header, which is transmitted after
the connection establishment. The only thing that is
available at the SSL handshake is the IP address (which
may even be used by the client to do a reverse lookup and
compare the DNS name with what is written in the certificate).
So: multiple name-based virtual hosts with SSL will not
work.

For the second question: I am not sure how Apache handles
this, but I am pretty sure that some browsers do not accept
wildcard certificates; they require a complete match of
the full DNS name (I think Internet Explorer still accepts
wildcards). It may be that OpenSSL (and therefore all
OpenSSL-based applications) does not accept wildcard
certificates... The wildcard thing is a bit of a "don't do
that": what kind of authentication do you achieve if
wildcards are allowed? In the times when wildcard certificates
were quite common, there were some rules about where in the
DNS names the wildcards were allowed (e.g. nothing like
"www.mydomain.*", and certainly not "*.*", etc.), but my feeling
is: no exceptions from the simplest rule: always use a
correct certificate for the correct host.

Yes, I know, of course it would come in handy to use only
one IP address and always have the same (wildcard) certificate
for all name-based virtual hosts. But it's not "good style".

Cheers, Olaf

--

Dipl.Inform. Olaf Gellert INTRUSION-LAB.NET
Senior Researcher, www.intrusion-lab.net
PKI - and IDS - Services olaf.gellert@intrusion-lab.net

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
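As an added illustration of the wildcard placement rules Olaf alludes to (this is editor-added example code, not part of the original mail, of mod_ssl or of OpenSSL), the following Python implements a conservative certificate-name matcher: "*" is accepted only as the entire leftmost label, it must be followed by at least two literal labels, and it matches exactly one label of the host name. Shapes like "www.mydomain.*" and "*.*" are rejected before any comparison happens. This is the leftmost-label-only form that later got written down in RFC 6125, section 6.4.3; the host names and the domain "mydomain.example" used below are constructed for the example.

```python
import re

# Assumption: a DNS label is letters, digits and hyphens only (no IDN handling here).
_LABEL = re.compile(r"[a-z0-9-]+")


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def wildcard_is_acceptable(presented: str) -> bool:
    """True if a certificate name is either a plain DNS name or a wildcard
    name of the permitted shape: '*' as the whole leftmost label, nowhere
    else, and followed by at least two literal labels (so '*.example' and
    '*.*' are refused, as are 'www.mydomain.*' and 'w*.mydomain.example')."""
    labels = _labels(presented)
    if any(lbl == "" for lbl in labels):
        return False                      # empty label: '..' or leading '.'
    if "*" not in presented:
        return all(_LABEL.fullmatch(lbl) for lbl in labels)
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]):
        return False                      # wildcard must be the entire first label only
    if len(labels) < 3:
        return False                      # '*.com' would cover a whole TLD
    return all(_LABEL.fullmatch(lbl) for lbl in labels[1:])


def name_matches(presented: str, hostname: str) -> bool:
    """Match one certificate name against the host the client asked for.
    A wildcard stands for exactly one label, so '*.mydomain.example' matches
    'www.mydomain.example' but neither 'mydomain.example' nor
    'a.b.mydomain.example'."""
    if not wildcard_is_acceptable(presented):
        return False
    p, h = _labels(presented), _labels(hostname)
    if any(lbl == "" for lbl in h) or len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def matching_names(cert_names, hostname: str) -> list[str]:
    """Which of a certificate's names (CN / subjectAltName dNSNames) cover
    the requested host; an empty list means the certificate must be refused."""
    return [n for n in cert_names if name_matches(n, hostname)]


if __name__ == "__main__":
    # Constructed sample: the names a wildcard certificate might carry.
    cert = ["mydomain.example", "*.mydomain.example"]
    for host in ["www.mydomain.example", "mydomain.example",
                 "a.b.mydomain.example", "www.otherdomain.example"]:
        print(f"{host:28s} -> {matching_names(cert, host)}")
```

The shape checks run before any comparison on purpose: a name such as "*.*" must never be allowed to match anything, whatever the host name is, and a wildcard that matched more than one label would let one certificate stand in for every host under a domain, which is exactly the "what kind of authentication do you achieve" concern raised above.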