On Saturday 21 June 2008, Paschal Nee wrote:
> > From: Paul Mc Auley <lists at peema.org>
> > It is not possible to have multiple certs configured to handle SSL on a
> > given port on a given IP address.
> It seems this is incorrect. There are a few options that have been
> covered here before.
Hrm, let's see...
Colm MacCarthaigh wrote:
> 1. Use a widlcard host record in the signed cert, and you
> can virtual-host out say www.linux.ie and webmail.linux.ie
> to different locations. Works just fine.
Okay, that case doesn't apply, wildcard certs apply for *.acme.com rather
than server and server.acme.com
> 2. Use TLS server name indication (SNI), this is actually
> supported in modern browsers and puts the hostname
> negotiation in the SSL layer itself.
Is that generally available? Is it something that's in use 'out there'? What
sort of effort is involved in making the usual web server software support
it? What is the minimum version of the popular browsers required to support
> 3. Use the HTTP UPGRADE directive to initiate a TLS connection
> after supplying the Host header. This does not enjoy wide
> support in browsers, but it is support in a variety of
> other HTTP clients and is useful when building APIs and
> services that use HTTP as a transport layer.
And the discussion then goes on to save that the URI would still be http://
and talks about the encryption potentially being 'optional' which means
that while the connection may be secured Joe User doesn't necessarily get
the assurance of seeing https:// in the URL.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!