Re: [Exim] Multiple SSL certificates

Author: Mike Richardson
Date:  
To: Tony Finch
CC: exim-users
Subject: Re: [Exim] Multiple SSL certificates
On Mon, Oct 27, 2003 at 10:05:36AM +0000, Tony Finch wrote:
> Mike Richardson <doctor@???> wrote:
> >
> >Unless there is a variable in exim which stores the hostname which the
> >client is configured to connect to (reverse IP lookup doesn't help), as
> >opposed to the hostname of the machine it is connected to, then
> >unfortunately this doesn't help.
>
> SMTP doesn't allow the server to find out what the client thinks
> the server's name is, which is necessary for multiple certificates to
> work. You have to have a separate IP address for each name, and choose the
> certificate to present based on the address. This is a problem with almost
> all TLS implementations -- in fact it's one of the classic https FAQs.


In our case we're using round robin DNS to pick from two machines.
So securemail.man.ac.uk is either 130.88.200.46 or .47. So in your
scenario I'd have to add another IP address to each machine and set
up another RRDNS entry? Also I'd need the appropriate reverse lookup
table on each machine?

I suppose that the alternative for us is to use one machine for each TLS
domain, although this would remove any resilience from the system.

Thanks,

Mike
--
-----Plain text only please - attachments stripped on arrival.------
Copyright 2003       Mike Richardson, Room G98, Manchester Computing
University of Manchester, M13 9PL     doctor@???    Int: 56009
Left through main doors.         Right then left at end of corridor.
First door on left.   URL http://kira.mcc.ac.uk/  Ext: 0161 275 6009
--------------------------------------------------------------------
"If I want your opinion, I'll **** it out of you!" - Chuck Norris
"If anything happens to my daughter I have a ** and ******" Clueless
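
The per-address certificate selection described in the quoted reply, as an added example that is not part of the original thread: an Exim main-configuration fragment that picks the certificate from the local IP address the client connected to. The 192.0.2.x addresses, file paths and lookup-file names are constructed placeholders; `$received_ip_address` is the variable name in current Exim releases (older releases called it `$interface_address`).

```exim
# Added example: Exim main configuration fragment, not from the original thread.
# Addresses (192.0.2.x) and all paths are constructed placeholders.

# One local address per TLS name; repeat on each machine in the round-robin set,
# each with its own pair of addresses.
local_interfaces = 192.0.2.10 : 192.0.2.11

tls_advertise_hosts = *

# Both options are expanded for each connection, so the address the client
# connected to selects the files. Unlisted addresses fall back to the default pair.
tls_certificate = ${lookup{$received_ip_address}lsearch{/etc/exim/tls/cert-by-ip}{$value}{/etc/exim/tls/default.crt}}
tls_privatekey = ${lookup{$received_ip_address}lsearch{/etc/exim/tls/key-by-ip}{$value}{/etc/exim/tls/default.key}}

# Contents of /etc/exim/tls/cert-by-ip (lsearch format, one "key: value" per line):
#   192.0.2.10: /etc/exim/tls/name-a.example.crt
#   192.0.2.11: /etc/exim/tls/name-b.example.crt
#
# Contents of /etc/exim/tls/key-by-ip:
#   192.0.2.10: /etc/exim/tls/name-a.example.key
#   192.0.2.11: /etc/exim/tls/name-b.example.key
```

Keep the key files readable only by the Exim user, and check each address with a STARTTLS test client to confirm it presents the certificate whose name matches the DNS entry pointing at it.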