On Fri, Sep 07, 2007 at 01:06:29PM +0200, admin@??? wrote:
> Hello Michiel,
>
> > Yes, that what I mean. They resolve to 1 IP address. Something like
> > Apache with virtual domains.
>
> Well, you can't use certs/SSL for virtual hosts sharing the same IP
> address in Apache either.
>
> That is because of a "catch 22" problem: the requested hostname for the vhost is
> located in HTTP request that is encapsulated in SSL packet, while
> without the hostname the webserver doesn't know which vhost config it
> needs to use (see SSL FAQ). Hence, if you want to use SSL, it's only
> one website per IP address.
>
> > It can see the hostname the user used to
> > connect to the server, although I think that's part of the HTTP protocol
> > though.
>
> ..which is encapsulated inside the SSL. Apparently you hit the same
> problem with email as the Web developers hit with vhost/SSL
> combination earlier. Solution for email is probably the same as for
> the web: one cert per one IP address.
Well, TLS and SNI solve it. It looks pretty simple - during the TLS
handshake the client tells the server which vhost it wants to connect to, and
based on this information the server can choose the proper certificate.
This is not widely used, mostly due to the lack of a solid implementation -
apache's mod_ssl does not support it yet. On the other hand there is
mod_gnutls which does provide support for SNI and TLS, and it works
(tested myself). Yet there is a catch - it is not production-ready yet
(experimental - as the author claims).
Opera, Firefox and Internet Explorer seem to support TLS/SNI, Konqueror doesn't.
I am wondering if this technology - if implemented - could be used in
SMTP - STARTTLS probably won't work - as at that moment the MTA doesn't
have the proper information. But what about SNI?
--
http://www.mysza.eu.org/ | Everybody needs someone sure, someone true,
PLD Linux developer | Everybody needs some solid rock, I know I do.
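The point made above is that the server_name extension travels in the ClientHello, i.e. before any key exchange, so the server can pick a certificate per vhost while the hostname is still readable on the wire. The following Python is an added example, not code from this thread or from mod_gnutls/mod_ssl: it builds a minimal TLS ClientHello record with (or without) an SNI extension and parses one back out. The hostname `mail.example.org`, the fixed all-zero client random and the two cipher suites are constructed test values, not anything from the original mail.

```python
"""Build and parse a minimal TLS ClientHello to show where SNI lives.

Added example (not from the mailing-list thread). Field layout follows
RFC 4346 (ClientHello) and RFC 4366 (server_name extension, type 0).
"""
import struct


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def build_client_hello(hostname=None, cipher_suites=(0x002F, 0x0035)):
    """Return a TLS record holding a ClientHello.

    hostname=None produces a hello with no extensions block at all, which
    is what an SNI-unaware client (e.g. Konqueror of that era) sends.
    The client random is fixed to zeros so the output is reproducible;
    a real client fills it with fresh randomness.
    """
    client_random = bytes(32)                      # constructed, not random
    session_id = b""
    suites = b"".join(_u16(c) for c in cipher_suites)
    compression = b"\x00"                          # null compression only

    if hostname is None:
        extensions = b""
    else:
        host = hostname.encode("idna")
        # ServerName: NameType host_name (0) + 2-byte length + name
        entry = b"\x00" + _u16(len(host)) + host
        server_name_list = _u16(len(entry)) + entry
        ext = _u16(0x0000) + _u16(len(server_name_list)) + server_name_list
        extensions = _u16(len(ext)) + ext

    body = (b"\x03\x01" + client_random
            + bytes([len(session_id)]) + session_id
            + _u16(len(suites)) + suites
            + bytes([len(compression)]) + compression
            + extensions)
    handshake = b"\x01" + _u24(len(body))          # HandshakeType client_hello
    record = b"\x16\x03\x01" + _u16(len(handshake) + len(body))  # handshake record
    return record + handshake + body


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None.

    Raises ValueError on anything that is not a well-formed ClientHello record.
    Everything read here is plaintext: no key has been negotiated yet.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 34:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                   # version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    if pos >= len(body):
        return None                                # no extensions at all

    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        list_len = struct.unpack("!H", edata[0:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            name = edata[q:q + nlen]
            q += nlen
            if ntype == 0:                         # host_name
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    rec = build_client_hello("mail.example.org")
    print(extract_sni(rec))                        # mail.example.org
    print(b"mail.example.org" in rec)              # True: hostname is in the clear
    print(extract_sni(build_client_hello()))       # None: SNI-unaware client
```

A server-side dispatcher would call `extract_sni` on the first record it reads from the socket and use the result to select the certificate for that vhost; a client that sends no extension, as the last call shows, must fall back to a default certificate for that IP address, which is exactly the one-cert-per-IP limitation the thread started from.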