On Mon, 2006-01-23 at 18:46 -0500, Thomas E Dukes wrote:
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Johnny Hughes
Sent: Monday, January 23, 2006 6:23 PM
To: CentOS ML
Subject: Re: [CentOS] Self-signed certificates
On Mon, 2006-01-23 at 18:16 -0500, Jim Perrin wrote:
Hmmm. I'll give that a try. Not really interested in the error about being 'self-signed' (issuing authority) but just want the name to be right and the security to be there.
Will try and let you know.
http://httpd.apache.org/docs/2.0/vhosts/name-based.html
Note the line near the top that says "Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol." And also http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
The first just says you can't. The second provides a more detailed reason. The way I gave you is really the only way to accomplish what you're doing with mod_ssl etc.
I spent much time around trying to figure out a way to do this ... only way I found ... do it by IP ... each SSL cert needs to be on a different IP
You may be correct, but up to a month or so ago I wasn't able to even get SSL working on more than one virtual domain at a time. The certificate may have the wrong name but it is working.
How do you do a shared certificate?
Here is the problem ... the headers come in ... they are encrypted. They have to be decrypted to read them. At this point, the machine doesn't know which certificate to use, so it uses the default one.
Once the header is decrypted, now it can go to the correct website, but it only uses the default certificate.
If you want to have a separate certificate, you must either have a separate IP address or a separate port so that the machine can know what certificate to use while the header is still encrypted ...
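
The separate-IP and separate-port layouts described in the last message, sketched as an Apache mod_ssl configuration. This is an added example and not part of the original thread; the addresses, hostnames and file paths are constructed placeholders.

```apache
# Constructed example: all IPs, names and paths below are placeholders.
# The server picks the <VirtualHost> (and so the certificate) from the
# IP:port the client connected to, which is known before anything is decrypted.

Listen 192.0.2.10:443
Listen 192.0.2.11:443
Listen 192.0.2.10:8443

# Site A: its own IP address, its own certificate
<VirtualHost 192.0.2.10:443>
    ServerName www.site-a.example
    DocumentRoot /var/www/site-a
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/site-a.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/site-a.key
</VirtualHost>

# Site B: a second IP address, so a different certificate can be presented
<VirtualHost 192.0.2.11:443>
    ServerName www.site-b.example
    DocumentRoot /var/www/site-b
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/site-b.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/site-b.key
</VirtualHost>

# Site C: shares Site A's IP but uses a separate port instead
# (clients must use https://www.site-c.example:8443/)
<VirtualHost 192.0.2.10:8443>
    ServerName www.site-c.example
    DocumentRoot /var/www/site-c
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/site-c.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/site-c.key
</VirtualHost>
```

Each certificate's common name should match the ServerName of the vhost that serves it, which gives the "right name" the original poster asked for even when the certificates are self-signed.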