[Devel] Re: [Users] TLS setup
Dan Pascu
dan at ag-projects.com
Tue Oct 11 08:19:14 CEST 2005
On Tuesday 11 October 2005 01:25, Cesc wrote:
> Hi,
> see inline ...
>
> On 10/10/05, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
> > Hi Juha,
> >
> > not sure, but maybe the certificate to be used should be selected
> > based on the domain advertised in the received certificate. Like if
> > you received a certificate advertising server1.com, you should use the
> > client/server certificate you have with that domain....
>
> it just would not work.
> When you are dialing out you already know the cert you want to use
> (let's assume that you can select the cert when doing multidomain). In
> TLS handshake, you are the client ... but the server must send its cert
> FIRST ... thus, me, as the receiving proxy (serving multi-domain), have
> no idea who you are, so I should provide you with my host cert (not the
> cert of the domain I am serving). I just checked the behavior of the
> web server which hosts my web domain and it actually does that (it
> presents me with its host certificate) and the browser pops a warning
> telling me that the cert subject and/or CN does not match my requested
> domain ...
In Apache you can configure a different certificate for each virtual
address, so each cert's data matches the corresponding virtual domain.
Then the browser won't warn you about name mismatches.
The question is how does Apache know which cert to present you, since at
the TLS negotiation level it doesn't yet know the virtual web address you
are requesting.
> In ser, this could be dealt at the config level,
> automatically, provided some module provides this functionality ...
>
> Regards,
>
> Cesc
--
Dan
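The warning Cesc describes comes from the hostname check the client runs on the certificate the server sent, and it is what a multi-domain proxy presenting its host cert will trip. The following is an added example, not code from this thread or from SER: it implements that check (subjectAltName dNSName entries first, subject CN only as a fallback, wildcard only as the whole leftmost label) over constructed certificate dicts shaped like Python's ssl getpeercert() output. The domain names, the three certificates and the helper names are all assumptions for illustration; the multi-domain certificate shows that one cert listing every served domain in its SAN passes the check regardless of which domain was dialed.

```python
# Added example (not from the mailing list thread): the hostname check a TLS
# client performs on the certificate the server presented. Certificates below
# are constructed dicts in the shape returned by ssl.SSLSocket.getpeercert().

HOST_CERT = {  # constructed: the proxy's own host certificate
    "subject": ((("commonName", "proxy.example.net"),),),
    "subjectAltName": (("DNS", "proxy.example.net"),),
}

MULTI_DOMAIN_CERT = {  # constructed: one cert whose SAN lists every served domain
    "subject": ((("commonName", "proxy.example.net"),),),
    "subjectAltName": (
        ("DNS", "proxy.example.net"),
        ("DNS", "sip.domain-a.example"),
        ("DNS", "*.domain-b.example"),
    ),
}

LEGACY_CERT = {  # constructed: no SAN at all, only a subject CN
    "subject": ((("commonName", "sip.domain-a.example"),),),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, RFC 6125 style:
    case-insensitive, '*' allowed only as the entire leftmost label, and a
    wildcard never spans a dot or stands in for a whole registered domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False  # 'a*.example' and '*.com' are rejected
    if any("*" in label for label in pat_labels[1:]):
        return False  # a single wildcard, and only in the leftmost label
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if the presented cert is valid for hostname. When dNSName SAN
    entries are present they are authoritative; the subject CN is consulted
    only for certificates that carry no SAN at all."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return any(dns_name_matches(p, hostname) for p in san)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


def handshake_verdict(server_cert: dict, requested_domain: str) -> str:
    """What the client reports after the server sent server_cert while the
    client was dialing requested_domain: 'ok' or the mismatch warning."""
    if cert_matches_hostname(server_cert, requested_domain):
        return "ok"
    return "warning: certificate subject/CN does not match " + requested_domain


if __name__ == "__main__":
    certs = (("host cert", HOST_CERT), ("multi-domain cert", MULTI_DOMAIN_CERT))
    domains = ("sip.domain-a.example", "sip.domain-b.example", "proxy.example.net")
    for cert_name, cert in certs:
        for domain in domains:
            print(f"{cert_name:17} dialing {domain:22} -> {handshake_verdict(cert, domain)}")
```

Running it prints a warning for every served domain when the proxy answers with its host cert, and "ok" for all three when the SAN carries the served domains, which is the same mismatch the browser reported in the thread, reproduced without a network.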