[Devel] Re: [Users] TLS setup

Klaus Darilion klaus.mailinglists at pernau.at
Tue Oct 11 09:22:16 CEST 2005


Dan Pascu wrote:
> On Tuesday 11 October 2005 01:25, Cesc wrote:
> 
>>Hi,
>>see inline ...
>>
>>On 10/10/05, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
>>
>>>Hi Juha,
>>>
>>>not sure, but maybe the certificate to be used should be selected
>>>based on the domain advertised in the received certificate. Like if
>>>you received a certificate advertising server1.com
>>><http://server1.com>, you should use the
>>>client/server certificate you have with that domain....
>>
>>it just would not work.
>>When you are dialing out you already know the cert you want to use
>>(let's assume that you can select the cert when doing multidomain). In
>>the TLS handshake, you are the client ... but the server must send its cert
>>FIRST ... thus, me, as the receiving proxy (serving multi-domain), have
>>no idea who you are, so I should provide you with my host cert (not the
>>cert of the domain I am serving). I just checked the behavior of the
>>web server which hosts my web domain and it actually does that (it
>>presents me with its host certificate) and the browser pops up a warning
>>telling me that the cert subject and/or CN does not match my requested
>>domain ...
> 
> 
> In Apache you can configure a different certificate for each virtual 
> address, so each cert's data matches the corresponding virtual domain.
> Then the browser won't warn you about name mismatches.
> 
> The question is how does Apache know which cert to present you, since at 
> the TLS negotiation level it doesn't yet know the virtual web address you 
> are requesting.

Apache uses a dedicated socket (IP address or port) for each hosted SSL 
domain.

regards
klaus

> 
> 
>>In ser, this could be dealt with at the config level, 
>>automatically, provided some module provides this functionality ...
>>
>>Regards,
>>
>>Cesc
> 
> 
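The dedicated-socket layout Klaus describes, written out as an added Apache configuration example (this is not from the thread or the ser project; hostnames, addresses and file paths are constructed placeholders):

```apache
# Added example: one listening address per SSL domain, so the certificate
# Apache presents in the handshake already matches the site being served.
# 192.0.2.x addresses, hostnames and paths are placeholders.

Listen 192.0.2.10:443
Listen 192.0.2.11:443

# One address, one certificate: the server knows which cert to send
# before the client has named the site it wants.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key
</VirtualHost>

# A second domain on its own address (a dedicated port on the same
# address, e.g. Listen 192.0.2.10:8443, works the same way).
<VirtualHost 192.0.2.11:443>
    ServerName www.example.net
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.example.net.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.net.key
</VirtualHost>

# Contrast, the name-based layout Cesc observed on his web host: two SSL
# vhosts sharing one address only ever present the first vhost's
# certificate, because the handshake completes before the Host header is
# sent, so clients of the second site get a name-mismatch warning.
#
# Listen 192.0.2.20:443
# <VirtualHost 192.0.2.20:443> ServerName www.example.com ... </VirtualHost>
# <VirtualHost 192.0.2.20:443> ServerName www.example.net ... </VirtualHost>
```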