Configuring Multiple Certificates SSL over an unique IP

am 04.11.2002 23:20:12 von asom

Hello,

Is there some way to configure the Apache server to use multiple SSL
certificates over a unique IP, one for each virtual domain?

What is the Apache configuration syntax?

Alex Moraes

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: Configuring Multiple Certificates SSL over an unique IP

am 05.11.2002 08:48:58 von Boyle Owen

No. This is called name-based virtual hosting (NBVH). It works fine for
plain HTTP but is impossible under SSL.

The reason is that NBVH uses the "Host" header to find the VH. But in
SSL, the connection must be established *before* you get the Host
header. So the server cannot decide which VH to use.

Rgds,

Owen Boyle


This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company.

Re: Configuring Multiple Certificates SSL over an unique IP

am 05.11.2002 10:08:07 von ueli

On Tue, 5 Nov 2002 08:48:58 +0100
"Boyle Owen" wrote:

> No. This is called name-based virtual hosting (NBVH). It works fine for
> plain HTTP but is impossible under SSL.
>
> The reason is that NBVH uses the "Host" header to find the VH. But in
> SSL, the connection must be established *before* you get the Host
> header. So the server cannot decide which VH to use.

except if you are using a star-certificate:

if your certificate is *.foo.bar you can use name-based virtual hosting for
the following hosts:

www.foo.bar
test.foo.bar
new.foo.bar
....
what-ever.foo.bar


--
"The software said it requires Windows 95 or better,
so I installed Linux"

RE: Configuring Multiple Certificates SSL over an unique IP

am 05.11.2002 11:21:52 von Boyle Owen

Yes indeed, although this is a rather limited case of NBVH.


Re: Configuring Multiple Certificates SSL over an unique IP

am 05.11.2002 14:17:01 von Peter Viertel

I'm thinking you need to use Virtual Host directives - as others have
replied, you already know that NameVirtualHost won't help - so you need
to put each virtual host on a different IP (or a different port if there
are no spare IPs).

Firstly - configure your operating system to receive all the IPs you
want to use - usually via IP aliases - something you can do in Unix and
Windows, but don't ask me how in Windows.

an example:

your real ip is 192.168.1.2 , and you set up 192.168.1.3 as an extra alias.

I'm assuming you started with httpd.conf as provided with mod_ssl - this
should have the basic SSL configuration bits.

Then in your httpd.conf near the end, in the section,
create a VHost for each cert/ip you want.


<VirtualHost 192.168.1.2:443>
ServerName www.cert1domain.com
SSLCertificateKeyFile conf/ssl.key/cert1.key
SSLCertificateFile conf/ssl.crt/cert1.crt
SSLEngine on
...other conf...
</VirtualHost>

<VirtualHost 192.168.1.3:443>
ServerName www.cert2domain.com
SSLCertificateKeyFile conf/ssl.key/cert2.key
SSLCertificateFile conf/ssl.crt/cert2.crt
SSLEngine on
...other conf...
</VirtualHost>




RE: Configuring Multiple Certificates SSL over an unique IP

am 05.11.2002 14:26:58 von Boyle Owen

Don't forget:

Listen 192.168.1.2:443
Listen 192.168.1.3:443
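
As an added illustration (not code from any poster in this thread), the Python sketch below scans an httpd.conf for the situation the thread describes: several SSL virtual hosts on one address:port that present different certificates. The sample configuration, the host name www.cert3domain.com and its cert3.crt path are constructed for the example, and addresses are compared as literal strings.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): two SSL vhosts split across
# IPs as suggested above, plus a third that reuses 192.168.1.2:443.
SAMPLE_CONF = """
<VirtualHost 192.168.1.2:443>
    ServerName www.cert1domain.com
    SSLEngine on
    SSLCertificateFile conf/ssl.crt/cert1.crt
</VirtualHost>
<VirtualHost 192.168.1.3:443>
    ServerName www.cert2domain.com
    SSLEngine on
    SSLCertificateFile conf/ssl.crt/cert2.crt
</VirtualHost>
<VirtualHost 192.168.1.2:443>
    ServerName www.cert3domain.com
    SSLEngine on
    SSLCertificateFile conf/ssl.crt/cert3.crt
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)


def parse_ssl_vhosts(conf_text):
    """Return one dict per <VirtualHost> block that has SSLEngine on."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = VHOST_OPEN.fullmatch(line)
        if opened:
            current = {"addrs": opened.group(1).split(), "ssl": False,
                       "servername": None, "sslcertificatefile": None}
        elif line.lower() == "</virtualhost>":
            if current and current["ssl"]:
                vhosts.append(current)
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            if len(parts) == 2:
                key, value = parts[0].lower(), parts[1].strip()
                if key == "sslengine":
                    current["ssl"] = value.lower() == "on"
                elif key in ("servername", "sslcertificatefile"):
                    current[key] = value
    return vhosts


def find_cert_conflicts(conf_text):
    """Map address:port -> [(ServerName, cert file)] where the certs differ.

    Assumption: addresses are compared literally, so overlaps between
    "*:443" or "_default_" and a specific IP are not detected.
    """
    by_addr = defaultdict(list)
    for vh in parse_ssl_vhosts(conf_text):
        for addr in vh["addrs"]:
            by_addr[addr].append((vh["servername"], vh["sslcertificatefile"]))
    # Vhosts sharing one certificate (the star-certificate case) are fine.
    return {addr: entries for addr, entries in by_addr.items()
            if len({cert for _, cert in entries}) > 1}


if __name__ == "__main__":
    for addr, entries in find_cert_conflicts(SAMPLE_CONF).items():
        print(addr, "is shared by SSL vhosts with different certificates:")
        for name, cert in entries:
            print("   ", name, "->", cert)
```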


RE: Configuring Multiple Certificates SSL over an unique IP

am 05.11.2002 15:55:58 von keith

How does one go about getting a star certificate?


RE: Configuring Multiple Certificates SSL over an unique IP

am 05.11.2002 16:07:49 von John.Airey

Only Thawte do starred certificates, www.thawte.com, however they are now
fairly restrictive on allowing them. You have to contact a representative
first (i.e. you can no longer get them online).

We are probably not going to bother renewing our current one because they
are now too much hassle.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

If we could learn one thing from September 11th 2001, it would be the utter
absurdity of moral relativism.


-

NOTICE: The information contained in this email and any attachments is
confidential and may be legally privileged. If you are not the
intended recipient you are hereby notified that you must not use,
disclose, distribute, copy, print or rely on this email's content. If
you are not the intended recipient, please notify the sender
immediately and then delete the email and any attachments from your
system.

RNIB has made strenuous efforts to ensure that emails and any
attachments generated by its staff are free from viruses. However, it
cannot accept any responsibility for any viruses which are
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email
and any attachments are those of the author and do not necessarily
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk

Re: Configuring Multiple Certificates SSL over an unique IP

am 05.11.2002 18:09:13 von Harald Koch

Of all the gin joints in all the towns in all the world, "Boyle Owen"
had to walk into mine and say:
> No. This is called name-based virtual hosting (NBVH). It works fine for
> plain HTTP but is impossible under SSL.
>
> The reason is that NBVH uses the "Host" header to find the VH. But in
> SSL, the connection must be established *before* you get the Host
> header. So the server cannot decide which VH to use.

A minor tweak: if you can use a single certificate for all of your
virtual hosts, then you can name them all in the SubjectAltName
extension of the SSL certificate.


--
Harald Koch

"It takes a child to raze a village."
-Michael T. Fry
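
The star-certificate and SubjectAltName suggestions in this thread both depend on a single certificate covering every virtual host name served from the shared IP. This added Python example (not from the thread) checks that coverage, treating a leading `*` as exactly one label; the SAN list and the extra host names foo.bar and a.b.foo.bar are constructed inputs.

```python
def name_matches(cert_name, hostname):
    """True if one certificate name (CN or SubjectAltName entry) covers hostname.

    A leading "*" label stands for exactly one label, so "*.foo.bar" covers
    "www.foo.bar" but neither "foo.bar" nor "a.b.foo.bar". Partial wildcards
    such as "w*.foo.bar" are not expanded.
    """
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(labels) or "" in labels:
        return False
    if pattern[0] == "*":
        # A bare "*" is refused; the labels after the star must match exactly.
        return len(pattern) > 1 and pattern[1:] == labels[1:]
    return pattern == labels


def coverage(cert_names, vhost_names):
    """Map each vhost name to the certificate name covering it, or None."""
    result = {}
    for vhost in vhost_names:
        result[vhost] = next(
            (c for c in cert_names if name_matches(c, vhost)), None)
    return result


# Constructed inputs: host names from the thread plus two edge cases.
STAR_CERT = ["*.foo.bar"]
SAN_CERT = ["www.cert1domain.com", "www.cert2domain.com"]  # hypothetical SAN list
VHOSTS = ["www.foo.bar", "test.foo.bar", "what-ever.foo.bar",
          "foo.bar", "a.b.foo.bar", "www.cert1domain.com"]

if __name__ == "__main__":
    for label, names in (("star", STAR_CERT), ("SAN", SAN_CERT)):
        for vhost, hit in coverage(names, VHOSTS).items():
            status = "covered by " + hit if hit else "NOT covered"
            print(f"{label:5}{vhost:22}{status}")
```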

Re: Configuring Multiple Certificates SSL over an unique IP

am 06.11.2002 01:23:56 von Peter Viertel

The default:

Listen 443

achieves this already. Is there some advantage to doing separate Listens?
