doubts with ssl

am 07.05.2003 20:39:52 von modssl

I have some doubts about the SSL protocol. Actually we have apache-modssl with a
test certificate. Now we would like one signed by a Certification Authority.
The first doubt is about private IPs: we have only a public IP, which is on a
firewall, and most requests (http, https, ftp etc.) are redirected to
internal servers. Internal servers have only private IPs.

So my first question is, could SSL work on a private IP?

The second is about the FQDN. The webserver has "servidorweb" as host name, and
"servidorweb.mydomain.com" as fully qualified domain name. Anyway, we have
configured our DNS to point www.mydomain.com at the webserver's IP.

The second question is, is it necessary to change the host name of the webserver
from servidorweb to www?


Thanks in advance.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: doubts with ssl

am 08.05.2003 09:07:23 von Boyle Owen

>-----Original Message-----
>From: modssl@isabeldeespana.org [mailto:modssl@isabeldeespana.org]
>
>The first doubt is about private IPs: we have only a public IP,
>which is on a firewall, and most requests (http, https, ftp etc.) are
>redirected to internal servers. Internal servers have only private IPs.
>
>So my first question is, could SSL work on a private IP?

The firewall is not a problem - you only have to ensure that it is open
on port 443. The FW works at the TCP/IP layer and simply routes the
packets between the client and the server. If it also does Network
Address Translation (changing the IP address from public to private)
then that is not a problem either since this is an attribute of the
TCP/IP packet. The encryption is all at the HTTP layer which is *inside*
the TCP/IP packet.

Does the inside of the FW connect directly to the SSL-server? If so, no
problem. If it goes through a proxy, you need to ensure that the proxy
understands the CONNECT method. This means that the proxy will pass
packets blindly without trying to read them.

Just to be clear; SSL doesn't care about IP addresses - the
authentication phase is based on comparing the hostname in the request
with the common name in the certificate - read on...

>The second is about the FQDN. The webserver has "servidorweb" as host
>name, and "servidorweb.mydomain.com" as fully qualified domain name.
>Anyway, we have configured our DNS to point www.mydomain.com at the
>webserver's IP.
>
>The second question is, is it necessary to change the host name of the
>webserver from servidorweb to www?

The way it works is that when you buy the certificate, you define a
"common-name". This is like "www.myserver.com". When a user wants to
visit your site, he types in "www.myserver.com" into his browser. The
browser then requests the site and gets back the certificate. The
browser checks that the common-name in the cert matches the fqdn that
the user typed in. If yes, all is well and the SSL connection is
established. If not, the browser alerts the user because there is now a
possibility that the site is a fake since certificate doesn't match the
fqdn. This is the *authentication* phase of SSL (which is just as
important as the encryption phase).

To answer your question, you can use any name you like in the
certificate (i.e. the common-name) but you must make sure that the
browser comes to your site with that name. This can be a problem if you
have a lot of aliases for the site (.net, .org etc.). You used to be
able to get wildcard certs but I don't know what the current status is
on that.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

