cert handling on redirect of https subdomains

Igor Sysoev is at rambler-co.ru
Thu Sep 11 13:24:49 MSD 2008

On Thu, Sep 11, 2008 at 11:46:24AM +0300, Reinis Rozitis wrote:

> >I think what you are trying to do is impossible. A ssl connection needs to 
> >be established before the virtual host is known. To my knowledge this 
> >limits you to only one certificate per IP.
> Till far I also thought that you need a seperate IP for each domain/cert 
> but as I am reading also Cherokee mailing list they have pulled of to make 
> SSL virtualhosts ( http://www.cherokee-project.com/doc/other_goodies.html 
> page bottom ) which seems a pretty nice feature (I havent tested myself yet 
> though).
> As to answer how it is done there ir a snip from developers mail:
> ----------------------------------------
> There is a TLS extension named SNI (for 'Server Name Indication') that does 
> the trick:
>   RFC 4680: TLS Handshake Message for Supplemental Data
>   RFC 4366: Transport Layer Security (TLS) Extensions
> Basically, the client sends the target host during the initial handshake so 
> Cherokee can pick the right virtual server certificate in advance. In that 
> way the secure connection is stabilized with the right certificate without 
> having to re-handshake.
> Note that both the client and the server libraries must support SNI. 
> Cherokee can use two different SSL/TLS engines; in case you use OpenSSL you 
> might need to either apply a patch or install the latest release. In case 
> you choose to use GnuTLS everything will be fine (it has supported SNI for 
> years now).
> -------------------------------------------
> Maybe worth looking into it?


Igor Sysoev

More information about the nginx mailing list