cert handling on redirect of https subdomains
Igor Sysoev
is at rambler-co.ru
Thu Sep 11 13:24:49 MSD 2008
On Thu, Sep 11, 2008 at 11:46:24AM +0300, Reinis Rozitis wrote:
> >I think what you are trying to do is impossible. An SSL connection needs to
> >be established before the virtual host is known. To my knowledge this
> >limits you to only one certificate per IP.
>
> So far I also thought that you need a separate IP for each domain/cert,
> but as I am reading also the Cherokee mailing list they have pulled off
> SSL virtualhosts ( http://www.cherokee-project.com/doc/other_goodies.html
> page bottom ) which seems a pretty nice feature (I haven't tested it myself
> yet though).
>
>
> To answer how it is done, here is a snippet from the developers' mail:
> ----------------------------------------
> There is a TLS extension named SNI (for 'Server Name Indication') that does
> the trick:
>
> RFC 4680: TLS Handshake Message for Supplemental Data
> RFC 4366: Transport Layer Security (TLS) Extensions
>
> Basically, the client sends the target host during the initial handshake so
> Cherokee can pick the right virtual server certificate in advance. In that
> way the secure connection is stabilized with the right certificate without
> having to re-handshake.
>
> Note that both the client and the server libraries must support SNI.
> Cherokee can use two different SSL/TLS engines; in case you use OpenSSL you
> might need to either apply a patch or install the latest release. In case
> you choose to use GnuTLS everything will be fine (it has supported SNI for
> years now).
> -------------------------------------------
>
>
> Maybe worth looking into it?
http://marc.info/?l=nginx&m=121369122400326
http://marc.info/?l=nginx&m=120996440623257
--
Igor Sysoev
http://sysoev.ru/en/
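The quoted Cherokee mail describes the mechanism without showing it: the client names the target host inside the very first handshake message, so a server holding several certificates on one IP:port can select the right one before it sends its own certificate. The script below is an added example, not code from this thread, from nginx or from Cherokee. It builds a minimal TLS 1.2 ClientHello in memory (constructed sample input, no network) and parses the server_name extension back out; a ClientHello without the extension, as an SNI-unaware client would send, yields `None`, which is the case where a server has nothing to go on and must fall back to its default certificate for that address.

```python
"""Extract the SNI host name from a TLS ClientHello (added example).

build_client_hello() constructs the sample record; extract_sni() parses it
the way a server must before choosing which certificate to present.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16     # record content type: handshake
CLIENT_HELLO = 0x01      # handshake message type
EXT_SERVER_NAME = 0x0000 # extension type for server_name (SNI)
SNI_HOST_NAME = 0x00     # name type: host_name


def build_client_hello(host: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input).

    With host=None the extensions block is omitted entirely, which is what
    legacy clients without SNI support send.
    """
    body = b"\x03\x03"                 # client_version: TLS 1.2
    body += bytes(32)                  # random (zeros are fine for a sample)
    body += b"\x00"                    # session_id length 0
    suites = b"\xc0\x2f\x00\x9c"       # two cipher suites (sample values)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                # one compression method: null
    if host is not None:
        name = host.encode("idna")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_hdr = bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake))
    return record_hdr + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name host from a ClientHello record, or None.

    None means the client did not send SNI: the server has only the IP:port
    to go on and must present its default certificate. Raises ValueError on
    anything that is not a well-formed ClientHello.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                   # skip version and random
    sid_len = body[pos]                            # session_id
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                              # compression_methods
    if pos == len(body):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        names = data[2:2 + list_len]
        i = 0
        while i + 3 <= len(names):                 # walk the ServerNameList
            name_type = names[i]
            name_len = struct.unpack("!H", names[i + 1:i + 3])[0]
            value = names[i + 3:i + 3 + name_len]
            i += 3 + name_len
            if name_type == SNI_HOST_NAME:
                return value.decode("ascii")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("secure.example.com")))  # secure.example.com
    print(extract_sni(build_client_hello(None)))                  # None
```

The parser deliberately walks every extension rather than assuming server_name comes first, and it distinguishes "no extensions" from "extensions without server_name"; both return `None`, which is the signal a multi-certificate server uses to fall back to its default virtual host.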