cert handling on redirect of https subdomains

Reinis Rozitis r at roze.lv
Thu Sep 11 12:46:24 MSD 2008

>I think what you are trying to do is impossible. A ssl connection needs to 
>be established before the virtual host is known. To my knowledge this 
>limits you to only one certificate per IP.

Till far I also thought that you need a seperate IP for each domain/cert but 
as I am reading also Cherokee mailing list they have pulled of to make SSL 
virtualhosts ( http://www.cherokee-project.com/doc/other_goodies.html page 
bottom ) which seems a pretty nice feature (I havent tested myself yet 

As to answer how it is done there ir a snip from developers mail:
There is a TLS extension named SNI (for 'Server Name Indication') that does 
the trick:

   RFC 4680: TLS Handshake Message for Supplemental Data
   RFC 4366: Transport Layer Security (TLS) Extensions

Basically, the client sends the target host during the initial handshake so 
Cherokee can pick the right virtual server certificate in advance. In that 
way the secure connection is stabilized with the right certificate without 
having to re-handshake.

Note that both the client and the server libraries must support SNI. 
Cherokee can use two different SSL/TLS engines; in case you use OpenSSL you 
might need to either apply a patch or install the latest release. In case 
you choose to use GnuTLS everything will be fine (it has supported SNI for 
years now).

Maybe worth looking into it?


More information about the nginx mailing list