cert handling on redirect of https subdomains
Reinis Rozitis
r at roze.lv
Thu Sep 11 12:46:24 MSD 2008
>I think what you are trying to do is impossible. An SSL connection needs to
>be established before the virtual host is known. To my knowledge this
>limits you to only one certificate per IP.
So far I also thought that you need a separate IP for each domain/cert, but
as I am also reading the Cherokee mailing list, they have pulled off making SSL
virtual hosts ( http://www.cherokee-project.com/doc/other_goodies.html page
bottom ), which seems a pretty nice feature (I haven't tested it myself yet
though).
To answer how it is done, here is a snip from the developers' mail:
----------------------------------------
There is a TLS extension named SNI (for 'Server Name Indication') that does
the trick:
RFC 4680: TLS Handshake Message for Supplemental Data
RFC 4366: Transport Layer Security (TLS) Extensions
Basically, the client sends the target host during the initial handshake so
Cherokee can pick the right virtual server certificate in advance. In that
way the secure connection is stabilized with the right certificate without
having to re-handshake.
Note that both the client and the server libraries must support SNI.
Cherokee can use two different SSL/TLS engines; in case you use OpenSSL you
might need to either apply a patch or install the latest release. In case
you choose to use GnuTLS everything will be fine (it has supported SNI for
years now).
-------------------------------------------
Maybe worth looking into it?
rr
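To make the quoted explanation concrete, here is an added, self-contained Go example (not code from nginx, Cherokee or anyone on this thread). It issues one self-signed certificate per virtual host, starts a TLS listener on loopback whose GetCertificate callback picks the certificate from the hostname in the client's SNI extension, connects with a client that announces a given name, and reports which certificate the server actually presented. The hostnames (www.example.test, mail.example.test) and the fallback rule (first host wins when the client sends an unknown name or no SNI at all) are assumptions made for the demo; `InsecureSkipVerify` is set only because the certificates are throwaway self-signed ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a short-lived self-signed certificate for one hostname.
// Constructed for this example only; production hosts use CA-issued certs.
func selfSigned(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// sniServerConfig selects the certificate from the name the client sent in
// the SNI extension of its ClientHello, before any certificate goes on the
// wire. Clients that send no SNI (hello.ServerName == "") or an unknown name
// get the fallback certificate, which is what a pre-SNI client would see.
func sniServerConfig(certs map[string]tls.Certificate, fallback tls.Certificate) *tls.Config {
	return &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := certs[hello.ServerName]; ok {
				return &c, nil
			}
			return &fallback, nil
		},
	}
}

// servedCommonName runs a one-shot TLS listener on loopback, connects to it
// announcing serverName via SNI, and returns the CommonName of the leaf
// certificate the server presented during that single handshake.
func servedCommonName(cfg *tls.Config, serverName string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		conn.(*tls.Conn).Handshake() // complete the handshake, then hang up
		conn.Close()
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName:         serverName, // this is the value carried in the SNI extension
		InsecureSkipVerify: true,       // throwaway self-signed certs; never in real code
	})
	if err != nil {
		return "", err
	}
	defer client.Close()
	return client.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// runSNIDemo issues a certificate per host (first host is the fallback) and
// reports which one a client asking for serverName receives.
func runSNIDemo(hosts []string, serverName string) (string, error) {
	certs := map[string]tls.Certificate{}
	var fallback tls.Certificate
	for i, h := range hosts {
		c, err := selfSigned(h)
		if err != nil {
			return "", err
		}
		certs[h] = c
		if i == 0 {
			fallback = c
		}
	}
	return servedCommonName(sniServerConfig(certs, fallback), serverName)
}

func main() {
	hosts := []string{"www.example.test", "mail.example.test"}
	for _, name := range []string{"mail.example.test", "www.example.test", "unknown.example.test", ""} {
		cn, err := runSNIDemo(hosts, name)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("client SNI %-22q -> server presented CN %q\n", name, cn)
	}
}
```

Dialling an IP literal with an empty ServerName makes Go omit the SNI extension entirely, so the last iteration shows the situation the first reply in this thread describes: without SNI the server has only one certificate to offer per listening address. The check a practitioner would add on the server side is exactly this fallback branch, so that a hostname the map does not know about never results in a handshake failure that looks like an outage.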