OT (slightly): SSL Requirement

Eric Shubert ejs at shubes.net
Fri Aug 13 16:12:30 MST 2010


Thanks for the replies, Jason and Bryan. I particularly like Bryan's #3.

I think it's interesting that you both addressed a web (https) context. 
SSL is used with email protocols as well (imaps, pop3s), although smtps 
is deprecated and TLS is favored these days (for good reasons).

Perhaps the statement I had a problem with is just not very meaningful 
without further context.

-- 
-Eric 'shubes'

Bryan O'Neal wrote:
> Yes and no
> 
> Ok - here is the quick breakdown - Authentication and verification
> happen at the same time - For the most part the web is IP based - Thus
> if I am looking for Jack @ 129.81.56.31 and Jilly @ 129.81.56.31 you're
> going to confuse the hell out of the web server that has a cert for
> Bob.
> 
> Solution 1: L3 routers with NAT that can address a request for
> Jill.mydomain.com and point to the correct internal IP even when Jill,
> Jack, and Bob are all pointing to the same external IP
> 
> Solution 2: Use different port numbers
> 
> Solution 3: Use SNI (Server Name Indication) to have Apache check the
> name then pass to the VHost for authentication and verification.
> 
> I personally recommend solution 3 but be aware the user will require a
> "modern" browser and, in the case of a Mac, a newer OS for this to
> work.
> 
> On Fri, Aug 13, 2010 at 1:51 PM, Eric Shubert <ejs at shubes.net> wrote:
>> I don't necessarily believe everything I see, and would like to check on
>> something I read.
>>
>> Is the following statement true or false?
>>
>> "SSL requires a distinct outbound IP for every distinct certificate
>> (different domain name)."
>>
>> My understanding is that multiple hosts with distinct certificates could
>> coexist behind a NAT'd firewall on a single public address and still provide
>> SSL connections via the public address.
>>
>> Would someone who's more knowledgeable than I about this care to shed some
>> light on the subject?
>>
>> --
>> -Eric 'shubes'
