Thanks for the replies, Jason and Bryan. I particularly like Bryan's #3.

I think it's interesting that you both addressed a web (https) context. SSL is used with email protocols as well (imaps, pop3s), although smtps is deprecated and TLS is favored these days (for good reasons).

Perhaps the statement I had a problem with is just not very meaningful without further context.

--
-Eric 'shubes'

Bryan O'Neal wrote:
> Yes and no
>
> Ok - here is the quick breakdown - Authentication and verification
> happen at the same time - For the most part the web is IP based - Thus
> if I am looking for Jack @ 129.81.56.31 and Jilly @ 129.81.56.31 you're
> going to confuse the hell out of the web server that has a cert for
> Bob.
>
> Solution 1: L3 routers with NAT that can address a request for
> Jill.mydomain.com and point to the correct internal IP even when Jill,
> Jack, and Bob are all pointing to the same external IP
>
> Solution 2: Use different port numbers
>
> Solution 3: Use SNI (Server Name Indications) to have Apache check the
> name then pass to the VHost for authentication and verification.
>
> I personally recommend solution 3 but be aware the user will require a
> "modern" browser and, in the case of a Mac, a newer OS for this to
> work.
>
> On Fri, Aug 13, 2010 at 1:51 PM, Eric Shubert wrote:
>> I don't necessarily believe everything I see, and would like to check on
>> something I read.
>>
>> Is the following statement true or false?
>>
>> "SSL requires a distinct outbound IP for every distinct certificate
>> (different domain name)."
>>
>> My understanding is that multiple hosts with distinct certificates could
>> coexist behind a NAT'd firewall on a single public address and still provide
>> SSL connections via the public address.
>>
>> Would someone who's more knowledgeable than I about this care to shed some
>> light on the subject?
>>
>> --
>> -Eric 'shubes'
>>

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss