I have never heard so much various misinformation in my life!<br><br><div class="gmail_quote">On Fri, Aug 13, 2010 at 9:49 PM, Eric Shubert <span dir="ltr">&lt;<a href="mailto:ejs@shubes.net">ejs@shubes.net</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Thanks Russ. You&#39;re once again a great sanity check. :)<br><font color="#888888">
-- <br>
-Eric &#39;shubes&#39;</font><div><div></div><div class="h5"><br>
<br>
R P Herrold wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Fri, 13 Aug 2010, Eric Shubert wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I don&#39;t necessarily believe everything I see, and would like to check on something I read.<br>
<br>
Is the following statement true or false?<br>
<br>
&quot;SSL requires a distinct outbound IP for every distinct certificate<br>
(different domain name).&quot;<br>
</blockquote>
<br>
Clearly technically not true, but not in the way you probably expect -- One can have a SSL certificate for the purposes of securing web content, and a separate one for the purpose of securing email transfer -- check the headers of this piece, whch use a StartSSL [highly recommended] certificate for opportunistic SSL layer transport of content<br>

<br>
If you had added the qualifier &#39;for a given protocol (TCP) and port (443) pair&#39;, it would be true in the usual case, absent heroic and non-customary approaches<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
My understanding is that multiple hosts with distinct certificates could coexist behind a NAT&#39;d firewall on a single public address and still provide SSL connections via the public address.<br>
<br>
Would someone who&#39;s more knowledgeable than I about this care to shed some light on the subject?<br>
</blockquote>
<br>
I assume web connection here.  I put to one side a &#39;wildcard&#39; certificate where several boxes all offer a connection secured by a single credential.  TLS/SSL protected email to multiple clients using differing certificates, as the negotitaion occurs &#39;late enough&#39; that one could &#39;hand off&#39; a connection, perhaps, to a second unit inside a load balancer, to complete the SSL/TLS connection setup.<br>

<br>
The flaw with a webbish (port 443) delivery in your setup is based on when in the request the secured connection is set up<br>
<br>
The negotiation and establishment of the SSL tunnel occurs BEFORE any hostname part (indeed, any part) of the URL is transmitted.  How would the NAT device know which credential to offer?  How can the remote end verify that an offered certificate is not on a recovation list at the CA?<br>

<br>
If a connection were established to point A on the outside, with a 301, 302 type redirector to  a &#39;new&#39; URL &#39;inside&#39; it might be doable as a new secured connection setup can occur, and if there is low volume and a unique client IP at the far end, but this cannot be counted upon ...<br>

<br>
I see a suggestion tht a Level 3 router can sniff the request and do internal direction.  I am aware of no such mechanism to do this only up to L3 of the stack in a web session.  The needed session credentials are not yet knowable at the time of the negotiation ond DH key exchange of the session encryption key.  Once that session is set up, there is not a mechanism for a &#39;handoff&#39; of a running session, for that is the essence of a Man in the Middle attack<br>

<br>
-- Russ herrold<br>
</blockquote>
<br>
<br>
</div></div></blockquote></div><br>I setup SSL Certificates in NAT environments all the time.<br><br>Various solutions are available:<br><br>1) Apache2 Name Based Virtuals<br>2) /etc/hosts file utilization on the server<br>
3) split DNS for IP based virtuals<br><br>It&#39;s not called Network Address Translation for nothing!  <br><br>This is very simple (you are thinking about this triangulated authentication from a one sided point of view):<br>
<br><b>If the IP ADDRESS matches the SSL CERT, DNS name and certificate called from the browser to Apache2,  the content will be trusted.  It&#39;s just that simple.</b><br><br>Reference:  <a href="http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch20_:_The_Apache_Web_Server">http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch20_:_The_Apache_Web_Server</a><br clear="all">
<br>-- <br>Office: (602)239-3392<br>AT&amp;T: (503)754-4452 <br><a href="http://it-clowns.com/wiki/index.php?title=Obnosis" target="_blank">http://it-clowns.com</a><br>&quot;Faith is, at one and the same time, absolutely necessary and altogether impossible.
&quot;<br>--Stanislav Lem<br><br><br><br><br><br><br><br><br><br><br><br><br><br>