OT (slightly): SSL Requirement

Bryan O'Neal Bryan.ONeal at TheONealAndAssociates.com
Fri Aug 13 15:38:41 MST 2010


Yes and no

Ok - here is the quick breakdown - Authentication and verification
happen at the same time - For the most part the web is IP based - Thus
if I am looking for Jack @ 129.81.56.31 and Jilly @ 129.81.56.31 you're
going to confuse the hell out of the web server that has a cert for
Bob.

Solution 1: L3 routers with NAT that can address a request for
Jill.mydomain.com and point to the correct internal IP even when Jill,
Jack, and Bob are all pointing to the same external IP

Solution 2: Use different port numbers

Solution 3: Use SNI (Server Name Indication) to have Apache check the
name then pass to the VHost for authentication and verification.

I personally recommend solution 3 but be aware the user will require a
"modern" browser and, in the case of a Mac, a newer OS for this to
work.

On Fri, Aug 13, 2010 at 1:51 PM, Eric Shubert <ejs at shubes.net> wrote:
> I don't necessarily believe everything I see, and would like to check on
> something I read.
>
> Is the following statement true or false?
>
> "SSL requires a distinct outbound IP for every distinct certificate
> (different domain name)."
>
> My understanding is that multiple hosts with distinct certificates could
> coexist behind a NAT'd firewall on a single public address and still provide
> SSL connections via the public address.
>
> Would someone who's more knowledgeable than I about this care to shed some
> light on the subject?
>
> --
> -Eric 'shubes'
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
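Added example, not part of either message above: a minimal TLS ClientHello with the server_name (SNI) extension built and parsed in Python, plus the name-to-vhost selection step that lets one IP serve Jill, Jack and Bob with distinct certificates. The hostnames, certificate file names and the zeroed random are constructed sample values; a client that sends no SNI (the "older browser" case) falls back to the default vhost's certificate.

```python
import struct
# Added example (not from the thread): a minimal TLS ClientHello carrying the
# server_name extension (SNI, RFC 6066), and the parse an SNI-aware server does
# to choose a certificate before the handshake commits to one.
SNI_EXT = 0x0000

def build_client_hello(hostname=None):
    """Constructed ClientHello record; hostname=None mimics a pre-SNI client."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        server_name = b"\x00" + struct.pack("!H", len(name)) + name  # type host_name
        sni_data = struct.pack("!H", len(server_name)) + server_name
        exts = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    body = (b"\x03\x03" + bytes(32)              # version TLS 1.2, zero random (sample)
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00")                        # null compression only
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record):
    """Return the SNI host_name, or None if the client sent none (or garbage)."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 9 + 2 + 32                            # record+handshake hdrs, version, random
        p += 1 + record[p]                        # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
        p += 1 + record[p]                        # compression_methods
        if p >= len(record):
            return None                           # no extensions block at all
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == SNI_EXT and record[p + 2] == 0x00:  # skip list len, host_name
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def select_vhost(record, vhosts, default):
    # Name-based selection on a single IP: no SNI means the default vhost's cert.
    name = extract_sni(record)
    return vhosts.get(name.lower(), default) if name else default
```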