FR: Modify DA to accept multiple SSL certs per IP

interfasys (Verified User, joined Oct 31, 2003, 2,099 messages, Switzerland)
Apache is ready, most browsers are, the only missing thing is DA.
Right now, we have to add the certs to the virtualhost via scripts, plugins or manually, but it would be great if DA could lose the restriction and allow us to add as many certs as we want per IP.
 

scsi (Verified User, joined Aug 19, 2008, 4,695 messages)
You can't add more than one SSL cert per IP address? Who told you this was possible?
 

nobaloney (NoBaloney Internet Svcs - In Memoriam †, joined Jun 16, 2003, 26,119 messages, California)
Apache is ready,
Please post a reference.

Everything I've read says that the limitation is in the process:

When you're using multiple domains per IP# you can't tell which Certificate to use to decrypt the packets until you know the domain name, and you can't tell the domain name to use until you've decrypted the first packet.

If some magician (quotationspage.com) has figured out how to do this, please let us know and I'll investigate further.

Jeff
 

interfasys (Verified User, joined Oct 31, 2003, 2,099 messages, Switzerland)
There is no magic to it; there are at least 2 ways, both based on "Server Name Indication", described in RFC 4366.
Right now, you simply add the certificate to your virtualhost and it works with these browsers:
Mozilla Firefox 2.0 or later
Opera 8.0 or later (the TLS 1.1 protocol must be enabled)
Internet Explorer 7 (Vista or higher, not XP) or later
Google Chrome (Vista or higher, not XP. OS X 10.5.7 or higher on Chrome 5.0.342.1 or newer)
Safari 3.2.1 and newer on Mac OS X 10.5.6 and Windows Vista or higher, not XP
Any Apple iDevice running iOS 4 has support for TLS server name indication.
Source: Wikipedia

As you can probably see from that list, it's not 100% compatible, since it doesn't work for IE on XP.
Since XP is still the most widely used OS (over 50% market share worldwide), that won't work for eCommerce, but if you need to secure an area of a site for a specific audience, it works fine.
 

nobaloney (NoBaloney Internet Svcs - In Memoriam †, joined Jun 16, 2003, 26,119 messages, California)
You didn't give me a wikipedia link so there's nothing for me to look at that I might be able to understand; I simply don't have time to study the RFC; I can't understand it at first glance.

I did find this (apache.org); it's part of the documentation for Apache version 2.x, and it says it can't be done.

Please give me the wikipedia link.

Jeff
 

nobaloney (NoBaloney Internet Svcs - In Memoriam †, joined Jun 16, 2003, 26,119 messages, California)
Thanks for the link. I've read it thoroughly, and I'm stopped from considering this as a reasonable solution by this (wikipedia.org).

Forgive me for writing what you may already know, but I'd like this thread to be informative even for those who aren't familiar with the feature and the issues.

The Wikipedia page says:
Most of the experiments are unsatisfactory and impractical. For example, it is possible to use subjectAltName to contain multiple domains in a single certificate, but as this is one certificate, this means all the domains must be owned and controlled by one person, and the certificate has to be re-issued every time the list of domains changes.

This appears to be quite limiting, as shown in the above quote.

I did know about the subjectAltName field, but I didn't realize that's what you were writing about. We currently offer a low-priced Certificate with a subjectAltName field, but the limitation is that the alternate name can only be the domain name without www if the main name is with the www.

To do what you're asking, you'd need a subjectAltName field with multiple domain names.

I've just spoken to my GlobalSign rep; he explains that the feature is only available for the more expensive Organization Validated and EV Certificates, and will cost over US$100 per added domain name after the first. Also, as above, all domains must be owned by the same entity. And each time a domain is added or subtracted the entire Certificate must be reissued. Additionally, if one domain must be revoked the entire Certificate must be revoked.

Can you live with those limitations? Is the feature still of interest?

Jeff
 

interfasys (Verified User, joined Oct 31, 2003, 2,099 messages, Switzerland)
Jeff,
You read the comment wrong, but I agree that it can be misleading. That paragraph is about the journey and those experiments were run to try and define which method was best to use. SNI is the solution.
subjectAltName only works for one organisation that wants to add multiple certs to one IP hosting multiple of its own domains. It's not made for shared hosting.
With SNI, you simply add the certs to a vhost and it works, nothing else to do, except if you want to play with some extra settings.
Cheers,
Olivier

Edit:
Oh and you can buy certs today that do wildcards, multiple domains and EV for $75 a year...
 

nobaloney (NoBaloney Internet Svcs - In Memoriam †, joined Jun 16, 2003, 26,119 messages, California)
SNI was barely mentioned in that article. The one link to why not to use it is no longer live.

Do you know what steps have to be taken on the server to support it?

What?

Just allowing the certificate to be installed? Or something else?

Jeff
 

interfasys (Verified User, joined Oct 31, 2003, 2,099 messages, Switzerland)
There is nothing to do on the server side if you use custombuild to build Apache. It also works on nginx if you use that.
 

nobaloney (NoBaloney Internet Svcs - In Memoriam †, joined Jun 16, 2003, 26,119 messages, California)
Then what do you mean by your thread subject: Modify DA to accept multiple SSL certs per IP? Do you simply mean allow Cert Creation through the control panel even if the IP# isn't owned?

Jeff
 

interfasys (Verified User, joined Oct 31, 2003, 2,099 messages, Switzerland)
I mean change the application logic, so that not owning the IP isn't a restriction anymore.
A warning should be displayed to let people know that it's fine to protect the user's administrative area of a blog or website, but it shouldn't be used for ecommerce.
The rest of the page would be like the one we use now, you can install your own cert or generate one (why with free certs being offered nowadays ;)).
 

nobaloney (NoBaloney Internet Svcs - In Memoriam †, joined Jun 16, 2003, 26,119 messages, California)
Thanks for your continued help on me understanding this. Do we know yet if it works on any mobile browsers; I know at least two people who have given up their computers for their phones. I wouldn't, but it appears to be the wave of the future.

And, what will happen if someone visits a so-enabled site with IE on XP?

Thanks again.

Jeff
 

interfasys (Verified User, joined Oct 31, 2003, 2,099 messages, Switzerland)
Good point about mobiles :)
Doesn't work on all current BlackBerrys because the browser is ancient; I will need to do some tests on other platforms, but I think it will work since they're all based on WebKit.
Opera Mini doesn't complain about anything :S

What happens is that the IP's default cert is used instead of the one that was put in place for the domain.
So the user gets a domain mismatch error.
 

DirectAdmin Support (Administrator, Staff member, joined Feb 27, 2003, 9,070 messages)
Hello,

The restrictions are easy enough to remove.

My only concern is that the whole point of us adding them was to remove confusion when Users complained about why their certs didn't work on a shared IP.

There are cases where SNI won't be included, e.g. an older Apache version, or a system with OpenSSL older than 0.9.8f, and cases we cannot control: older browsers, etc.

What I can do then is add a directadmin.conf option, like:
enable_ssl_sni=0

by default, then to allow it (if you meet all the requirements, and don't care about clients with old browsers), set it to 1.

After enough testing, setting it to 1 by default can be considered.

Added to the versions system.

John
 

mariovisie (New member, joined Jun 16, 2016, 1 message)
Ui

Hello, an old post, but now that more and more sites are using SSL it would be great to get this option in the UI of DA itself and not as an option in the conf. Thank you
 