FR: Modify DA to accept multiple SSL certs per IP

interfasys

Verified User
Joined
Oct 31, 2003
Messages
2,100
Location
Switzerland
Apache is ready, most browsers are, the only missing thing is DA.
Right now, we have to add the certs to the virtualhost via scripts, plugins or manually, but it would be great if DA could lose the restriction and allow us to add as many certs as we want per IP.
 
You can't add more than one SSL cert per IP address? Who told you this was possible?
 
Apache is ready,
Please post a reference.

Everything I've read says that the limitation is in the process:

When you're using multiple domains per IP# you can't tell which Certificate to use to decrypt the packets until you know the domain name, and you can't tell the domain name to use until you've decrypted the first packet.

If some magician (quotationspage.com) has figured out how to do this, please let us know and I'll investigate further.

Jeff
 
There is no magic to it, there are at least 2 ways, both based on "Server Name Indication" described in RFC4366
Right now, you simply add the certificate to your virtualhost and it works with these browsers:
Mozilla Firefox 2.0 or later
Opera 8.0 or later (the TLS 1.1 protocol must be enabled)
Internet Explorer 7 (Vista or higher, not XP) or later
Google Chrome (Vista or higher, not XP. OS X 10.5.7 or higher on Chrome 5.0.342.1 or newer)
Safari 3.2.1 and newer on Mac OS X 10.5.6 and Windows Vista or higher, not XP
Any Apple iDevice running iOS4 has support for TLS server name indication.
Source Wikipedia

As you can probably see from that list, it's not 100% compatible since it doesn't work for IE on XP.
Since XP is still the most widely used OS (over 50% market share worldwide), that won't work for eCommerce, but if you need to secure an area of a site for a specific audience, it works fine.
 
You didn't give me a Wikipedia link so there's nothing for me to look at that I might be able to understand; I simply don't have time to study the RFC; I can't understand it at first glance.

I did find this (apache.org); it's part of the documentation for Apache version 2.x, and it says it can't be done.

Please give me the Wikipedia link.

Jeff
 
Thanks for the link. I've read it thoroughly, and I'm stopped from considering this as a reasonable solution by this (wikipedia.org).

Forgive me for writing what you may already know, but I'd like this thread to be informative even for those who aren't familiar with the feature and the issues.

The Wikipedia page says:
Most of the experiments are unsatisfactory and impractical. For example, it is possible to use subjectAltName to contain multiple domains in a single certificate, but as this is one certificate, this means all the domains must be owned and controlled by one person, and the certificate has to be re-issued every time the list of domains changes.

This appears to be quite limiting, as shown in the above quote.

I did know about the subjectAltName field but I didn't realize that's what you were writing about. We currently offer a low priced Certificate with a subjectAltName field, but the limitation is that the alternate name can only be the domain name without www if the main name is with the www.

To do what you're asking, you'd need a subjectAltName field with multiple domain names.

I've just spoken to my GlobalSign rep; he explains that the feature is only available for the more expensive Organization validated and EV Certificates, and will cost over us$100 per added domain name after the first. Also, as above, all domains must be owned by the same entity. And each time a domain is added or subtracted the entire Certificate must be reissued. Additionally, if one domain must be revoked the entire Certificate must be revoked.

Can you live with those limitations? Is the feature still of interest?

Jeff
 
Jeff,
You read the comment wrong, but I agree that it can be misleading. That paragraph is about the journey and those experiments were run to try and define which method was best to use. SNI is the solution.
subjectAltName only works for one organisation that wants to add multiple certs to one IP hosting multiple of its own domains. It's not made for shared hosting.
With SNI, you simply add the certs to a vhost and it works, nothing else to do, except if you want to play with some extra settings.
Cheers,
Olivier

Edit:
Oh and you can buy certs today that do wildcards, multiple domains and EV for $75 a year...
 
SNI was barely mentioned in that article. The one link to why not to use it is no longer live.

Do you know what steps have to be taken on the server to support it?

What?

Just allowing the certificate to be installed? Or something else?

Jeff
 
There is nothing to do on the server side if you use custombuild to build Apache. It also works on nginx if you use that.
 
Then what do you mean by your thread subject: Modify DA to accept multiple SSL certs per IP? Do you simply mean allow Cert Creation through the control panel even if the IP# isn't owned?

Jeff
 
I mean change the application logic, so that not owning the IP isn't a restriction anymore.
A warning should be displayed to let people know that it's fine to protect the user's administrative area of a blog or website, but it shouldn't be used for ecommerce.
The rest of the page would be like the one we use now, you can install your own cert or generate one (why with free certs being offered nowadays ;)).
 
Thanks for your continued help on me understanding this. Do we know yet if it works on any mobile browsers; I know at least two people who have given up their computers for their phones. I wouldn't, but it appears to be the wave of the future.

And, what will happen if someone visits a so enabled site with IE on XP?

Thanks again.

Jeff
 
Good point about mobiles :)
Doesn't work on all current Blackberrys because the browser is ancient, will need to do some tests on other platforms, but I think it will work since they're all based on Webkit.
Opera Mini doesn't complain about anything :S

What happens is that the IP's default cert is used instead of the one that was put in place for the domain.
So the user gets a domain mismatch error.
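An added illustration of the fallback just described; this is not the thread's own configuration and not what custombuild generates. Two name-based SSL vhosts share one IP; the first `<VirtualHost>` for that address is the one a non-SNI client is handed, so the domain mismatch error comes from whichever cert sits there. IP, hostnames and paths are placeholders.

```apache
# SNI needs Apache 2.2.12+ built against OpenSSL 0.9.8f+ (John's point later in the thread)
Listen 443
NameVirtualHost 192.0.2.10:443        # Apache 2.2 only; not needed on 2.4

# First vhost on this IP = the default served to clients that send no server_name
<VirtualHost 192.0.2.10:443>
    ServerName default.example.net
    SSLEngine on
    SSLCertificateFile    /path/to/default.crt
    SSLCertificateKeyFile /path/to/default.key
    # Optional hardening: refuse non-SNI clients with a 403 instead of serving
    # the wrong certificate and producing a mismatch warning
    SSLStrictSNIVHostCheck off
</VirtualHost>

# Selected only when the ClientHello carries server_name=shop.example.com
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/shop.example.com.crt
    SSLCertificateKeyFile /path/to/shop.example.com.key
</VirtualHost>
```

Set `SSLStrictSNIVHostCheck on` if a clear refusal is preferable to the mismatch error for the old-browser audience.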
 
Hello,

The restrictions are easy enough to remove.

My only concern is that the whole point of us adding them was to remove confusion when Users complained why their certs didn't work on a shared IP.

There are cases where SNI won't be included, e.g. an older Apache version, or a system with OpenSSL older than 0.9.8f, and cases we cannot control: older browsers, etc.

What I can do then is add a directadmin.conf option, like:
enable_ssl_sni=0

by default, then to allow it (if you meet all the requirements, and don't care about clients with old browsers), set it to 1.

After enough testing, setting it to 1 by default can be considered.

Added to the versions system.

John
 
UI

Hello, an old post, but now that more and more sites are using SSL it would be great to get this option in the UI of DA itself and not as an option in the conf. Thank you
 