SNI for DA access over SSL

zmippie (Verified User, joined Apr 19, 2015, 161 messages)
I'm not sure if this one has come through at the DirectAdmin development team, but I'd really love to see SNI (Server Name Identification) for DirectAdmin setups which enforce SSL to log in. Right now, the way to enforce SSL login is through the "SSL=1" directive in directadmin.conf. The problem with this is that it will only present the server certificate, which might not match the domain name you tried to log in to. A certificate-mismatch error is the result, which is far from optimal.

To work around this issue, you can redirect all SSL logins to the server domain with the "ssl_redirect_host" directive. This prevents the certificate-mismatch error from appearing, but opens up a new can of worms and doesn't make much sense to an end user ("why log into another website if I want to change something on mine?").

I've been discussing this with a few helpful forum regulars here, but it seems there is no real solution, other than having a multi-domain certificate on the server, which will turn out to be very impractical in real deployments.

So what DirectAdmin could really use is the same type of SNI implementation that is already in place in, for example, Exim or Dovecot: check the hostname in the SSL negotiation, see if a certificate for that domain exists, and if not, fall back to the server cert. This comment below the "Setting up DA with an SSL certificate" technote will then no longer hold true:

However, if they connect to https on a different host, they'll first get the ssl warning (since ssl is established before the host is passed), then they'll be redirected to the correct host, where the error would not appear (assuming you've got a valid cert setup)

The only "downside" would have been limited browser support, which was an issue when SNI was introduced, but is no longer so (I think only IE6 and a few ancient Android versions don't support SNI). It is my belief that people logging into DirectAdmin are usually a bit more tech-savvy than the type of people that still use IE6...
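The mechanism the post asks for, as an added example that is not code from the original post or from DirectAdmin: the hostname the client wants is carried in the server_name extension of the TLS ClientHello, i.e. it is on the wire before the server sends any certificate, so a server can parse it and pick a per-domain certificate, falling back to the server certificate when no SNI is present or no matching certificate exists. The certificate table, the file paths and the ClientHello bytes below are all constructed for the demo; the wildcard rule (one label only) follows RFC 6125.

```python
"""Extract the SNI hostname from a TLS ClientHello and choose a certificate.

Added example, not DirectAdmin's code. Certificate paths and the ClientHello
bytes are constructed for the demonstration.
"""
import struct
from typing import Optional

EXT_SERVER_NAME = 0   # TLS extension type for server_name (RFC 6066)
NAME_TYPE_HOST = 0    # only defined NameType: host_name

# Constructed table: hostname (or one-label wildcard) -> certificate file.
CERTS = {
    "panel.example.com": "/etc/ssl/example.com.pem",
    "*.customer.example": "/etc/ssl/wildcard.customer.example.pem",
}
SERVER_CERT = "/etc/ssl/server.pem"  # constructed path for the fallback server cert


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello record, or None if absent."""
    # TLS record header: content type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg type(1) length(3); 0x01 = ClientHello
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                      # client_version, random
    sid_len = hello[pos]; pos += 1 + sid_len          # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    cm_len = hello[pos]; pos += 1 + cm_len            # compression_methods
    if pos >= len(hello):
        return None                                   # no extensions block at all (pre-SNI client)
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        data = hello[pos:pos + ext_size]; pos += ext_size
        if ext_type != EXT_SERVER_NAME:
            continue
        # ServerNameList: list_len(2), then entries of name_type(1) name_len(2) name
        list_len = struct.unpack("!H", data[0:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == NAME_TYPE_HOST:
                return name.decode("ascii").lower()
    return None


def select_certificate(record: bytes, certs=CERTS, fallback=SERVER_CERT) -> str:
    """Pick the certificate for the SNI name in a ClientHello; fall back to the server cert."""
    host = parse_sni(record)
    if host is None:
        return fallback                 # client sent no SNI: only the server cert can be offered
    if host in certs:
        return certs[host]
    labels = host.split(".")
    if len(labels) > 2:                 # a wildcard matches exactly one leftmost label
        wildcard = "*." + ".".join(labels[1:])
        if wildcard in certs:
            return certs[wildcard]
    return fallback                     # no certificate for this name: server cert, mismatch warning follows


def build_client_hello(host: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, optionally carrying SNI (demo input)."""
    hello = b"\x03\x03" + bytes(32)     # client_version 1.2, zero random (demo only)
    hello += b"\x00"                    # empty session_id
    hello += b"\x00\x02\xc0\x2f"        # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    hello += b"\x01\x00"                # null compression only
    if host is not None:
        name = host.encode("ascii")
        entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for h in ("panel.example.com", "shop.customer.example", "unknown.example.org", None):
        rec = build_client_hello(h)
        print(f"SNI={parse_sni(rec)!r:28} -> {select_certificate(rec)}")
```

The fallback branch is where the technote's warning still applies: a client without SNI, or a name with no certificate on file, gets the server certificate and therefore the mismatch dialog, which is exactly the case the post wants reduced to the exceptions.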
 