
RE: [cobalt-developers] SSL Sharing



On Sun, 16 Apr 2000, Tony wrote:

> What does Microsoft have to do with SSL in this context?
> Raq2 doesn't have any problems sharing a Thawte cert providing
> you get the symlinks and the urls correct.

Microsoft's IE does not recognise certificates with wild cards, hence, a
certificate that works fine on Netscape (registered to *.somedomain.com) and
used on sub1.somedomain.com and sub2.somedomain.com, won't work at all in IE.

And here's a basic SSL issue:  Apache can only use one SSL certificate per IP,
since the certificate and encrypted channel must be established *prior* to
processing the actual request (which is where the virtual host negotiation
takes place via the HTTP/1.1 protocol).  So, if you have ssl.bobsdomain.com and
ssl.fredsdomain.com on the same IP, the first one listed will be the only
certificate served, generating a security warning in the browser for all
subsequent domains, since the certificate doesn't match the address.

This is basic knowledge.  For those of you thinking that you can share
certificates across domains, give it up.  While it will technically work, it won't
work correctly, and will likely scare your visitors more than give them peace
of mind.  And due to MS's large market share of the browser market, don't buy
certificates with wildcards in them, either, lest you, once again, scare your
visitors.

	--Arthur Corliss
	  Programmer/Administrator
	  Gallant Technologies (http://www.gallanttech.com/)
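
Added example, not part of the original message: a small Python model of the behaviour described above, where the server has to pick a certificate from the IP address alone and the browser then compares the certificate name with the host it asked for. The IP addresses, the `allow_wildcard` switch and all function names are assumptions made for illustration.

```python
# Constructed model of the handshake order described in the message: the
# server must present a certificate before it sees the HTTP Host header.

def name_matches(cert_name, host, allow_wildcard=True):
    """Compare one certificate name with the requested host name."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard stands in for exactly one label
    if cert_labels[0] == "*":
        # Wildcard only as the whole left-most label, never directly above
        # a top-level domain, and only if the client honours wildcards.
        same_parent = cert_labels[1:] == host_labels[1:]
        return allow_wildcard and len(cert_labels) > 2 and same_parent
    return cert_labels == host_labels


def certificate_for_ip(vhosts, ip):
    """Pick the certificate by IP alone: the first SSL vhost listed wins."""
    for vhost in vhosts:
        if vhost["ip"] == ip:
            return vhost["cert_name"]
    return None


def browser_warnings(vhosts, allow_wildcard=True):
    """Return the hosts for which the browser would warn about a mismatch."""
    warned = []
    for vhost in vhosts:
        served = certificate_for_ip(vhosts, vhost["ip"])
        if not name_matches(served, vhost["host"], allow_wildcard):
            warned.append(vhost["host"])
    return warned


# Constructed samples: host names from the message, documentation-range IPs.
SHARED_IP = [
    {"host": "ssl.bobsdomain.com", "ip": "192.0.2.10", "cert_name": "ssl.bobsdomain.com"},
    {"host": "ssl.fredsdomain.com", "ip": "192.0.2.10", "cert_name": "ssl.fredsdomain.com"},
]
WILDCARD = [
    {"host": "sub1.somedomain.com", "ip": "192.0.2.20", "cert_name": "*.somedomain.com"},
    {"host": "sub2.somedomain.com", "ip": "192.0.2.20", "cert_name": "*.somedomain.com"},
]

if __name__ == "__main__":
    print(browser_warnings(SHARED_IP))                       # second vhost warns
    print(browser_warnings(WILDCARD))                        # wildcard-aware client
    print(browser_warnings(WILDCARD, allow_wildcard=False))  # client ignoring wildcards
```

Running it against your own list of SSL virtual hosts, in the order they appear in the server configuration, shows which names would trigger a mismatch warning before any certificate is bought.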