
Re: [cobalt-users] Re: SSL certificate of server site used for all siteadminsites?



Wayne Sagar wrote:
> 
> > 3.  The main site certificate request is propagated to all
> > virtual sites that have SSL enabled but do not have their own
> > certificate request
> 
> It does?
> 
> every time I've tried to do that on a name based server I get the
> message that the cert is being used by this ip already and it will
> not take it.
> 
> Am I missing something?

You still have to follow the rules about SSL-enabling domains (unique IP
per domain). The underlying rules prevent you from enabling SSL on more
than one domain with the same IP address.

The reason for this is that the SSL handshake happens before the HTTP
headers are exchanged. The server has no way to tell which domain is
supposed to answer if an SSL request could potentially be answered by
more than one domain. So they put that limitation on. (And this isn't a
Cobalt-ism; it's the same for everyone that properly implements
name-based hosting and SSL...)

There are some discussions underway (amongst those who discuss such
things) to modify the SSL handshake protocol to include domain info, and
then name-based SSL would be possible.  ARIN and others are proponents
of making the change, since that would dramatically reduce the demand
for unique IP addresses, slowing the usage of IPv4 address space. 
Nothing is likely to happen soon, though
(http://www.apacheweek.com/issues/00-09-01 -- "No more IP addresses for
virtual hosts").

-- 
Bruce Timberlake
Technology Engineer
Sun Cobalt Server Appliances
Sun Microsystems, Inc.

E: bruce.timberlake@xxxxxxx
U: http://www.sun.com/cobalt/
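The ordering problem Bruce describes (the handshake runs before any HTTP Host header exists, so the only thing the server can key on is the IP the connection arrived on) can be seen in the bytes themselves. The following Python example is added here and is not part of the mail or of the Cobalt software: it builds a minimal TLS 1.0 ClientHello, parses it back, and models the server's certificate choice. The optional server_name extension it adds is the "domain info in the handshake" the mail anticipates, later standardized as SNI (RFC 3546); the hostnames, IPs and certificate labels in VHOSTS are constructed sample data.

```python
import struct

CONTENT_TYPE_HANDSHAKE = 0x16   # TLS record type for handshake messages
HANDSHAKE_CLIENT_HELLO = 0x01   # handshake message type ClientHello
EXT_SERVER_NAME = 0x0000        # server_name (SNI) extension id, RFC 3546

# Constructed sample: two SSL vhosts share one IP, a third has its own.
VHOSTS = [("192.0.2.10", "www.example.com", "cert-example"),
          ("192.0.2.10", "shop.example.net", "cert-shop"),
          ("192.0.2.11", "mail.example.org", "cert-mail")]


def build_client_hello(server_name=None, client_random=b"\x00" * 32):
    """Build a minimal TLS 1.0 ClientHello record (one suite, no session id).
    With server_name=None the message carries no hostname at all, which is
    the situation the mail describes; otherwise an SNI extension is added."""
    body = b"\x03\x01" + client_random + b"\x00"      # version, random, sid len 0
    suites = b"\x00\x2f"                               # TLS_RSA_WITH_AES_128_CBC_SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_TYPE_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def _parse_body(body):
    """Walk the ClientHello body; return (client_version, sni_or_None)."""
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                          # skip client random
    pos += 1 + body[pos]                               # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                               # compression_methods
    sni = None
    if pos < len(body):                                # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        if end != len(body):
            raise ValueError("extensions length mismatch")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + ext_len]; pos += ext_len
            if ext_type == EXT_SERVER_NAME and sni is None:
                list_end = 2 + struct.unpack("!H", data[:2])[0]
                p = 2
                while p + 3 <= list_end:
                    ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:                     # host_name entry
                        sni = data[p:p + nlen].decode("ascii")
                        break
                    p += nlen
    return version, sni


def parse_client_hello(record):
    """Parse a TLS record holding a ClientHello; raise ValueError on any
    framing error rather than guessing (a server must not pick a
    certificate based on a truncated or malformed hello)."""
    try:
        if record[0] != CONTENT_TYPE_HANDSHAKE:
            raise ValueError("not a handshake record")
        if len(record) != 5 + struct.unpack("!H", record[3:5])[0]:
            raise ValueError("record length mismatch")
        hs = record[5:]
        if hs[0] != HANDSHAKE_CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        body = hs[4:]
        if len(body) != int.from_bytes(hs[1:4], "big"):
            raise ValueError("handshake length mismatch")
        return _parse_body(body)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc


def select_certificate(listen_ip, sni, vhosts):
    """Model the server's choice of certificate, made before any HTTP header.
    Without SNI the only discriminator is the IP the connection arrived on,
    so two SSL vhosts on one IP are ambiguous: the rule the mail describes."""
    on_ip = [v for v in vhosts if v[0] == listen_ip]
    if not on_ip:
        raise ValueError("no SSL vhost on %s" % listen_ip)
    if sni is not None:
        for _ip, host, cert in on_ip:
            if host == sni:
                return cert
        return on_ip[0][2]                 # unknown name: the IP's default vhost
    if len(on_ip) > 1:
        raise ValueError("ambiguous: %d SSL vhosts share %s and no SNI was sent"
                         % (len(on_ip), listen_ip))
    return on_ip[0][2]


if __name__ == "__main__":
    for name in (None, "shop.example.net"):
        _version, sni = parse_client_hello(build_client_hello(name))
        try:
            print(name, "->", select_certificate("192.0.2.10", sni, VHOSTS))
        except ValueError as err:
            print(name, "->", err)
```

Run stand-alone it prints the ambiguity error for the SNI-less hello and `cert-shop` for the one carrying a server_name, which is exactly the difference between the one-IP-per-SSL-domain rule and the name-based SSL the mail says would need a handshake change.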