Help 1 IP separate SSL for each domain?

Started by IceBerg, February 28, 2005, 05:55:59 PM


IceBerg

I've been using the mail toaster for every qmail install I do, it's great. Recently I started using the SSL for pop3. I need to know how to use a different cert for each domain when they are all virtual domains on one IP. Thunderbird has a fit in a serious way if the cert doesn't match the domain.


Thanks
Bryan

LogicX

Although I couldn't find any sources to quickly check -- it should be noted that you can only have one Host per SSL Cert per IP.
This would be because the SSL Verification happens at connect time -- which is before the client would be able to request a different virtual host on the same IP.  (ala HTTP/1.1)
--- May this post be indexed by spiders, and archived for all to see as my internet epitaph.
http://fpux.com

matt

Mike is correct. You can only have one SSL certificate per IP, regardless of how many domains you have on that IP. If you want an SSL cert for each domain, then each domain must have a unique IP.

IceBerg

Why is it that Apache can have an unlimited number of SSL certs and Qmail/Vpopmail can not? The Thunderbird popups are driving me and clients crazy and there is no way we can afford 20 some IPs, they are quite expensive nowadays, especially through roadrunner.


matt

IceBerg wrote on Tue, 08 March 2005 15:40

Why is it that Apache can have an unlimited number of SSL certs and Qmail/Vpopmail can not? The Thunderbird popups are driving me and clients crazy and there is no way we can afford 20 some IPs, they are quite expensive nowadays, especially through roadrunner.



You are mistaken, my lad. There's a difference between "having" and utilizing more than one certificate per IP. While you are correct that Apache can have a (seemingly) limitless number of certs, it can only present ONE SSL cert per IP address. This is a fundamental limitation of SSL, and I highly recommend that you go RTFM. Here's a handy starting place:

http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts

IceBerg

Quote:

You are mistaken, my lad. There's a difference between "having" and utilizing more than one certificate per IP. While you are correct that Apache can have a (seemingly) limitless number of certs, it can only present ONE SSL cert per IP address. This is a fundamental limitation of SSL, and I highly recommend that you go RTFM. Here's a handy starting place:

http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts



Ok, that makes more sense then. Sorry about my misconception. Before I go off to post to the Thunderbird forum does anyone here know how to eliminate the 'cert doesn't match domain' alert? I was sure I could find something in the settings but I didn't.
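
Added example, not part of the thread and not written by any of its posters: given the single certificate a POP3-over-SSL listener presents on a shared IP, this lists which hostnames configured in mail clients would fail the name check behind the mismatch alert discussed above. The certificate dict (in the shape `ssl.SSLSocket.getpeercert()` returns) and all host names are constructed samples, and the matching is a simplified exact or left-most-wildcard comparison.

```python
# Added example: name check of one certificate against many virtual mail hosts.

def cert_names(cert):
    """Names a client compares against: dNSName SANs, else subject commonName."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or '*' standing in for the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def mismatched_hosts(cert, hosts):
    """Hosts for which a client would raise the 'cert does not match' alert."""
    names = cert_names(cert)
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]


# Constructed sample certificate: the one cert served on the shared IP.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.net")),
}
# Constructed sample: server names users typed into their mail clients.
SAMPLE_HOSTS = ["mail.example.com", "pop.example.net",
                "mail.example.org", "example.net"]

if __name__ == "__main__":
    for host in mismatched_hosts(SAMPLE_CERT, SAMPLE_HOSTS):
        print("client will warn for:", host)
```

Any host the function returns is one where the client's configured server name has to change to a name on the certificate, or the certificate has to be reissued to cover it.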