Shared SSL for Name Based VirtualHosts

#1 Sun, 08/03/2008 - 12:30
webwzrd

After extensive searching, I've not been successful locating how to set up shared SSL for name-based virtual hosts. I don't really want/need separate IPs for this.

I don't think I'm looking for help installing a (GoDaddy Turbo) certificate for the host name, but rather how to let the name-based servers use the host's certificate; such as https://host.tld/example.tld.

The reason I'm questioning this is in experimenting with the self-signed certificate that comes with VM, https://host.tld/example.tld or https://host.tld/example doesn't work. Is the solution connected to enabling virtual host preview in Apache?

Any pointers would be appreciated.

Mon, 08/04/2008 - 04:35
David.Strejc

Due to the RFC you MUST have separate IPs for separate virtualhosts. You can of course force Virtualmin to break this RFC rule.

You can set up your virtual server template so that each HTTP virtual host has its own certificate. But I don't think that Jamie and Joe would recommend it.

Mon, 08/04/2008 - 07:32 (Reply to #2)
ronald

There have been several discussions about this, and I think I recall that some sort of solution is in the works.

Tue, 08/05/2008 - 06:50 (Reply to #3)
webwzrd

> Read up about SSL certs and website cross scripting about the dangers of ill-formed ssl sharing.
>
> The fact is that it completely violates RFC and not one PCI, https://www.pcisecuritystandards.org/, place is ever going to allow shared ssl site.

Alright... no problem.

I was up until recently using the most current version of Ensim Pro and the ability to easily use a shared certificate was built right into the control panel. Ensim is by no means my hero and in this case looks like it gave me the wrong impression.

Mon, 08/04/2008 - 04:45
webwzrd

... I see
So it's not that I have missed it, looks like you are saying VM is not designed to use a shared host certificate for virtual hosts, as in https://host.tld/example.tld/.

Geeze, been doing it that way for years for a small handful of domains.

Mon, 08/04/2008 - 09:04 (Reply to #5)
Joe

> Geeze, been doing it that way for years for a small handful of domains.

OK, but we're not going to encourage folks to use SSL insecurely.

There is a protocol for dealing with name-based SSL hosts (which is implemented in the non-standard module mod_gnutls for Apache), but a large percentage of clients don't support the protocol (and those that do have only added it in the very recent past, so lots of users will be out in the cold).

This has been discussed *numerous* times in the forums. Basically, we're not going to stop you from doing it wrong...but we're not going to help either. ;-)

We do plan to add support for multi-domain certificates in the near future. But it's not the same thing you've been doing with other control panels for years...the thing you've been doing with other control panels is a bad idea and shouldn't be encouraged by anyone.

--

Check out the forum guidelines!

Mon, 08/04/2008 - 07:43
webwzrd

It seems that with other control panels, it's tied into being able to preview the website via host/domain and then to take advantage of the shared cert, you just add the "s".

Mon, 08/04/2008 - 09:19
webwzrd

Okay... didn't realize this was going to be such a controversial issue. Up until now, I didn't have a clue that using a shared certificate was such a bad idea.

I am fully committed to Virtualmin being the control panel of choice. I couldn't even begin to write down all the features that make it overwhelmingly superior to anything else I've used. I will take steps to secure the needed sites using their own cert and IP.

Thanks

Tue, 08/05/2008 - 06:34 (Reply to #8)
sgrayban

Read up about SSL certs and website cross scripting about the dangers of ill-formed ssl sharing.

The fact is that it completely violates RFC and not one PCI, https://www.pcisecuritystandards.org/, place is ever going to allow shared ssl site.

Topic locked
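
An added illustration, not part of any post in this thread: it shows why sites served as https://host.tld/<site> under one shared certificate all land in a single browser origin, which is the cross-site scripting exposure the replies allude to. The `other.tld` site, the sample URLs and all function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) triple browsers compare as the origin (RFC 6454)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])

def same_origin(a, b):
    """True when the same-origin policy puts no barrier between the two pages."""
    return origin(a) == origin(b)

def path_match(request_path, cookie_path):
    """Cookie path-match rule from RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_sent(url, cookie_host, cookie_path):
    """Would a host-only cookie with this host and Path accompany a request for url?"""
    parts = urlsplit(url)
    return (parts.hostname.lower() == cookie_host.lower()
            and path_match(parts.path or "/", cookie_path))

# Constructed sample URLs: two customers on the shared certificate, then on their own names.
SHARED_A = "https://host.tld/example.tld/login"
SHARED_B = "https://host.tld/other.tld/page"
OWN_A = "https://example.tld/login"
OWN_B = "https://other.tld/page"

def report():
    return {
        # Shared layout: one origin, so script on B's pages can reach A's documents.
        "shared_same_origin": same_origin(SHARED_A, SHARED_B),
        # Separate names (and certificates): the browser isolates the two sites.
        "own_same_origin": same_origin(OWN_A, OWN_B),
        # A cookie with Path=/example.tld is not sent to B's URLs, but Path is not
        # a security boundary (RFC 6265 section 8.5) once the origin is shared.
        "path_scoped_cookie_to_b": cookie_sent(SHARED_B, "host.tld", "/example.tld"),
        # Any site on the host can set a Path=/ cookie that reaches every other site.
        "root_cookie_to_b": cookie_sent(SHARED_B, "host.tld", "/"),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```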