[clue-tech] Multiple SSL VHosts in Apache on same port and IP

Mike Staver staver at fimble.com
Sun Mar 8 15:02:29 MDT 2009


David L. Anselmi wrote:
> Collins Richey wrote:
>> On Sun, Mar 8, 2009 at 7:57 AM, Jed S. Baer <cluemail at jbaer.cotse.net> 
>> wrote:
>>> On Sat, 07 Mar 2009 23:20:00 -0700
>>> Mike Staver wrote:
>>>
>>>> [...] Does anyone know if this is supported in recent Linux
>>>> distros?
>>
>> After reading the blog, it sounds like this is potentially a big 
>> security hole.
> 
> It sounds like it's potentially a big security hole for those who 
> already have a potentially big security hole.
> 
> To answer the original question, openssl 0.9.9 isn't out yet, but 
> mod_gnutls is.

Yeah, to me it sounded like a big hole for those who were using the same 
server to spit out Internet and Intranet based sites.  I'm not sure it 
would affect what I'd be trying to do since all my sites are internet 
facing.

All I know is that I'm more than ready for this kind of tech.  Going 
back to 2000, I've tried many different ways to hack around having 
multiple websites with certs on them.  Earlier this decade, I would just 
get one of those wild card certs and use it for load balancing. The 
issue was that when one server would go down, another would take its 
place. I had copies of all the certs and keys on each web server for 
each FQDN, and at first I couldn't figure out why only the top level 
cert was going out for all of them.  Once I learned of this problem, I 
just used the wildcard cert and the problems went away.  The minute you 
want to host different web sites with different domain names that all 
use SSL, you're sunk.

I think most hosting companies get around this with multiple IP 
addresses. I think even if you're on the same server, it will be fine as 
long as each domain name has its own dedicated IP.

-- 

                                 -Mike Staver
                                  staver at fimble.com