I believe this is a FAQ, and pretty well described on the pound website.

In short, what you're trying to do is not possible. SSL is negotiated *BEFORE* HTTP request headers are sent, at which point you cannot switch certificates.

/Eirik

On Apr 12, 2008, at 21:20, HF wrote:
Hello


I'm trying to set up a pound that can handle two domains with different certificates.
Both domains are pointing to the same IP. I want pound to answer with the correct SSL cert
depending on the HeadRequire parameter.

I.e. not getting the "This certificate belongs to domain1.com" when I visit the other one.

I get the question to enter the passphrase for both, but on the second one it always fails.
Switching the order gives the same result. Using only one cert works perfectly.

Any thoughts or solutions?


Thanks in advance
/HF


The config file I'm testing with:


ListenHTTPS
   Address 192.168.1.9
   Port    443
   Cert    "/etc/pki/tls/certs/domain1.pem"

 Service

   HeadRequire "Host: .*domain1.com.*"

   BackEnd
     Address 192.168.1.12
     Port    80
   End

   Session
     Type  IP
     TTL  300
   End
 End

End


ListenHTTPS
   Address 192.168.1.9
   Port    443
   Cert    "/etc/pki/tls/certs/domain2.pem"

 Service

   HeadRequire "Host: .*domain2.com.*"

   BackEnd
     Address 192.168.1.12
     Port    80
   End

   Session
     Type  IP
     TTL  3000
   End
 End

End
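
A check for the situation discussed in this thread, as an added example that is not part of the original messages or of Pound itself: since the certificate is fixed per listener before any Host header arrives, the script flags ListenHTTPS blocks that share an address and port but name different certificates. The parser is a simplification that handles only the directives shown in the posted config, and the sample input is constructed from that config.

```python
from collections import defaultdict

# Block openers seen in the posted config; each block is closed by "End".
OPENERS = {"listenhttp", "listenhttps", "service", "backend", "session"}

# Constructed sample: one listener modelled on the posted config, as a template.
BLOCK = '''ListenHTTPS
   Address 192.168.1.9
   Port    443
   Cert    "/etc/pki/tls/certs/{name}.pem"
   Service
      HeadRequire "Host: .*{name}.com.*"
      BackEnd
         Address 192.168.1.12
      End
   End
End
'''
SAMPLE = BLOCK.format(name="domain1") + BLOCK.format(name="domain2")

def https_listeners(text):
    """Return the top-level directives of each ListenHTTPS block."""
    listeners, stack = [], []
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key in OPENERS:
            stack.append(key)
            if key == "listenhttps":
                listeners.append({})
        elif key == "end" and stack:
            stack.pop()
        elif stack == ["listenhttps"]:
            listeners[-1][key] = value  # skips Address/Port of nested BackEnd
    return listeners

def cert_conflicts(text):
    """Map (address, port) to its certificates when more than one is named."""
    certs = defaultdict(set)
    for lst in https_listeners(text):
        certs[(lst.get("address"), lst.get("port"))].add(lst.get("cert"))
    return {sock: sorted(c) for sock, c in certs.items() if len(c) > 1}

if __name__ == "__main__":
    for (addr, port), found in cert_conflicts(SAMPLE).items():
        print(f"{addr}:{port} is bound with {len(found)} certificates: {found}")
```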



