multiple ssl certificates on one official ip address
chasm <chasm(at)gmx.de>
2008-08-13 11:05:10
Hi all,

We are using pound 2.4.2-1 on a Red Hat Enterprise Linux system.
We configured pound to balance between some similar backends, and for 
some special services pound should handle the SSL handshakes and 
redirect directly to the special backend.
All works fine.

One of our customers resells our web services to its customers. Therefore 
a subdomain on the domain of our customer was created.
For example:

serviceName.ourCustomer.com has a DNS A entry on one official IP address 
of our pound system.
Our customer also created an SSL certificate for this subdomain (we 
generated the key and CSR file on our backend system).
Pound already listens on this official IP address with an HTTPS listener 
and our own certificate.

Is there any way to tell pound to handle the SSL certificates based on 
the requested domain in the request header?
I thought about redirecting within the existing HTTPS listener to a new 
HTTPS listener with the new certificate, but redirecting could only be 
done after the HTTPS handshake, right?

Thanks a lot and have a nice day

Matthias
Germany

Re: [Pound Mailing List] multiple ssl certificates on one official ip address
Rick Blundell <rickb(at)rapidvps.com>
2008-08-13 21:48:53
chasm wrote:
> Is there any way to tell pound to handle the ssl certificates based on 
> the requested domain in the request header?

No.

http://www.apsis.ch/pound/

" Quite often we get inquiries about Pound's ability to do virtual 
hosting with HTTPS. In order to lay this matter to rest, let me say:

HTTPS does not allow virtual hosting

This is not a limitation of Pound, but of HTTPS - no Web server or proxy 
is able to do it, due to the nature of the beast.

...
"

Cheers,
Rick Blundell

Re: [Pound Mailing List] multiple ssl certificates on one official ip address
John La Rooy <johnlr(at)fitness2live.com.au>
2008-08-14 01:37:11
chasm wrote:[...]
Since it is a subdomain, a wildcard certificate.
If the domain is foo.com, then you get a wildcard cert for *.foo.com.
The one certificate will work OK for www.foo.com, bar.foo.com, 
baz.foo.com, but unfortunately it won't work for plain old foo.com.

Probably you would have a redirect, say, from http://foo.com to 
https://www.foo.com.
But users will still see a cert warning if they go to https://foo.com
[...]

Re: [Pound Mailing List] multiple ssl certificates on one official ip address
chasm <chasm(at)gmx.de>
2008-08-14 08:45:26
Rick Blundell wrote:[...]

thanks for the hint. I read this too when I first installed and set up 
pound a while ago.
But the ssl.conf file of Apache led me off track into thinking this could 
be handled...

So we have to use another official ip address for this domain.

Sorry for this noob question.


best regards
Matthias

Re: [Pound Mailing List] multiple ssl certificates on one official ip address
Michael Best <mbest(at)pendragon.org>
2008-08-14 17:42:09
chasm wrote:[...][...]

Actually there is some movement in this area. SNI allows for multiple 
SSL on a single IP. It uses TLS. It's quite new; I hadn't heard of it 
until recently. Support in IE7 (on Vista only, maybe), Opera 8, 
Firefox since 2.x.

http://en.wikipedia.org/wiki/Server_Name_Indication

-Mike
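The mechanism Mike points to, and the wildcard limits John describes above, as an added example (Python written for this archive page; it is not Pound's code and not from any poster). The server_name extension travels in the very first message of the handshake, the ClientHello, so an SNI-aware listener can pick a certificate before any key exchange happens; that answers the "only after the handshake" worry in the original question. The block builds constructed ClientHello records (random bytes, cipher suite and session id are placeholders), extracts the requested host, and selects from a hypothetical certificate table that includes a wildcard entry. Clients that send no SNI fall back to a default certificate, which is what a single-certificate listener does today; the certificate file names are invented for the example.

```python
import struct


def build_client_hello(hostname=None):
    """Construct a minimal TLS ClientHello record; a constructed sample, not a capture."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name                    # NameType host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0, len(name_list)) + name_list    # ExtensionType server_name(0)
    body = (b"\x03\x03"                            # client_version: TLS 1.2
            + b"\x11" * 32                         # random (placeholder bytes)
            + b"\x00"                              # session_id: empty
            + struct.pack("!H", 2) + b"\xc0\x2f"   # cipher_suites: one placeholder suite
            + b"\x01\x00")                         # compression_methods: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record):
    """Return the host_name in the ClientHello's SNI extension, or None if the client sent none.

    Malformed input raises ValueError so a listener can log and drop it instead of guessing.
    """
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                            # skip client_version and random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos == len(body):
            return None                                         # no extensions block: a pre-SNI client
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        if end != len(body):
            raise ValueError("bad extensions length")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0:
                continue
            q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while q + 3 <= list_end:
                ntype, nlen = struct.unpack("!BH", data[q:q + 3])
                if ntype == 0:
                    return data[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def hostname_matches(cert_name, hostname):
    """Match a certificate name against the requested host.

    A wildcard counts only as the whole left-most label and stands for exactly one
    label: *.foo.com covers www.foo.com and bar.foo.com but neither foo.com nor
    a.b.foo.com, which is why https://foo.com still warns with a *.foo.com cert.
    """
    cert_name, hostname = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    if not cert_name.startswith("*.") or "*" in cert_name[1:]:
        return False                                            # partial or inner wildcards rejected
    c_labels, h_labels = cert_name.split("."), hostname.split(".")
    return (len(c_labels) == len(h_labels) and h_labels[0] != ""
            and c_labels[1:] == h_labels[1:])


def choose_certificate(record, cert_table, default_cert):
    """Pick the certificate an SNI-aware listener would present for this ClientHello.

    cert_table maps certificate names to hypothetical bundle file names; a client
    that sends no SNI gets default_cert, as with a single-certificate listener.
    """
    sni = extract_sni(record)
    if sni is None:
        return default_cert
    for name, cert in cert_table.items():
        if hostname_matches(name, sni):
            return cert
    return default_cert


if __name__ == "__main__":
    certs = {"serviceName.ourCustomer.com": "customer.pem",     # constructed table, invented file names
             "*.foo.com": "foo-wildcard.pem"}
    for host in ("serviceName.ourCustomer.com", "bar.foo.com", "foo.com", None):
        print(host, "->", choose_certificate(build_client_hello(host), certs, "own.pem"))
```

The selection runs on the unencrypted ClientHello, so the hostname is visible to anything on the path; that is inherent to SNI and worth knowing when deciding which names share an address.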
