Multiple Certificates, 1 Web Server


Multiple Certificates, 1 Web Server

Hector Santos-3
For our web server, Wildcat! Web Server,  it loads 1 SSL certificate for
the web server.  

I have a need to allow multiple SSL certificates for the same web server.
This is not a virtual domain need.  I don't fully understand the customer
requirement, but a customer wishes to use multiple SSL certificates and
assign them to their clients to use.

So for one group, they will give them a HTTPS URL for domainX, and for
another group, they will give them another HTTP URL for DomainY,  but they
will be hitting the same IP server.

Again, I don't fully understand why they want this, but I think it's more
about aesthetics than security; not showing a central DOMAIN information for
their different group of clients.

We are using OPENSSL in our server and I am wondering if this is already
possible.

I guess the question is can I "chain" multiple SSL certificates so that
when the connection is made, it checks more than one SSL certificate?

If so, any doc/code example showing how to accomplish this would be
appreciated.

Thanks In Advance.

---
Hector
 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Multiple Certificates, 1 Web Server

Chris Fowler-2
On Mon, 2006-03-13 at 08:35 -0500, [hidden email] wrote:
>
> So for one group, they will give them a HTTPS URL for domainX, and for
> another group, they will give them another HTTP URL for DomainY,  but
> they
> will be hitting the same IP server.

sounds like a virtual domain.  If you have 2 domains hitting the same
web server is that not virtual hosting?



Re: Multiple Certificates, 1 Web Server

Hector Santos-3
On 3/13/06 8:43 AM, [hidden email] wrote to All:

> On Mon, 2006-03-13 at 08:35 -0500, [hidden email] wrote:
> >
> > So for one group, they will give them a HTTPS URL for domainX, and for
> > another group, they will give them another HTTP URL for DomainY,  but
> > they will be hitting the same IP server.
>
> sounds like a virtual domain.  If you have 2 domains hitting the same
> web server is that not virtual hosting?

I would think so. But they are using the same IP address.

Our web server, per IP,  is only reading 1 CRT and 1 KEY file that was
created for the single common name; domain used by the customer when he got
the certificate.

They have 1 web server setup.  According to them, they had multiple domains
going to the same IP NON-SSL web side.   This is purely based on having
multiple A records to the same IP address.   But now when they turned on
SSL, with one certificate, they are running into browser "domain mismatch"
conflicts. So I was asked how to resolve this.  

If they get multiple certificates, one per common name, but each going to
the same IP,  my web server is not seeing the difference.

I think the issue is me not having the technique for preparing OPENSSL to
handle it.

Can you put multiple certificates and keys into one single CRT?

I tried this, and my two test domains going to the same IP used the first
certificate/key pair in the file.

Does this make sense?  Beating a dead horse??  Customer must switch to
using virtual domains with multiple IPs?

Thanks

---
hector
 


Re: Multiple Certificates, 1 Web Server

Bernhard Fröhlich-2
[hidden email] wrote:

> On 3/13/06 8:43 AM, [hidden email] wrote to All:
>
>  
>> On Mon, 2006-03-13 at 08:35 -0500, [hidden email] wrote:
>>    
>>> So for one group, they will give them a HTTPS URL for domainX, and for
>>> another group, they will give them another HTTP URL for DomainY,  but
>>> they will be hitting the same IP server.
>>>      
>> sounds like a virtual domain.  If you have 2 domains hitting the same
>> web server is that not virtual hosting?
>>    
>
> I would think so. But they are using the same IP address.
>
> Our web server, per IP,  is only reading 1 CRT and 1 KEY file that was
> created for the single common name; domain used by the customer when he got
> the certificate.
>  
> They have 1 web server setup.  According to them, they had multiple domains
> going to the same IP NON-SSL web side.   This is purely based on having
> multiple A records to the same IP address.   But now when they turned on
> SSL, with one certificate, they are running into browser "domain mismatch"
> conflicts. So I was asked how to resolve this.  
>
> If they get multiple certificates, one per common name, but each going to
> the same IP,  my web server is not seeing the difference.
>
> I think the issue is me not having the technique for preparing OPENSSL to
> handle it.
>
> Can you put multiple certificates and keys into one single CRT?
>
> I tried this, and my two test domains going to the same IP used the first
> certificate/key pair in the file.
>
> Does this make sense?  Beating a dead horse??  Customer must switch to
> using virtual domains with multiple IPs?
>  
I don't think you can use SSL to make multiple (virtual) servers work on
one IP-Address and Port. Virtual Servers work with a HTTP 1.1 Header
field (the "Host:"-Header) whereas SSL Handshake takes place before any
HTTP headers are exchanged. So the server has no way to decide which
certificate to present during SSL handshake and the browser will
complain (and typically won't even start to send the HTTP headers) if
the server sends the wrong one.

I think it should work if you can bind the virtual servers to different
ports, though I have not tried this myself. Using different IP-Addresses
for the virtual servers should be no problem, I have done this multiple
times using IIS.
> Thanks
>
> ---
> hector
>  
Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26



Re: Multiple Certificates, 1 Web Server

Hector Santos-3
Thanks.

Pretty much confirms what I thought.  The OPENSSL API is so rich and I
haven't touched it (web server) in a while, I figured it wouldn't hurt to ask.

Beating a dead horse. :-)    Thanks again.

---
Hector

On 3/13/06 9:46 AM, Ted wrote:

> I don't think you can use SSL to make multiple (virtual) servers work on
> one IP-Address and Port. Virtual Servers work with a HTTP 1.1 Header
> field (the "Host:"-Header) whereas SSL Handshake takes place before any
> HTTP headers are exchanged. So the server has no way to decide which
> certificate to present during SSL handshake and the browser will
> complain (and typically won't even start to send the HTTP headers) if
> the server sends the wrong one.
>
> I think it should work if you can bind the virtual servers to different
> ports, though I have not tried this myself. Using different IP-Addresses
> for the virtual servers should be no problem, I have done this multiple
> times using IIS.
>
> Hope it helps.
> Ted
> ;)
 


Re: Multiple Certificates, 1 Web Server

Peter Sylvester-3
Your comments are right, but there is some evolution.

See my mail from Feb 6: the openssl library contains a patch for the TLS
servername extension (which still needs to be implemented in browsers), but at
least the following patch for apache2 (working with a current openssl snapshot)
not only supports the TLS servername extension but also a renegotiation when
the Host: is not "the default" one and you don't have a TLS extension.
The effects may be somewhat surprising.

Hello,

I have just put together a small patch for apache 2.2.0 which allows
use of the servername extension logic in the development snapshot in order
to select a different ssl context, and also to renegotiate if the vhost
indicated by Host: has a different SSL_ctx (e.g. certificate).

The patch also includes a little "const" fix due to the SSL_method change.

See  
http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch
and http://www.edelweb.fr/EdelKey/  for the background story

Have fun
Peter

[hidden email] wrote:

> Thanks.
>
> Pretty much confirms what I thought.  The OPENSSL API is so rich and I
> haven't touched it (web server) in a while, I figured it wouldn't hurt to ask.
>
> Beating a dead horse. :-)    Thanks again.
>
> ---
> Hector
>
> On 3/13/06 9:46 AM, Ted wrote:
>
>  
>> I don't think you can use SSL to make multiple (virtual) servers work on
>> one IP-Address and Port. Virtual Servers work with a HTTP 1.1 Header
>> field (the "Host:"-Header) whereas SSL Handshake takes place before any
>> HTTP headers are exchanged. So the server has no way to decide which
>> certificate to present during SSL handshake and the browser will
>> complain (and typically won't even start to send the HTTP headers) if
>> the server sends the wrong one.
>>
>> I think it should work if you can bind the virtual servers to different
>> ports, though I have not tried this myself. Using different IP-Addresses
>> for the virtual servers should be no problem, I have done this multiple
>> times using IIS.
>>
>> Hope it helps.
>> Ted
>> ;)
>>    

--
To verify the signature, see http://edelpki.edelweb.fr/ 
This lets you download the certificate of the authority;
you will also find the list of revoked certificates there.


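Peter's point above, that with the TLS servername extension the server learns the requested host name before any HTTP header is exchanged, as an added example that is not code from the thread, the Apache patch or OpenSSL: a minimal builder and parser for the ClientHello server_name extension (RFC 3546), and the per-host certificate choice it makes possible. The host names and the certificate table are constructed placeholders.

```python
import struct

# Constructed placeholder table: the host names each vhost certificate covers,
# standing in for the per-host SSL contexts a server would keep (no real certs).
CERT_TABLE = {
    "domainx.example": ["domainx.example", "www.domainx.example"],
    "domainy.example": ["domainy.example"],
}

def build_client_hello(hostname=None):
    """Minimal TLS 1.0 ClientHello; carries a server_name extension (RFC 3546) if given."""
    body = b"\x03\x01" + b"\x00" * 32           # client_version, random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
    body += b"\x01\x00"                          # null compression only
    if hostname is not None:                     # old browsers send no extension at all
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry            # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni            # extension type 0
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body     # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 22

def parse_sni(record):
    """Return the host_name from the server_name extension, or None if absent."""
    pos = 9 + 2 + 32                             # headers, client_version, random
    pos += 1 + record[pos]                       # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + record[pos]                       # compression_methods
    if pos >= len(record):
        return None                              # no extensions block at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:   # data: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def select_cert(record):
    """Choose the certificate covering the SNI host before any HTTP header is seen;
    with no SNI or no match, fall back to the first certificate in the table."""
    host = parse_sni(record)
    for cert, names in CERT_TABLE.items():
        if host in names:
            return cert
    return next(iter(CERT_TABLE))
```

The no-extension case is the one the thread hit: a client that sends no server_name always gets the first (default) certificate, hence the browser's "domain mismatch" for every other host on that IP.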

Re: Multiple Certificates, 1 Web Server

Jorey Bump
[hidden email] wrote:

> On 3/13/06 8:43 AM, [hidden email] wrote to All:
>
>> On Mon, 2006-03-13 at 08:35 -0500, [hidden email] wrote:
>>> So for one group, they will give them a HTTPS URL for domainX, and for
>>> another group, they will give them another HTTP URL for DomainY,  but
>>> they will be hitting the same IP server.
>> sounds like a virtual domain.  If you have 2 domains hitting the same
>> web server is that not virtual hosting?
>
> I would think so. But they are using the same IP address.

Yes, that's probably the most common type of virtual host. Virtual hosts
come in various flavors. Think of it this way:

If a web server can only serve resources for a single entity by binding
to a single IP:PORT, it does not support virtual hosts.

If a web server can serve resources for multiple entities by binding to
a separate IP:PORT for each entity, it supports IP-based virtual hosts.

If a web server can serve resources for multiple entities on a single
IP:PORT by varying the resources served based on the HTTP Host: header,
it supports name-based virtual hosts.

An entity is usually a host (www.example.com, www.example.net) but can
also be an IP address (192.168.1.2) or something else altogether (you
can pass any string in the Host: header, for example). It depends on the
context.

Apache supports both IP- and name-based virtual hosts.

> Our web server, per IP,  is only reading 1 CRT and 1 KEY file that was
> created for the single common name; domain used by the customer when he got
> the certificate.

That is a current limitation of SSL, one key/cert (or CN) per IP:PORT.

> They have 1 web server setup.  According to them, they had multiple domains
> going to the same IP NON-SSL web side.   This is purely based on having
> multiple A records to the same IP address.   But now when they turned on
> SSL, with one certificate, they are running into browser "domain mismatch"
> conflicts. So I was asked how to resolve this.  

You can't, until some kind of name-based SSL handshake is implemented,
or until CAs and clients support multiple domains in a certificate.

> If they get multiple certificates, one per common name, but each going to
> the same IP,  my web server is not seeing the difference.

Currently, the simplest solution is to use a separate IP for each SSL
host (CN).



Re: Multiple Certificates, 1 Web Server

Goetz Babin-Ebell
[hidden email] wrote:
> Pretty much confirms what I thought.  The OPENSSL API is so rich and I
> haven't touched it (web server) in a while, I figured it wouldn't hurt to ask.

An alternative would be one host certificate with multiple
subject alt names.

This way you can issue a certificate that is good for more than
one host name.

But does anybody know of an "official" CA that issues certificates
with more than one subject alt name ?

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many


Re: Multiple Certificates, 1 Web Server

Victor Duchovni
On Mon, Mar 13, 2006 at 09:27:49PM +0100, Goetz Babin-Ebell wrote:

> [hidden email] schrieb:
> > Pretty much confirms what I thought.  The OPENSSL API is so rich and I
> > haven't touched it (web server) in a while, I figured it wouldn't hurt to ask.
>
> An alternative would be one host certificate with multiple
> subject alt names.
>
> This way you can issue a certificate that is good for more than
> one host name.
>
> But does anybody know of an "official" CA that issues certificates
> with more than one subject alt name ?

Verisign (Issuer: C=US, O=RSA Data Security, Inc., OU=Secure
Server Certification Authority) issues certificates with up to 20
Subject Alternative Name:DNS entries.

--
        Viktor.