SSL certificates and virtual domains

Yuri Pimenov icct at nnov.stelt.ru
Sat Aug 30 03:51:23 EDT 2003


On Sat, Aug 30, 2003 at 10:26:42AM +0400, Yuri Pimenov wrote:
> On Fri, Aug 29, 2003 at 02:15:31PM -0400, Ken Murchison wrote:
> > 
> > 
> > Wil Cooley wrote:
> > 
> > >On Fri, 2003-08-29 at 08:41, Yuri Pimenov wrote:
> > >
> > >>Hello.
> > >>
> > >>I'm going to try out cyrus22 with virtual domains. For example, I have
> > >>two fqdns pointing to a single ip address. Say, imap.example1.com and
> > >>imap.example2.com. Now the problem: how to create a certificate which
> > >>will suit both domains? Of course I can set the CN of my certificate to the
> > >>ip address of my cyrus22 machine but this is very inconvenient for
> > >>users. Ideas, suggestions?
> > >
> > >
> > >You can't, in the same way that you can't host multiple SSL-protected
> > >web sites on the same IP address with the same cert.  SSL happens before
> > >the higher-level protocol is able to negotiate hostname-based services,
> > >so it can only go on IP address and return one cert per address.
> > >
> > >TLS promises to solve this problem, being negotiated
> > >in-application-protocol, but it's not entirely there yet.  And anyway,
> > >IMAP itself has no notion of hostname-based service negotiation.
> > 
> > Actually, TLS intends to solve this within TLS itself, not the 
> > application protocol.  See RFC 3546, section 3.1.
> Good news Ken. The only question is what crypto libs and/or MUAs have
> and make use of this "server_name" extension?

One more little question. Let's imagine that I have a distinct ip address
for each domain name. How can I configure cyrus22 to feed the client with a
certificate based on the ip address the client connected to? Another possible
option is the port number of the connection. Something like

tls_cert_file: /etc/ssl/certs/$ip/cyrus.cert or
tls_cert_file: /etc/ssl/certs/$port/cyrus.cert

would be very nice to have.
-- 
Yuri Pimenov
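The thread turns on the "server_name" extension from RFC 3546 section 3.1: the client names the host it wants inside the TLS ClientHello, before any certificate is sent, which is what lets one address serve one certificate per hostname. The following is an added example, not code from this thread or from Cyrus, showing where that name sits on the wire and how a server-side dispatcher would use it to pick a certificate. It builds a constructed, minimal TLS 1.0 ClientHello (the field layout follows RFC 2246 and RFC 3546; the random bytes and cipher suite are placeholders), parses the server_name extension back out of it, and maps the name to a certificate path. The hostname-to-file mapping and the `/etc/ssl/certs/...` paths are hypothetical; Cyrus's single `tls_cert_file` option, as the thread notes, offers no such per-host selection.

```python
import struct

SNI_EXT_TYPE = 0x0000      # server_name extension, RFC 3546 section 3.1
NAME_TYPE_HOST_NAME = 0    # the only NameType defined there


def build_client_hello(hostname):
    """Return a constructed TLS record holding a ClientHello.

    If hostname is None the extensions block is omitted entirely, which is
    what an SSLv3/early-TLS client that knows nothing of RFC 3546 sends.
    """
    body = (
        b"\x03\x01"              # client_version: TLS 1.0
        + b"\x11" * 32           # random: constructed placeholder bytes
        + b"\x00"                # session_id length: 0
        + b"\x00\x02\x00\x2f"    # one cipher suite (placeholder value)
        + b"\x01\x00"            # one compression method: null
    )
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerName entry: name_type, 2-byte length, host_name bytes
        entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(name)) + name
        # ServerNameList: 2-byte list length followed by the entries
        ext_data = struct.pack("!H", len(entry)) + entry
        extension = struct.pack("!HH", SNI_EXT_TYPE, len(ext_data)) + ext_data
        body += struct.pack("!H", len(extension)) + extension
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # type 22 = handshake


def extract_sni(record):
    """Return the host_name carried in the ClientHello, or None if absent.

    Every length is bounds-checked so a truncated or malformed record yields
    None rather than an exception; a real dispatcher must never trust the
    client-supplied lengths.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None                                  # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                  # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                     # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # compression_methods
    if len(body) < pos + 2:
        return None                                  # no extensions at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXT_TYPE or len(data) < 2:
            continue
        list_end = min(len(data), 2 + struct.unpack("!H", data[:2])[0])
        p = 2
        while p + 3 <= list_end:
            name_type = data[p]
            n_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            name = data[p:p + n_len]
            p += n_len
            if name_type == NAME_TYPE_HOST_NAME and len(name) == n_len:
                return name.decode("ascii", "replace")
    return None


def select_cert(sni, cert_map, default_cert):
    """Pick the certificate for the requested host; fall back for clients
    that sent no server_name or named a host we do not serve."""
    if sni is None:
        return default_cert
    return cert_map.get(sni.lower(), default_cert)


# Hypothetical per-host mapping in the spirit of the per-$ip wish above.
CERTS = {
    "imap.example1.com": "/etc/ssl/certs/example1/cyrus.cert",
    "imap.example2.com": "/etc/ssl/certs/example2/cyrus.cert",
}
DEFAULT_CERT = "/etc/ssl/certs/default/cyrus.cert"

if __name__ == "__main__":
    for host in ("imap.example1.com", "imap.example2.com", "other.example", None):
        hello = build_client_hello(host)
        print(host, "->", select_cert(extract_sni(hello), CERTS, DEFAULT_CERT))
```

Because the name travels in the ClientHello, the same lookup works whether TLS starts on a dedicated port or after an IMAP STARTTLS; the catch the thread raises is the real one, since both the server's crypto library and the user's mail client have to implement the extension before a per-host certificate can be chosen this way, and a client without it simply gets the default.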