SSL certificates and virtual domains

Yuri Pimenov icct at
Sat Aug 30 02:26:42 EDT 2003

On Fri, Aug 29, 2003 at 02:15:31PM -0400, Ken Murchison wrote:
> Wil Cooley wrote:
> >On Fri, 2003-08-29 at 08:41, Yuri Pimenov wrote:
> >
> >>Hello.
> >>
> >>Im going to try out cyrus22 with virtual domains. For example, i have to
> >>fqdns pointing to single ip address. Say, and
> >> How the problem: how to create a certificate which
> >>will suit both domains? Of course i can set CN of my certificate to the
> >>ip address of my cyrus22 machine but this is very inconvinient for
> >>users. Ideas, suggestions?
> >
> >
> >You can't, in the same way that you can't host multiple SSL-protected
> >web sites on the same IP address with the same cert.  SSL happens before
> >the higher-level protocol is able to negotiate hostname-based services,
> >so it can only go on IP address and return one cert per address.
> >
> >TLS promises to solve this problem, being negotiated
> >in-application-protocol, but it's not entirely there yet.  And anyway,
> >IMAP itself has no notion of hostname-based service negotiation.
> Actually, TLS intends to solve this within TLS itself, not the 
> application protocol.  See RFC 3546, section 3.1.
Good news Ken. The only question is what crypto libs and/or MUAs have
and make use of this "server_name" extension?
Yuri Pimenov

More information about the Info-cyrus mailing list