SSL certificates and virtual domains
Yuri Pimenov
icct at nnov.stelt.ru
Sat Aug 30 02:26:42 EDT 2003
On Fri, Aug 29, 2003 at 02:15:31PM -0400, Ken Murchison wrote:
>
>
> Wil Cooley wrote:
>
> >On Fri, 2003-08-29 at 08:41, Yuri Pimenov wrote:
> >
> >>Hello.
> >>
> >>I'm going to try out cyrus22 with virtual domains. For example, I have two
> >>FQDNs pointing to a single IP address. Say, imap.example1.com and
> >>imap.example2.com. Now the problem: how to create a certificate which
> >>will suit both domains? Of course I can set the CN of my certificate to the
> >>IP address of my cyrus22 machine, but this is very inconvenient for
> >>users. Ideas, suggestions?
> >
> >
> >You can't, in the same way that you can't host multiple SSL-protected
> >web sites on the same IP address with the same cert. SSL happens before
> >the higher-level protocol is able to negotiate hostname-based services,
> >so it can only go on IP address and return one cert per address.
> >
> >TLS promises to solve this problem, being negotiated
> >in-application-protocol, but it's not entirely there yet. And anyway,
> >IMAP itself has no notion of hostname-based service negotiation.
>
> Actually, TLS intends to solve this within TLS itself, not the
> application protocol. See RFC 3546, section 3.1.
Good news, Ken. The only question is which crypto libs and/or MUAs have
and make use of this "server_name" extension?
--
Yuri Pimenov
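Ken's pointer to RFC 3546 leaves Yuri's question open: which clients actually send the server_name extension? One way to answer it from a packet capture, as an added example that is not from this thread or from Cyrus, is to parse the TLS ClientHello record and pull out the host_name values; the ClientHello below is constructed inline rather than captured, and a client that sends no extensions block at all (as pre-RFC-3546 MUAs did) yields an empty list, which is exactly the case where the server can only fall back to one certificate per IP address.

```python
import struct

SNI_EXT = 0x0000   # server_name extension type (RFC 3546, section 3.1)
HOST_NAME = 0      # NameType host_name

def build_client_hello(hostnames):
    # Constructed sample input: minimal TLS 1.0 ClientHello (no hostnames -> no extensions block)
    body = (b"\x03\x01" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
            + b"\x01\x00")                         # one compression method (null)
    if hostnames:
        names = b"".join(struct.pack("!BH", HOST_NAME, len(h)) + h.encode("ascii")
                         for h in hostnames)
        ext = struct.pack("!HHH", SNI_EXT, len(names) + 2, len(names)) + names
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record):
    # host_name values from the server_name extension, [] if none sent; ValueError if malformed
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    end = 5 + rec_len
    if rec_len != int.from_bytes(record[6:9], "big") + 4 or len(record) < end:
        raise ValueError("truncated or inconsistent record lengths")
    p = 9 + 2 + 32                                      # skip version and random
    p += 1 + record[p]                                  # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher_suites
    p += 1 + record[p]                                  # compression_methods
    if p >= end:
        return []                                       # no extensions present
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    if ext_end > end:
        raise ValueError("extensions block overruns the record")
    names, p = [], p + 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if p + 4 + elen > ext_end:
            raise ValueError("extension overruns the extensions block")
        data, p = record[p + 4:p + 4 + elen], p + 4 + elen
        if etype != SNI_EXT:
            continue
        q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while q + 3 <= list_end:
            ntype, nlen = struct.unpack("!BH", data[q:q + 3])
            if ntype == HOST_NAME:
                names.append(data[q + 3:q + 3 + nlen].decode("ascii"))
            q += 3 + nlen
    return names
```

Feed `extract_sni` the first record of each captured IMAP-over-SSL connection and count how many come back empty to see which of your users' MUAs can be served per-hostname certificates.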