SSL certificates and virtual domains
ken at oceana.com
Fri Aug 29 14:15:31 EDT 2003
Wil Cooley wrote:
> On Fri, 2003-08-29 at 08:41, Yuri Pimenov wrote:
>>I'm going to try out cyrus22 with virtual domains. For example, I have two
>>FQDNs pointing to a single IP address. Say, imap.example1.com and
>>imap.example2.com. Now the problem: how to create a certificate which
>>will suit both domains? Of course I can set the CN of my certificate to the
>>IP address of my cyrus22 machine but this is very inconvenient for
>>users. Ideas, suggestions?
> You can't, in the same way that you can't host multiple SSL-protected
> web sites on the same IP address with the same cert. SSL happens before
> the higher-level protocol is able to negotiate hostname-based services,
> so it can only go on IP address and return one cert per address.
> TLS promises to solve this problem, being negotiated
> in-application-protocol, but it's not entirely there yet. And anyway,
> IMAP itself has no notion of hostname-based service negotiation.
Actually, TLS intends to solve this within TLS itself, not the
application protocol. See RFC 3546, section 3.1.
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp