SSL certificates and virtual domains

Ken Murchison ken at oceana.com
Fri Aug 29 14:15:31 EDT 2003



Wil Cooley wrote:

> On Fri, 2003-08-29 at 08:41, Yuri Pimenov wrote:
> 
>>Hello.
>>
>>I'm going to try out cyrus22 with virtual domains. For example, I have two
>>FQDNs pointing to a single IP address. Say, imap.example1.com and
>>imap.example2.com. Now the problem: how to create a certificate which
>>will suit both domains? Of course I can set the CN of my certificate to the
>>IP address of my cyrus22 machine but this is very inconvenient for
>>users. Ideas, suggestions?
> 
> 
> You can't, in the same way that you can't host multiple SSL-protected
> web sites on the same IP address with the same cert.  SSL happens before
> the higher-level protocol is able to negotiate hostname-based services,
> so it can only go on IP address and return one cert per address.
> 
> TLS promises to solve this problem, being negotiated
> in-application-protocol, but it's not entirely there yet.  And anyway,
> IMAP itself has no notion of hostname-based service negotiation.

Actually, TLS intends to solve this within TLS itself, not the 
application protocol.  See RFC 3546, section 3.1.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
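The mechanism Ken points at is the server_name extension of RFC 3546 section 3.1: the client puts the hostname it intends to reach into the ClientHello, so the server can choose which certificate to present before it sends its ServerHello. Because it lives inside the TLS handshake, it works the same whether TLS is started directly on port 993 or via IMAP STARTTLS. The following is an added example, not code from this thread or from Cyrus, that encodes and decodes that extension with the Python standard library and shows a server-side dispatch from hostname to certificate. The certificate file paths and the all-zero ClientHello random are constructed placeholders.

```python
"""Encode/decode the TLS server_name extension (RFC 3546 section 3.1)
and pick a certificate per hostname the way an SNI-aware server does.
Constructed example; certificate paths below are placeholders."""
import struct

SNI_EXT_TYPE = 0          # ExtensionType server_name(0)
NAME_TYPE_HOST_NAME = 0   # NameType host_name(0)


def build_sni_extension(hostname: str) -> bytes:
    """Encode a ServerNameList holding a single host_name entry."""
    name = hostname.encode("ascii")              # RFC 3546: ASCII, no trailing dot
    # ServerName = NameType(1 byte) + HostName (2-byte length + bytes)
    server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    # ServerNameList = 2-byte length + ServerName entries
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    # Extension = ExtensionType(2) + extension_data (2-byte length + data)
    return struct.pack("!HH", SNI_EXT_TYPE, len(server_name_list)) + server_name_list


def build_client_hello(hostname: str, extra_exts: bytes = b"") -> bytes:
    """Build a TLS 1.0 ClientHello handshake message (no record-layer header).
    An empty hostname yields a pre-RFC 3546 hello with no extensions block."""
    version = b"\x03\x01"
    client_random = bytes(32)                     # constructed: all zeros
    session_id = b"\x00"                          # empty session id
    cipher_suites = b"\x00\x02\x00\x2f"           # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x01\x00"                     # null compression only
    exts = extra_exts + (build_sni_extension(hostname) if hostname else b"")
    body = version + client_random + session_id + cipher_suites + compression
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    # HandshakeType client_hello(1) + 3-byte length + body
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def extract_sni(client_hello: bytes):
    """Return the host_name carried in a ClientHello, or None if absent."""
    if len(client_hello) < 4 or client_hello[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(client_hello[1:4], "big")
    body = client_hello[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip version and random
    pos += 1 + body[pos]                          # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                             # skip cipher_suites
    pos += 1 + body[pos]                          # skip compression_methods
    if pos == len(body):
        return None                               # no extensions at all
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    if end != len(body):
        raise ValueError("extensions length mismatch")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXT_TYPE:
            continue                              # skip unrelated extensions
        (list_len,) = struct.unpack("!H", data[:2])
        p, list_end = 2, 2 + list_len
        while p + 3 <= list_end:
            name_type, name_len = struct.unpack("!BH", data[p:p + 3])
            p += 3
            name = data[p:p + name_len]
            p += name_len
            if name_type == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
    return None


def select_certificate(client_hello: bytes, cert_map: dict, default: str) -> str:
    """Choose the cert to present, as a server must before sending ServerHello.
    Clients that send no server_name get the default (single-cert) behaviour."""
    host = extract_sni(client_hello)
    if host is None:
        return default
    return cert_map.get(host.lower(), default)


if __name__ == "__main__":
    certs = {                                     # constructed placeholder paths
        "imap.example1.com": "/etc/ssl/certs/imap.example1.com.pem",
        "imap.example2.com": "/etc/ssl/certs/imap.example2.com.pem",
    }
    for host in ("imap.example1.com", "imap.example2.com", ""):
        hello = build_client_hello(host)
        print(repr(host), "->", select_certificate(hello, certs, "/etc/ssl/certs/default.pem"))
```

In a real server the same dispatch is done for you by the TLS library; with Python's ssl module, for instance, `SSLContext.sni_callback` hands the decoded hostname to your code at exactly this point in the handshake. The practical caveat for the original question is that both the client library and the server must implement the extension; a client that omits it still sees only the default certificate.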





More information about the Info-cyrus mailing list