SSL certificates and virtual domains
Ken Murchison
ken at oceana.com
Fri Aug 29 14:15:31 EDT 2003
Wil Cooley wrote:
> On Fri, 2003-08-29 at 08:41, Yuri Pimenov wrote:
>
>>Hello.
>>
>>I'm going to try out cyrus22 with virtual domains. For example, I have
>>two fqdns pointing to a single ip address. Say, imap.example1.com and
>>imap.example2.com. Now the problem: how to create a certificate which
>>will suit both domains? Of course I can set the CN of my certificate to the
>>ip address of my cyrus22 machine but this is very inconvenient for
>>users. Ideas, suggestions?
>
>
> You can't, in the same way that you can't host multiple SSL-protected
> web sites on the same IP address with the same cert. SSL happens before
> the higher-level protocol is able to negotiate hostname-based services,
> so it can only go on IP address and return one cert per address.
>
> TLS promises to solve this problem, being negotiated
> in-application-protocol, but it's not entirely there yet. And anyway,
> IMAP itself has no notion of hostname-based service negotiation.
Actually, TLS intends to solve this within TLS itself, not the
application protocol. See RFC 3546, section 3.1.
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
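The mechanism Ken points to (RFC 3546, section 3.1, the server_name extension) is what lets a server on one IP address learn which virtual host the client wants before it chooses a certificate. The following is an added example, not code from this thread or from Cyrus: it encodes that extension into a minimal, constructed TLS 1.0 ClientHello record, parses it back out the way an SNI-aware server (or a passive monitor logging which names clients ask for) would, and shows the per-hostname certificate selection that the extension enables. The certificate map and host names are sample values.

```python
"""Build and parse the TLS server_name (SNI) extension of RFC 3546 section 3.1.

Added example for illustration; the record built here is a constructed sample,
not traffic captured from any real server.
"""
import struct

SNI_EXTENSION_TYPE = 0x0000   # ExtensionType server_name (RFC 3546, 3.1)
NAME_TYPE_HOST_NAME = 0x00    # NameType.host_name


def build_sni_extension(hostnames):
    """Encode a ServerNameList extension carrying the given host names."""
    entries = b""
    for name in hostnames:
        encoded = name.encode("ascii")          # HostName is ASCII per the RFC
        entries += struct.pack("!BH", NAME_TYPE_HOST_NAME, len(encoded)) + encoded
    server_name_list = struct.pack("!H", len(entries)) + entries
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def build_client_hello(hostnames, client_random=b"\x11" * 32):
    """Wrap the SNI extension in a minimal TLS 1.0 ClientHello record.

    hostnames=None omits the extensions block entirely, mimicking a client
    that predates RFC 3546 (the situation Wil describes)."""
    cipher_suites = b"\x00\x2f"                 # TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x00"                       # null compression
    body = (b"\x03\x01"                         # client_version = TLS 1.0
            + client_random
            + b"\x00"                           # session_id length 0
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + struct.pack("!B", len(compression)) + compression)
    if hostnames is not None:
        ext = build_sni_extension(hostnames)
        body += struct.pack("!H", len(ext)) + ext
    # HandshakeType client_hello (1) followed by a uint24 body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # ContentType handshake (22), version TLS 1.0, uint16 fragment length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host names from a ClientHello's server_name extension.

    Returns [] when the client sent no extensions (or no SNI), which is the
    case a server must still handle by falling back to a default certificate."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                # skip client_version and random
    pos += 1 + body[pos]                        # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                        # compression_methods
    if pos >= len(body):
        return []                               # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    names = []
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXTENSION_TYPE:
            continue
        list_end = 2 + struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= list_end:
            ntype, nlen = struct.unpack("!BH", edata[q:q + 3])
            q += 3
            if ntype == NAME_TYPE_HOST_NAME:
                names.append(edata[q:q + nlen].decode("ascii"))
            q += nlen
    return names


def select_certificate(record, cert_by_host, default_cert):
    """Pick the certificate for the virtual host named in the ClientHello.

    cert_by_host maps host name -> certificate label (sample values in the
    caller); an unknown or absent name gets the default, exactly as a
    pre-SNI server that can only serve one certificate per IP address."""
    for name in parse_sni(record):
        if name in cert_by_host:
            return cert_by_host[name]
    return default_cert


if __name__ == "__main__":
    certs = {"imap.example1.com": "cert-example1", "imap.example2.com": "cert-example2"}
    for host in (["imap.example1.com"], ["imap.example2.com"], None):
        hello = build_client_hello(host)
        print(host, "->", select_certificate(hello, certs, "cert-default"))
```

The parser stops at the extension boundaries it reads from the record rather than trusting the name lengths alone, so a truncated or malformed ClientHello yields an empty list or a ValueError instead of a name read from the wrong offset; a server keyed on SNI should treat both the same way it treats a client that sent no extension at all, by serving its default certificate.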