SSL certificates and virtual domains

Ken Murchison ken at
Fri Aug 29 14:15:31 EDT 2003

Wil Cooley wrote:

> On Fri, 2003-08-29 at 08:41, Yuri Pimenov wrote:
>>I'm going to try out cyrus22 with virtual domains. For example, I have two
>>fqdns pointing to single IP address. Say, and
>> Now the problem: how to create a certificate which
>>will suit both domains? Of course I can set CN of my certificate to the
>>IP address of my cyrus22 machine but this is very inconvenient for
>>users. Ideas, suggestions?
> You can't, in the same way that you can't host multiple SSL-protected
> web sites on the same IP address with the same cert.  SSL happens before
> the higher-level protocol is able to negotiate hostname-based services,
> so it can only go on IP address and return one cert per address.
> TLS promises to solve this problem, being negotiated
> in-application-protocol, but it's not entirely there yet.  And anyway,
> IMAP itself has no notion of hostname-based service negotiation.

Actually, TLS intends to solve this within TLS itself, not the 
application protocol.  See RFC 3546, section 3.1.

Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--
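
The mechanism the reply points to (RFC 3546, section 3.1, the `server_name` extension) puts the requested hostname in the ClientHello, in cleartext, before the server has to choose a certificate. The sketch below is an added example, not code from this thread or from Cyrus: the function names, hostnames and certificate file names are constructed placeholders.

```python
import struct

SERVER_NAME_EXT = 0   # extension type "server_name" (RFC 3546, section 3.1)
HOST_NAME_TYPE = 0    # NameType host_name

def build_client_hello_body(hostname):
    """Constructed sample: minimal ClientHello body with one server_name."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    sni = struct.pack("!H", len(entry)) + entry          # ServerNameList
    exts = struct.pack("!HH", SERVER_NAME_EXT, len(sni)) + sni
    return (b"\x03\x01" + bytes(32)      # client_version, zeroed random
            + b"\x00"                    # empty session_id
            + b"\x00\x02\x00\x2f"        # one cipher suite
            + b"\x01\x00"                # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)

def extract_server_name(body):
    """Return the host_name a ClientHello body asks for, or None."""
    pos = 2 + 32                                          # version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]     # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos + 2 > len(body):
        return None                      # client sent no extensions at all
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    if end > len(body):
        raise ValueError("extensions length exceeds message")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + ext_len > end:
            raise ValueError("truncated extension")
        if ext_type == SERVER_NAME_EXT:
            return _host_name(body[pos:pos + ext_len])
        pos += ext_len
    return None

def _host_name(data):
    pos, end = 2, 2 + struct.unpack_from("!H", data, 0)[0]
    while pos + 3 <= end <= len(data):
        name_type, name_len = struct.unpack_from("!BH", data, pos)
        pos += 3
        if name_type == HOST_NAME_TYPE and pos + name_len <= end:
            return data[pos:pos + name_len].decode("ascii").lower()
        pos += name_len
    return None

def select_cert(body, certs, default):
    """Pick the certificate for the requested name; fall back to default."""
    return certs.get(extract_server_name(body), default)
```

A client that sends no extension still gets the default certificate, so the single-certificate limitation described in the quoted message remains for such clients.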
