SSL with virtual domains on 1 IP?
Andrew Morgan
morgan at orst.edu
Mon Feb 14 14:59:43 EST 2005
On Sat, 12 Feb 2005, Uwe Menges wrote:
> Hello,
>
> I'd like to use TLS/SSL with cyrus' virtual domains, but have only one
> IP available. I'd also like not to set up two different ports.
>
> Is it possible to use different certificates for the different domains?
> If yes, how?
>
> The documentation mentions only [servicename]_tls_cert_file and
> [servicename]_tls_key_file but as already written I'd rather prefer a
> single port/service for cyrus.
>
> I'm using Debian/stable cyrus22 backport (2.2.10-1) with exim4
> (4.34-9.backports.org.1).
>
> Yours, Uwe

My understanding based on my experiences with Apache is that this is not
possible. The reason is because the SSL handshake between the client and
server is done before any other communication. The server doesn't know
which domain the client is trying to connect to, so it can't know which
certificate to present.

In Apache, you must run on different IP addresses or different ports to
use multiple certificates. I believe the same underlying reasons apply
here as well.

Andy
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
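
The point made in the reply above, as an added example that is not part of the original message: this Python script captures in memory the first message a TLS client sends when it has been given no hostname, and parses the fields a server has available at the moment it must pick a certificate. The two domain names are constructed, and no network connection is made.

```python
import ssl
import struct

# Constructed virtual domains sharing one IP and port (assumed names).
VIRTUAL_DOMAINS = [b"mail.example.org", b"mail.example.net"]

def capture_client_hello() -> bytes:
    """Return the first bytes a TLS client sends, captured in memory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # the client is given no hostname at all
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=None)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                     # client now waits for the server's reply
    return outgoing.read()

def parse_client_hello(data: bytes) -> dict:
    """Parse the TLS record and ClientHello fields the server can inspect."""
    content_type, _, record_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + record_len]
    handshake_type = body[0]
    pos = 4                      # skip handshake type (1) + length (3)
    pos += 2 + 32                # client_version + random
    pos += 1 + body[pos]         # session_id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    suites = struct.unpack(f"!{suites_len // 2}H", body[pos + 2:pos + 2 + suites_len])
    pos += 2 + suites_len
    pos += 1 + body[pos]         # compression methods
    extensions = []
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            extensions.append(ext_type)
            pos += 4 + ext_len
    return {
        "content_type": content_type,      # 22 = handshake
        "handshake_type": handshake_type,  # 1 = ClientHello
        "cipher_suites": list(suites),
        "extension_types": extensions,
        "domains_seen": [d for d in VIRTUAL_DOMAINS if d in data],
    }

if __name__ == "__main__":
    for key, value in parse_client_hello(capture_client_hello()).items():
        print(f"{key}: {value}")
```

The server's certificate goes out in its answer to this message, before any IMAP or POP3 command that could name a mailbox domain has been exchanged.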