MyFinding: Multiple SSL on One Apache Server Problems

Sunday, November 27

Main Problem:
I want to configure 2 security SSL certs on a single Apache server. At the beginning it seemed to work, but it actually has problems. When I open the second domain, it still refers to the primary digital cert. I am still looking for a solution to the problem.


Below are some of my findings:

“A few things to keep in mind: You can have multiple virtual hosts on the same server. You can have numerous name-based virtual hosts on the same IP address. You can also have numerous name-based virtual hosts and one (1) secure virtual host on the same IP. But - you cannot have multiple secure virtual hosts on the same IP. The question that so many ask: Why? The answer is: SSL works below the application layer. Name based hosts are not defined until the application layer.”

http://www.tldp.org/HOWTO/SSL-RedHat-HOWTO-4.html

“One aspect of SSL enhanced HTTP transmissions are that they are more resource intensive than the standard HTTP protocol, so a secure server cannot serve as many pages per second. For this reason it is often a good idea to minimize the information available from the secure server, especially on a high traffic Web site.”

Important
Do not use name-based virtual hosts in conjunction with a secure Web server as the SSL handshake occurs before the HTTP request identifies the appropriate name-based virtual host. Name-based virtual hosts only work with the non-secure Web server.

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-apache-virtualhosts.htm

“Note the port number following the IP address in the VirtualHost tag. You can only have one SSL enabled VirtualHost per IP address. Enter your domain's info in this format and you're done.”

http://www.incyte-studios.com/ssl.htm

DNS Issue
“This page could be summarized with the statement: don't require Apache to use DNS for any parsing of the configuration files. If Apache has to use DNS to parse the configuration files then your server may be subject to reliability problems (it might not boot), or denial and theft of service attacks (including users able to steal hits from other users).”

http://httpd.apache.org/docs/1.3/dns-caveats.html


On Friday 02 March 2001 09:53, Andreas Edler wrote:
> > is it possible to have different certificates for every virtual host on
> > apache ?
>
> yes, of course. But only with IP based virtual hosts, not with
> namebased virtual hosts.

http://lists.debian.org/debian-isp/2001/03/msg00019.html



“SSL cannot support two certificates on the same IP address and port. Use another IP address or another port.”

http://www.lists.aldigital.co.uk/apache-ssl/msg05155.html


“To run more than one Certificate Authority on the Apache web server the configuration must look something like the details below. Please note the SSLCACertificateFile lines referencing 2 different bundle files which give 2 different root authorities”

https://trustis-ssl.trustis.com/support/ssl-server/cert-install/apache_multiple_ca.html


P.S.: any suggestions?

1 comments »

  • Anonymous said:  

    I don't know what happened to the board on ur site, but this is my response to tq:


    "TQ, no, i don't i have thousands of hits, but not a lot of comments. i love this board, and i wished the 1 on my site would get filled up. bless u guys."