[Pkg-openssl-devel] Bug#557261: Bug#557261: libssl0.9.8: Updating from version k-5 to k-6 breaks client auth with stunnel4

Vladimir Volovich vvv at vsu.ru
Mon Jan 11 05:58:20 UTC 2010


"KR" == Kurt Roeckx writes:

 KR> As I understand it, it will not do the renegotiation if you do it
 KR> for the whole virtual host.

 >> but wouldn't it cause prompts for certificate for the whole virtual
 >> host? I'd like to protect (with certificate validation) only part of
 >> the site, e.g. the admin interface, leaving the rest of the site for
 >> general users. i.e. the requirement to put the certificate
 >> validation for the whole virtual host requires creating a separate
 >> website with a dedicated IP address, which is not always desirable.

 KR> I'm not sure a new IP address is required for it.

with the ordinary SSL there's indeed a problem with serving multiple
name-based SSL hosts on the same IP (and port). (Because the SSL
handshake takes place before the expected hostname is sent to the
server, the server doesn't know which certificate to present when the
connection is made. So the hosts will have to share the same SSL
certificate, which in general requires serving them on separate IPs or
ports, to avoid a certificate mismatch warning from the browser.)

but it appears that there's some new extension to TLS, called SNI,
which should allow working around this problem:
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

anyway, there's still at least the inconvenience of separating the
client-certificate-protected area into a separate virtual host (and
thus modifying DNS), but at least, it seems, there's no need to serve it
from a different IP.

Best,
v.
