Just wondering about multiple website SSL certificates

 
Post new topic   Reply to topic    Aprelium Forum Index -> SSL/Certificates
golowenow
Joined: 29 Apr 2004
Posts: 35
Location: Washington state

Posted: Thu Jul 05, 2007 5:44 am    Post subject: Just wondering about multiple website SSL certificates

I run X2 with 2 completely different websites. In other words two separate domains. Am wondering if the new version of Abyss will support multiple SSL certificates and be able to assign the appropriate certificate for the requested website? If this is not so then perhaps that would be a suggestion for the new version.
Moxxnixx
Joined: 21 Jun 2003
Posts: 1226
Location: Florida

Posted: Thu Jul 05, 2007 9:22 am

Hi golowenow,
Yes, you will be able to use multiple certificates for different domains with X2.
This feature is in the beta now.
golowenow
Joined: 29 Apr 2004
Posts: 35
Location: Washington state

Posted: Thu Jul 05, 2007 12:04 pm

Thank you very kindly for the quick response! Abyss rocks!
aprelium-beta
Joined: 24 Jun 2004
Posts: 383

Posted: Thu Jul 05, 2007 4:39 pm    Post subject: Re: Just wondering about multiple website SSL certificates

golowenow wrote:
I run X2 with 2 completely different websites. In other words two separate domains. Am wondering if the new version of Abyss will support multiple SSL certificates and be able to assign the appropriate certificate for the requested website? If this is not so then perhaps that would be a suggestion for the new version.


Unfortunately the answer is not a full "yes". It depends. Actually, there is a limitation in the SSL protocol itself: only a single certificate can be used on a given port/IP address.

So the solutions to have two SSL websites on the same computer are the following:
* Both hosts will not share the same port/IP. In other words, you can have each of them use its own port or have both of them using the same port but configure "Bind to IP" to a different IP address (assuming you have two network cards or two different routers).
* You can purchase a single certificate with two different domain names in it (some certification authorities support that feature and can generate such certificates).
* If both domain names differ slightly (for example mail.mysite.com and www.mysite.com), you can get a single certificate for *.mysite.com and use it for both of them.

Please find below the explanation of this SSL limitation which affects all web servers on the market:
* When you type https://www.mysite.com/path/to/page.html in your browser, it will contact the IP corresponding to www.mysite.com on port 443 (the default HTTPS port).
* As soon as the connection is accepted, the SSL negotiation starts: the browser will send a list of encryption systems it handles to the server, and the server will choose one of them for subsequent communications.
* Next, the server will send the SSL certificate to the browser.
* The browser will decode the certificate and validate it (by verifying some checksums).
* If everything is fine, the real HTTP dialog can start.
* The browser will send the following request (using the public key contained in the SSL certificate already exchanged):

Code:
GET /path/to/page.html HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0

Note that it's only at that stage that the Host header is sent by the browser. It's already too late for the server to change the SSL certificate.

That's why it is essential that the SSL certificate on port 443 matches www.mysite.com in that case. Otherwise, the browser will report that the domain name in the certificate received from the server is not the same as the one you tried to access.

Fortunately, things are changing, and a new version of SSL (not yet standardized) will overcome that limitation. But it is not yet supported by most browsers, so we have to wait a few years until browsers with that feature become widely available.
_________________
Beta Testing Team
Aprelium - http://www.aprelium.com
Moxxnixx
Joined: 21 Jun 2003
Posts: 1226
Location: Florida

Posted: Thu Jul 05, 2007 9:15 pm

I'm only using 1 certificate, so I wasn't aware of these limitations.
Thanks for clarifying.
JOhnMag4u
Joined: 16 Jul 2007
Posts: 7
Location: Brodheadsville, PA

Posted: Mon Jul 16, 2007 8:42 pm    Post subject: Using Multiple IPs

When you say use 2 IP addresses, do you mean 2 different local addresses or two different external addresses?
_________________
JohnMag4u.com
aprelium-beta
Joined: 24 Jun 2004
Posts: 383

Posted: Mon Jul 16, 2007 9:31 pm    Post subject: Re: Using Multiple IPs

JOhnMag4u wrote:
When you say use 2 IP addresses, do you mean 2 different local addresses or two different external addresses?


If your server is to be accessed from people outside your LAN, then you need 2 different external addresses.

If your server is to be used locally only, 2 local IP addresses are required (this is usually easy to have as you'll only have to configure your network card to have 2 IPs).
_________________
Beta Testing Team
Aprelium - http://www.aprelium.com
rrinc
Joined: 24 Feb 2006
Posts: 725
Location: Arkansas, USA

Posted: Tue Jul 17, 2007 2:59 am

Oh, so we can have several domains with hosts on the same IP and use separate certificates for each?
_________________
-Blake | New Server :D
SaveTheInternet
Soy hispanohablante. Puedes contactarme por mensajes privados.
aprelium-beta
Joined: 24 Jun 2004
Posts: 383

Posted: Tue Jul 17, 2007 10:32 pm

rrinc wrote:
Oh, so we can have several domains with hosts on the same IP and use separate certificates for each?


You cannot have several different certificates for the same IP and the same port. That's the main problem with SSL and that's what we've tried to explain in our post above.
_________________
Beta Testing Team
Aprelium - http://www.aprelium.com
JOhnMag4u
Joined: 16 Jul 2007
Posts: 7
Location: Brodheadsville, PA

Posted: Tue Jul 17, 2007 10:53 pm    Post subject: Suggestion

How difficult is it to host a secure site on a non-standard port? Can you suggest any articles or reading? Does X2 help with the process?
_________________
JohnMag4u.com
aprelium-beta
Joined: 24 Jun 2004
Posts: 383

Posted: Tue Jul 17, 2007 11:56 pm    Post subject: Re: Suggestion

JOhnMag4u wrote:
How difficult is it to host a secure site on a non-standard port? Can you suggest any articles or reading? Does X2 help with the process?


There is no difficulty. If the non-standard port is for example 4430, the URL will look like https://mysite:4430 instead of https://mysite (if you were using the default HTTPS port 443).

On the network side, you'll have to configure your router to forward that port to the computer where Abyss Web Server is running (just as you did for port 80 if you configured the server to serve HTTP sites).
_________________
Beta Testing Team
Aprelium - http://www.aprelium.com
rrinc
Joined: 24 Feb 2006
Posts: 725
Location: Arkansas, USA

Posted: Wed Jul 18, 2007 12:40 am

aprelium-beta wrote:
rrinc wrote:
Oh, so we can have several domains with hosts on the same IP and use separate certificates for each?

You cannot have several different certificates for the same IP and the same port. That's the main problem with SSL and that's what we've tried to explain in our post above.

So, I can't have 2 domains pointing to the same IP, each with its own host and SSL certificate? The two domains and hosts would be separate. Would the problem only arise if the user visited both domains?
_________________
-Blake | New Server :D
SaveTheInternet
Soy hispanohablante. Puedes contactarme por mensajes privados.
TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3719
Location: USA, GA

Posted: Wed Jul 18, 2007 12:49 am

Hello rrinc,

With SSL, the certificate must be assigned to a Host on a given port. This means that only one Host can use the default port 443 for SSL. All other Hosts will need to use a different port. The only workaround for running your hosts on the same default SSL port, is to give each Host their own IP Address. This is a limitation of OpenSSL, and not Abyss Web Server.

Kind regards, Josh
_________________
Computer Programmer & Networking Specialist

rrinc
Joined: 24 Feb 2006
Posts: 725
Location: Arkansas, USA

Posted: Wed Jul 18, 2007 2:09 am

Could this change in the future?
_________________
-Blake | New Server :D
SaveTheInternet
Soy hispanohablante. Puedes contactarme por mensajes privados.
TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3719
Location: USA, GA

Posted: Wed Jul 18, 2007 3:55 am

Yes! They already have a workaround but most browsers don't even support it yet. Aprelium is considering adding it in the future when it's more widely supported.

Note: When I say workaround, I mean that OpenSSL has that workaround.
_________________
Computer Programmer & Networking Specialist



Last edited by TRUSTAbyss on Wed Jul 18, 2007 11:21 pm; edited 1 time in total
golowenow
Joined: 29 Apr 2004
Posts: 35
Location: Washington state

Posted: Wed Jul 18, 2007 5:47 am    Post subject: workaround

Do you have a link on information about this workaround?
TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3719
Location: USA, GA

Posted: Wed Jul 18, 2007 6:28 am

No, but Aprelium could probably point you to the right website. Sorry, but I'm not sure what to search for, I just heard about it from Aprelium.
_________________
Computer Programmer & Networking Specialist

aprelium-beta
Joined: 24 Jun 2004
Posts: 383

Posted: Wed Jul 18, 2007 11:15 pm    Post subject: Re: workaround

golowenow wrote:
Do you have a link on information about this workaround?


There is no workaround. If a server is going to have virtual SSL certificates support, this support must be hard-wired inside it.

A server with that feature will not be able to work correctly with a browser that does not support it. So as explained above, we're not going to add it unless current browsers start supporting it at a wide scale.

Once again, this limitation is set by the SSL protocol and all web servers are affected by it. Please refer to http://en.wikipedia.org/wiki/Virtual_hosting for more information. For the advanced technical description of that feature, please refer to "Server Name Indication" section in http://tools.ietf.org/html/rfc4366#page-9 (this document describes the low level TLS protocol and assumes SSL/TLS internal knowledge).
_________________
Beta Testing Team
Aprelium - http://www.aprelium.com
Ian McPherson
Joined: 12 Jun 2007
Posts: 23

Posted: Tue Nov 13, 2007 8:55 am    Post subject: Multi-domain certificates

Hi,

Multi-domain SSL certificates could overcome these limitations, yes? GoDaddy offer certificates that can cover up to 100 domains, although I can't admit to being anything like that organised, as yet... :)

https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8979

Ian
aprelium
Joined: 22 Mar 2002
Posts: 6800

Posted: Tue Nov 13, 2007 4:00 pm    Post subject: Re: Multi-domain certificates

Ian McPherson wrote:

Multi-domain SSL certificates could overcome these limitations, yes?
Ian


Yes, it can. Actually, a multi-domain certificate is a single certificate which is valid for more than one host name. Being a single certificate, it does not cause any of the problems explained above.
_________________
Support Team
Aprelium - http://www.aprelium.com
Ian McPherson
Joined: 12 Jun 2007
Posts: 23

Posted: Thu Nov 15, 2007 4:27 am    Post subject: Multi domain certificates

I have never purchased one of these certificates before. Do you have to have all the domains worked out in advance, or can you add domains to the certificate over time?

Thanks,

Ian
aprelium
Joined: 22 Mar 2002
Posts: 6800

Posted: Sat Nov 17, 2007 12:49 pm    Post subject: Re: Multi domain certificates

Ian McPherson wrote:
I have never purchased one of these certificates before. Do you have to have all the domains worked out in advance, or can you add domains to the certificate over time?


It depends on the policy of the certificate signing authority. Ask them whether they could reissue updated certificates in such a case. Most of them do so if you change your details within the year or two of validity, so it's possible from a technical point of view.
_________________
Support Team
Aprelium - http://www.aprelium.com
etorvinen
Joined: 02 Jan 2005
Posts: 31

Posted: Mon Mar 03, 2008 10:23 pm

I have found http://cert.startcom.org/ they provide free ssl certs...

i did not verify that the certs work.. yet...
_________________
;@
aprelium
Joined: 22 Mar 2002
Posts: 6800

Posted: Wed Mar 19, 2008 6:33 pm

etorvinen wrote:
I have found http://cert.startcom.org/ they provide free ssl certs...


Thank you for sharing that with us.
_________________
Support Team
Aprelium - http://www.aprelium.com
etorvinen
Joined: 02 Jan 2005
Posts: 31

Posted: Tue Nov 11, 2008 6:30 am    Post subject: Need Assistance

I signed up for startcom.

I have a ssl.csr and ssl.key file.

I successfully imported the key in Abyss but can't figure out how to import the actual cert file, "ssl.csr".

As you can see, startcom provides lots of certs.
Quoted from their site.
Quote:

StartCom CA Certificates

If you want to import one or more CA certificates into your browser click on the link of the certificate in question. Make sure to edit the trust settings of each imported certificate.
In order to save the certificates for your server, select the link by right clicking on it and selecting "Save Link As..." from the menu.

StartCom Root CA (PEM encoded)
StartCom Root CA (DER encoded)
Server Certificate Bundle with CRLs (PEM encoded)

Class 1 Intermediate Server CA
Class 2 Intermediate Server CA
Class 3 Intermediate Server CA
Extended Validation Server CA


Class 1 Intermediate Client CA
Class 2 Intermediate Client CA
Class 3 Intermediate Client CA
Extended Validation Client CA


Class 2 Code Signing CA
Class 3 Code Signing CA


I guess the question is how do I combine these to fit in
Main Certificate - I believe this is the ssl.csr startcom generated for me.
Intermediate Certificate - ? In question...
CA Root Certificate - ? In question...
(in the abyss console)
_________________
;@
etorvinen
Joined: 02 Jan 2005
Posts: 31

Posted: Tue Nov 11, 2008 7:06 am

Ok figured it out...

Server Certificate Bundle with CRLs (PEM encoded) - use for CA ROOT

Combined all these in one file, then pasted it in the intermediate.
Class 1 Intermediate Server CA
Class 2 Intermediate Server CA
Class 3 Intermediate Server CA
Extended Validation Server CA
Class 1 Intermediate Client CA
Class 2 Intermediate Client CA
Class 3 Intermediate Client CA
Extended Validation Client CA
Class 2 Code Signing CA
Class 3 Code Signing CA

Main Cert - You have to login to their site and have them generate a cert from the ssl.csr file. Then use the generated certificate.
_________________
;@
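Added example, in Go, that is not from this thread and not Abyss or Aprelium code. It covers two posts: aprelium-beta's explanation above of why a port/IP could carry only one certificate before Server Name Indication, and etorvinen's last post on what goes in the Main/Intermediate/CA Root fields. It runs an in-process TLS server that picks a certificate from the SNI name (RFC 4366, via the crypto/tls GetCertificate hook), connects with and without SNI, then verifies a multi-domain (SAN) leaf with and without its issuing intermediate in the bundle. Everything in it is constructed for the example: the host names www.a.example, www.b.example, www.mysite.com and mail.mysite.com, the throw-away CAs, and the helpers issue, serveSNI, chainOK, sniDemo and chainDemo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue mints a throw-away P-256 certificate (hypothetical helper, not a
// production issuer); parent == nil means self-signed, otherwise parent signs.
func issue(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{ // nanosecond serial is unique enough for a demo
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // a CA's job is signing certificates
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// serveSNI listens on one loopback ip:port and picks the certificate from the
// server_name in the ClientHello; with no SNI it can only send deflt, because
// the Host header arrives after the handshake has finished.
func serveSNI(byName map[string]*tls.Certificate, deflt *tls.Certificate) net.Listener {
	cfg := &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if c, ok := byName[h.ServerName]; ok {
			return c, nil
		}
		return deflt, nil
	}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		panic(err)
	}
	go func() { // accept loop: finish the handshake, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln
}

// chainOK builds a path from leaf to root through the CA certs the server
// bundles; only the issuing intermediate is needed, unrelated CAs are ignored.
func chainOK(leaf, root *x509.Certificate, host string, bundle ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range bundle {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil
}

// sniDemo: two unrelated sites on one ip:port. Returns the CN the server
// presented for SNI www.a.example, SNI www.b.example, and no SNI at all.
func sniDemo() (seen [3]string) {
	certA, keyA := issue("www.a.example", []string{"www.a.example"}, false, nil, nil)
	certB, keyB := issue("www.b.example", []string{"www.b.example"}, false, nil, nil)
	tlsA := &tls.Certificate{Certificate: [][]byte{certA.Raw}, PrivateKey: keyA}
	tlsB := &tls.Certificate{Certificate: [][]byte{certB.Raw}, PrivateKey: keyB}
	ln := serveSNI(map[string]*tls.Certificate{"www.a.example": tlsA, "www.b.example": tlsB}, tlsA)
	defer ln.Close()
	// "" sends no SNI at all because the dial target is an IP literal; chain
	// verification is skipped only because these test certs are self-signed.
	for i, sni := range []string{"www.a.example", "www.b.example", ""} {
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: sni, InsecureSkipVerify: true})
		if err != nil {
			panic(err)
		}
		seen[i] = conn.ConnectionState().PeerCertificates[0].Subject.CommonName
		conn.Close()
	}
	return seen
}

// chainDemo: a multi-domain (SAN) leaf under root -> intermediate, verified for
// mail.mysite.com with and without its issuer in the bundle; an unrelated CA
// stands in for the extra intermediates pasted in the last post.
func chainDemo() (withIssuer, withoutIssuer bool) {
	root, rootKey := issue("Test Root CA", nil, true, nil, nil)
	inter, interKey := issue("Test Server CA", nil, true, root, rootKey)
	other, _ := issue("Test Client CA", nil, true, root, rootKey)
	leaf, _ := issue("www.mysite.com", []string{"www.mysite.com", "mail.mysite.com"}, false, inter, interKey)
	return chainOK(leaf, root, "mail.mysite.com", other, inter), chainOK(leaf, root, "mail.mysite.com")
}

func main() {
	with, without := chainDemo()
	fmt.Println(sniDemo(), with, without)
}
```

Running it prints the certificate CN seen for SNI www.a.example, for SNI www.b.example and for a ClientHello with no SNI, followed by the two chain results. The third connection gets the default certificate: the server has to commit to a certificate inside the handshake, and the name in the ClientHello is the only signal it has at that point, which is the whole reason the Host header in the quoted GET request comes too late. The chain half shows what the field-stuffing in the last post actually exercises: verification succeeds only when the intermediate that signed the leaf is in the bundle, while the unrelated client CA is never consulted, so only your certificate's own issuer needs to go in the Intermediate field.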
All times are GMT + 1 Hour