WebTen
> I have a number of Virtual Hosts on one IP address. If one of these
> sites needs SSL, should I set that up on a separate IP address or is
> it OK to have multiple VHs on the same IP address as is used by an
> SSL cert?

Sure.

> The WT docs say... "Named virtual hosts (hosts that share an IP
> address) must share the certificate of the common IP host. By
> default, Web Ten associates a certificate issued to an IP virtual
> host with all configured named virtual hosts that share that IP
> address."
> If one of the named VHs is "secure.domainA.com" and shares the IP
> address with "domainA.com", as well as any number of other VHs, is
> that a problem?

Well, if you want both virtual hosts to have secure pages you will
run into a problem because the certificate is associated with only
one name. So the browser will throw up a warning that the names
don't match. The https connection can still happen, but only if the
user clicks through 3 or 4 warnings that the names don't match (and
most people aren't going to do that unless they know that it's just
for test purposes or something).

If you get the certificate for "secure.domainA.com" then you can
serve securely *and* with authentication any page with that hostname.

https://secure.domainA.com
https://secure.domainA.com/test.html
https://secure.domainA.com/sub-domain/form.html
https://secure.domainA.com/other/order-now.html

Will all be served encrypted and the browser will be happy, the
certificate name will match.

https://domainA.com - you can get the secure connection *if* you
dismiss all the warnings. A check of the security stuff in the
browser will show that the certificate does not match the host/domain
name.

> Does the statement above from the docs mean that if domainB.com is
> on the same IP address as the VHost with the SSL cert, that
> domainB.com will also have SSL enabled? Would this result in errors
> if someone established a https connection to domainB.com?

Yes - the browser will squawk that the names don't match, giving
multiple dialogs that have to be dismissed to keep going.

> If any other sites need an SSL cert, I need to put them on a separate
> IP address, right? I cannot have multiple certs on one IP address?

Correct.

SSL certificates are linked to a specific hostname, but when a browser
attempts to make an SSL connection to a server, that handshaking
happens *before* the browser sends the header with a hostname, so the
initial connection has to be by IP. Therefore only one certificate
per IP number. (but other virtual hosts can be on the same IP, just
not with their own cert)
--
Stephanie J. Wright
---------------------------------------------------------------------
Tenon Intersystems 805-963-6983
1123 Chapala Street swright@xxxxxxxxx
Santa Barbara, CA 93101 http://www.tenon.com
---------------------------------------------------------------------
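
The name check described in the message above, as an added example that is not part of the original post or of WebTen: it takes the one certificate served on a shared IP and reports which named virtual hosts a browser would accept without a mismatch warning. The function names and the sample certificate are constructed for illustration, and the wildcard handling goes beyond the single-name case in the message.

```python
# Added example: audit the named virtual hosts that share one IP (and so one
# certificate) for hostname mismatches. The certificate dict uses the shape
# returned by Python's ssl.SSLSocket.getpeercert().

def cert_names(cert):
    """DNS names the certificate covers: subjectAltName entries, else commonName."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive label-by-label match; '*' may only be the whole
    left-most label and never sits directly under a top-level domain."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]          # wildcard covers exactly one label
    return p == h

def audit_shared_ip(cert, vhosts):
    """Map each virtual host name to True (browser accepts) or False (warning)."""
    names = cert_names(cert)
    return {host: any(name_matches(n, host) for n in names) for host in vhosts}

# Constructed sample: the certificate issued to secure.domainA.com and the
# virtual hosts from the thread that share its IP address.
SAMPLE_CERT = {"subject": ((("commonName", "secure.domainA.com"),),)}
VHOSTS = ["secure.domainA.com", "domainA.com", "domainB.com"]

if __name__ == "__main__":
    for host, ok in audit_shared_ip(SAMPLE_CERT, VHOSTS).items():
        print(f"https://{host:<20} {'name matches' if ok else 'NAME MISMATCH warning'}")
```
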
--------- ----------
Tenon Intersystems' webten Mailing List
Copyright©2003 Tenon Intersystems, 232 Anacapa Street, Suite 2A, Santa Barbara,
CA 93101. All rights reserved.