Hi there
I'm new to apache-ssl - in fact, SSL generally, although I've been using SSH
for some years so more-or-less understand the basics (I hope!). Having read
the last few weeks of the list archive last night I am left with a number of
questions. BTW, I'm running Linux 2.0.33, Ben's patches on apache 1.3.0
linked against SSLeay 0.8.1b (and yes, I had the same grief with the
ssl/Makefile!).
1) I chose to download SSLeay 0.8.1b rather than 0.9.x because the README
for the latter made it sound like a bit of a "rushed release". But in the
archive I read (at least) one report of problems with 0.8.x. Can I
disregard this report, and is it the case that when I generate keys and
CSRs with 0.8 (and pay Thawte to sign them!), these will be usable with
future releases of SSLeay?
2) I was amazed to read that some people are using Verisign certs with
apache-ssl. I thawte (forgive the pun, must be a pretty tired one on this
list!) that Verisign wouldn't do this? Is it the case that you have to
submit your system to some kind of testing by Verisign before they'll do
this, and if so, what do they charge for this (sic) "service"? IEv3 on the
Mac will not work with Thawte certs (so Thawte tell me) so that's an issue
for me.
3) I'm very short on IPs and can't possibly run each certificate on its
own IP. I read that it might be possible to run a number of ssl virtual
hosts on the same IP providing they use different ports. (At least, this is
what I understood by the discussion of this problem). So, does the
following (outline) config make sense?
I allocate an IP, say x.x.x.x, and give it a name:
ssl.SCL.co.uk IN A x.x.x.x (SCL is my own domain)
Then, when I have a customer with an insecure web site, say
www.customerX.co.uk (this is a NameVirtualHost running on an entirely
separate IP) and who now wants secure service, I put in a CNAME:
ssl.customerX.co.uk IN CNAME ssl.SCL.co.uk, or (equally, I would think)
ssl.customerX.co.uk IN A x.x.x.x
My httpd.conf file for apache-ssl will look like:
Port 437 (from memory, that's the standard port for httpsd
and I'll use it for ssl.SCL.co.uk)
NameVirtualHost x.x.x.x
<VirtualHost ssl.customerX.co.uk:438> (maybe not exactly these ports,
... but a different one for each customer)
</VirtualHost>
<VirtualHost ssl.customerY.co.uk:439>
...
</VirtualHost>
etc.
Is that going to work? Are there any serious drawbacks to such an approach?
4) Sounds like it's much safer (on a live server) to run with the gcache
stuff switched off?
5) I read somewhere that I can get a Thawte certificate (maybe anybody's
cert?) associated with a wildcard domain name e.g. *.SCL.co.uk. If that's
the case it surely makes sense to do it so that I can play around with the
names later on if necessary. Are there any drawbacks to doing that?
Any comments gratefully received! I'm about to splash out on three
certificates so I'd like to know I'm not about to throw $375 down the pan!
Thanks in advance
John Sutton
***************************************************
John Sutton
SCL Computer Services
URL http://www.scl.co.uk/
Tel. +44 (0) 1239 621021
***************************************************
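For readers following question 3, here is an added example (not part of the original message) of the one-port-per-SSL-host layout the poster sketches, written with Apache 1.3 `Listen` directives and the Apache-SSL certificate directives. The IP x.x.x.x is the poster's placeholder; the port numbers, DocumentRoot and certificate paths are assumed.

```apache
# Added example, not from the original post. One SSL virtual host per TCP
# port on a single IP. The SSL handshake (and so the certificate choice) is
# complete before the browser sends its Host: header, so the server can only
# select a certificate by the address:port the client connected to. Name-based
# selection does not work for SSL; a distinct port (or IP) per certificate does.
# Apache config does not allow comments after a directive, so they sit on
# their own lines.

# Standard HTTPS port for the provider's own secure host
Listen x.x.x.x:443
# One extra port per customer certificate (assumed numbers)
Listen x.x.x.x:8443
Listen x.x.x.x:8444

<VirtualHost x.x.x.x:443>
    ServerName ssl.SCL.co.uk
    DocumentRoot /home/scl/secure
    SSLEnable
    SSLCertificateFile    /etc/httpsd/certs/ssl.SCL.co.uk.crt
    SSLCertificateKeyFile /etc/httpsd/certs/ssl.SCL.co.uk.key
</VirtualHost>

# Reached as https://ssl.customerX.co.uk:8443/ - the non-standard port must
# appear in every link, which is the main drawback of this approach.
<VirtualHost x.x.x.x:8443>
    ServerName ssl.customerX.co.uk
    DocumentRoot /home/customerX/secure
    SSLEnable
    SSLCertificateFile    /etc/httpsd/certs/ssl.customerX.co.uk.crt
    SSLCertificateKeyFile /etc/httpsd/certs/ssl.customerX.co.uk.key
</VirtualHost>

<VirtualHost x.x.x.x:8444>
    ServerName ssl.customerY.co.uk
    DocumentRoot /home/customerY/secure
    SSLEnable
    SSLCertificateFile    /etc/httpsd/certs/ssl.customerY.co.uk.crt
    SSLCertificateKeyFile /etc/httpsd/certs/ssl.customerY.co.uk.key
</VirtualHost>
```

Each certificate's Common Name must match the hostname the browser connects to (ssl.customerX.co.uk, not ssl.SCL.co.uk), even though the DNS record is a CNAME to the shared address; the key files should be readable only by the user the server starts as.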