John Sutton wrote:
>
> Hi there
>
> I'm new to apache-ssl - in fact, SSL generally, although I've been using SSH
> for some years so more-or-less understand the basics (I hope!). Having read
> the last few weeks of the list archive last night I am left with a number of
> questions. BTW, I'm running Linux 2.0.33, Ben's patches on apache 1.3.0
> linked against SSLeay 0.8.1b (and yes, I had the same grief with the
> ssl/Makefile!).
>
> 1) I chose to download SSLeay 0.8.1b rather than 0.9.x because the README
> for the latter made it sound like a bit of a "rushed release". But in the
> archive I read (at least) one report of problems with 0.8.x. Can I
> disregard this report? and is it the case that when I generate keys and
> csr's with 0.8 (and pay Thawte to sign them!), these will be usable with
> future releases of SSLeay?
0.9.x is perfectly stable - I've not had any problems (apart from having
to rush around upgrading to 0.9.0a). I'm not aware of any problems with
the output of different versions - only the internal working of the
programs themselves.
>
> 2) I was amazed to read that some people are using Verisign certs with
> apache-ssl. I thawte (forgive the pun, must be a pretty tired one on this
> list!) that Verisign wouldn't do this? Is it the case that you have to
> submit your system to some kind of testing by Verisign before they'll do
> this, and if so, what do they charge for this (sic) "service"? IEv3 on the
> Mac will not work with Thawte certs (so Thawte tell me) so that's an issue
> for me.
There is an official statement on the matter from Verisign, but they've
cleverly hidden it away until you're already half way through the
enrollment process... :)
>
> 3) I'm very short on IP's and can't possibly run each certificate on its
> own IP. I read that it might be possible to run a number of ssl virtual
> hosts on the same IP providing they use different ports. (At least, this is
> what I understood by the discussion of this problem). So, does the
> following (outline) config make sense?
>
> I allocate an IP, say x.x.x.x, and give it a name:
>
> ssl.SCL.co.uk IN A x.x.x.x (SCL is my own domain)
>
> Then, when I have a customer with an insecure web site, say
> www.customerX.co.uk (this is a NameVirtualHost running on an entirely
> separate IP) and who now wants secure service, I put in a CNAME:
>
> ssl.customerX.co.uk IN CNAME ssl.SCL.co.uk ,or (equally I would think)
> ssl.customerX.co.uk IN A x.x.x.x
>
> My httpd.conf file for apache-ssl will look like:
>
> Port 437 (from memory, that's the standard port for httpsd
> and I'll use it for ssl.SCL.co.uk)
Nope, it's 443.
>
> NameVirtualHost x.x.x.x
>
> <VirtualHost ssl.customerX.co.uk:438> (maybe not exactly these ports,
> ... but a different one for each customer)
> </VirtualHost>
>
> <VirtualHost ssl.customerY.co.uk:439>
> ...
> </VirtualHost>
>
> etc.
>
> Is that going to work? Are there any serious drawbacks to such an approach?
In short, yes it makes sense, but no it won't work. The reason being
that the SSL session is negotiated as soon as the browser connects, and
before any headers have been exchanged to determine which named host
they are looking for. As a consequence, they will be presented with the
cert for the main IP address, not the virtual host.
>
> 4) Sounds like it's much safer (on a live server) to run with the gcache
> stuff switched off?
At the moment, yes.
>
> 5) I read somewhere that I can get a Thawte certificate (maybe anybody's
> cert?) associated with a wildcard domain name e.g. *.SCL.co.uk. If that's
> the case it surely makes sense to do it so that I can play around with the
> names later on if necessary. Are there any drawbacks to doing that?
Technically no, but you are obviously downgrading the level of trust
that one can apply to the cert - you are using a generic 'site' cert, as
opposed to one for that particular server, and that introduces an
element of doubt into the trust equation. And no, you can't get
anybody's - Verisign, for example, specifically disallow 'special'
characters.
>
> Any comments gratefully received! I'm about to splash out on three
> certificates so I'd like to know I'm not about to throw $375 down the pan!
Depends what you do with them! :)
cheers,
Adam
--
Adam Laurie Tel: +44 (181) 742 0755
A.L. Digital Ltd. Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
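The point in the reply to question 3 is that certificate selection happens when the ClientHello arrives, before any HTTP request (and therefore before any Host header) is seen, so everything behind one IP and port gets the same certificate. The server_name (SNI) extension of RFC 3546 (now RFC 6066) later gave clients a way to put the hostname into the ClientHello itself. The following is an added example, not code from the thread or from Apache-SSL/SSLeay: it constructs a minimal TLS ClientHello with and without SNI, extracts the hostname where present, and picks a certificate by name, applying the usual rule for a wildcard such as *.SCL.co.uk from question 5 (the wildcard is the whole leftmost label and matches exactly one label). The hostnames and certificate labels are assumptions taken from the thread; the handshake bytes are constructed here.

```python
import struct

# Extension type 0 is server_name; within it, name type 0 is host_name (RFC 6066).
EXT_SERVER_NAME = 0
NAME_TYPE_HOST = 0


def build_client_hello(server_name=None):
    """Constructed TLS 1.2 ClientHello record. Everything except the optional
    server_name extension is filler (zero random, one cipher suite, null compression)."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version, random
    body += b"\x00"                               # session_id length 0
    body += b"\x00\x02\x00\x2f"                   # cipher_suites: one suite
    body += b"\x01\x00"                           # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext  # extensions block (only present with SNI)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer


def extract_sni(record):
    """Return the host_name carried in the server_name extension, or None when the
    ClientHello carries no hostname (which is what every 1998 browser sent).
    Raises ValueError for anything that is not a well-formed ClientHello."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                          # version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos >= len(body):
            return None                                       # no extensions at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("extensions overrun ClientHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            lpos = 2                                          # skip ServerNameList length
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if ntype == NAME_TYPE_HOST:
                    return data[lpos + 3:lpos + 3 + nlen].decode("ascii")
                lpos += 3 + nlen
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def name_matches(cert_name, host):
    """Case-insensitive hostname match. A wildcard is honoured only as the entire
    leftmost label and matches exactly one label: *.scl.co.uk matches
    ssl.scl.co.uk but neither a.b.scl.co.uk nor scl.co.uk itself."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                        # ".scl.co.uk"
    if not host.endswith(suffix):
        return False
    left = host[:-len(suffix)]
    return left != "" and "." not in left


def select_certificate(record, certs, default_cert):
    """certs: list of (subject name, certificate label). Without a hostname in the
    ClientHello the server can only hand out the listener's default certificate,
    which is the situation the reply describes."""
    sni = extract_sni(record)
    if sni is None:
        return default_cert
    for subject, label in certs:
        if name_matches(subject, sni):
            return label
    return default_cert


# Assumed certificate inventory for the setup sketched in the thread.
CERTS = [("ssl.customerX.co.uk", "customerX-cert"),
         ("*.SCL.co.uk", "scl-wildcard-cert")]

if __name__ == "__main__":
    legacy = build_client_hello()                              # no SNI, as in 1998
    modern = build_client_hello("ssl.customerX.co.uk")
    print(select_certificate(legacy, CERTS, "scl-default-cert"))
    print(select_certificate(modern, CERTS, "scl-default-cert"))
```

The socket already tells the server the IP and port the client connected to, so the shortage of hostnames in the handshake only bites when several names share one IP and port; what the parser above adds is the hostname, and only when the client sends one. The wildcard rule matters for question 5: a certificate for *.SCL.co.uk covers ssl.SCL.co.uk but not SCL.co.uk or a second-level name such as a.b.SCL.co.uk.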