Re: HTTPS and URL encoding

david20_at_alpha2.mdx.ac.uk
Date: 05/28/04


Date: Fri, 28 May 2004 10:43:48 +0000 (UTC)

In article <05edb0lp9ftaebnqreiv7dbftnr9ov32lr@4ax.com>, dap99@i-55.com writes:
>On Thu, 27 May 2004 18:36:23 -0400, Barry Margolin
><barmar@alum.mit.edu> wrote:
>
>>In article <40B66A5F.F403FFB1@anta.net>, Thor Kottelin <thor@anta.net>
>>wrote:
>>> > Not if it's a virtual server -- multiple names map to the same address,
>>> > and the reverse lookup probably wouldn't produce the one that the user
>>> > used.
>>>
>>> It's not very common for HTTPS to be available on name-based virtual hosts,
>>> is it?
>>
>>Good point. Now that you remind me, I think there's a problem with
>>certificate verification, which is based on IP rather than name.
>
>I wish they would fix that. Yes, it would be painful and a long
>process, but I can still wish. Having to dedicate an IP for each SSL
>site is a real administrative pain. You can host multiple SSL sites on
>one IP using different ports, but users get scared when they click to
>https://ssl.site.com:534.
>

You can overcome this by either

1) using a wildcarded certificate
or
2) using the subjectAltName extension to specify additional DNS hostnames

e.g.

in openssl.cnf:

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Take the DNS names from the [ alt_section ] block below.
subjectAltName=@alt_section
.
.
.
[ alt_section ]
DNS.1=host1.domain
DNS.2=host2.domain
DNS.3=host3.domain
DNS.4=host4.domain

All modern browsers should support the subjectAltName extension.

David Webb
VMS and Unix team leader
CCSS
Middlesex University
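
How a client matches the requested hostname against either kind of certificate suggested in the post above, as an added example that is not part of the original post: a simplified model of the RFC 2818 rules, with hypothetical function names (`name_matches`, `cert_matches`) and constructed sample names apart from the host1.domain to host4.domain entries taken from the post. It also shows that once dNSName entries are present the common name is no longer consulted, so every hostname served has to be listed.

```python
# Added example: simplified RFC 2818 hostname matching for wildcard and
# subjectAltName certificates. Function names are hypothetical.

def name_matches(cert_name: str, host: str) -> bool:
    """Compare one certificate name (CN or dNSName) with the requested host."""
    c_labels = cert_name.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(c_labels) != len(h_labels) or "" in h_labels:
        return False                      # "*" never spans several labels
    if c_labels[0] == "*":
        # Strict choice made here: the wildcard must be the whole
        # left-most label and stands for exactly one label.
        return "*" not in "".join(c_labels[1:]) and c_labels[1:] == h_labels[1:]
    if "*" in cert_name:
        return False                      # partial wildcards are rejected
    return c_labels == h_labels


def cert_matches(host: str, common_name: str, san_dns: list) -> bool:
    """If any dNSName is present it is used and the CN is ignored;
    the CN is only a fallback for certificates without dNSName entries."""
    names = san_dns if san_dns else [common_name]
    return any(name_matches(n, host) for n in names)


# dNSName list from the [ alt_section ] block in the post.
ALT_SECTION = ["host1.domain", "host2.domain", "host3.domain", "host4.domain"]

if __name__ == "__main__":
    checks = [
        # (requested host, certificate CN, certificate dNSName list)
        ("host3.domain", "host1.domain", ALT_SECTION),    # listed in the SAN
        ("host5.domain", "host1.domain", ALT_SECTION),    # not listed
        ("host0.domain", "host0.domain", ALT_SECTION),    # CN only (constructed)
        ("host9.domain", "*.domain", []),                 # wildcard, one label
        ("a.host9.domain", "*.domain", []),               # wildcard, two labels
    ]
    for host, cn, san in checks:
        print(f"{host:16} CN={cn:14} SAN={len(san)} names ->",
              cert_matches(host, cn, san))
```
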


