[PYTHON-CRYPTO] Multiple Certs Possible?
Ng Pheng Siong
ngps at POST1.COM
Wed Aug 11 18:47:04 CEST 2004
On Tue, Aug 10, 2004 at 09:46:47PM -0500, Matt Hubbard wrote:
> Is it possible to use a different server certificate for each virtual host
> within a single instance of Zope? This would be similar to the SSL
> directives within an Apache VirtualHost directive.
Not possible with VHM's name-based virtual hosting. Recall HTTPS is
HTTP-over-SSL. Here's what mod_ssl's FAQ has to say about this:

    Why can't I use SSL with name-based/non-IP-based virtual hosts?

    The reason is very technical. Actually it's some sort of a chicken and
    egg problem: The SSL protocol layer stays below the HTTP protocol layer
    and encapsulates HTTP. When an SSL connection (HTTPS) is established
    Apache/mod_ssl has to negotiate the SSL protocol parameters with the
    client. For this mod_ssl has to consult the configuration of the virtual
    server (for instance it has to look for the cipher suite, the server
    certificate, etc.). But in order to dispatch to the correct virtual
    server Apache has to know the Host HTTP header field. For this the HTTP
    request header has to be read. This cannot be done before the SSL
    handshake is finished. But the information is already needed at the SSL
    handshake phase. Bingo!

(Of course, "chicken and egg" isn't a problem. The egg came first. ;-)
> Do I need to run a
> separate instance of Zope for each domain requiring its own cert?
Ng Pheng Siong <ngps at netmemetic.com>
http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control
http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
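
Added example, not part of the original message or of mod_ssl/ZServerSSL: a sketch of the ordering problem the quoted FAQ describes, showing that the first bytes a server receives on an HTTPS connection are an SSL/TLS ClientHello with no Host header in them, so the certificate can only be chosen by local IP:port. The host names, address, certificate label and function names are hypothetical, and the ClientHello is a constructed sample without extensions.

```python
import struct

# Constructed sample: a minimal TLS 1.0 ClientHello with no extensions.
# Built here for illustration, not captured from a real client.
def build_client_hello():
    body = (b"\x03\x01"            # client_version: TLS 1.0
            + bytes(32)            # random (zeroed for the sample)
            + b"\x00"              # empty session_id
            + b"\x00\x02\x00\x2f"  # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")         # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def host_header(data):
    """Return the Host value if data is a plaintext HTTP request, else None."""
    head = data.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines[0].endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii")
    return None

def is_client_hello(data):
    """True if data starts with a handshake record carrying a ClientHello."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01

def pick_certificate(first_bytes, local_addr, certs_by_addr):
    """Choose a certificate from what the server knows when the handshake starts."""
    if not is_client_hello(first_bytes):
        raise ValueError("not an SSL/TLS handshake")
    # No Host header is readable yet, so local IP:port is the only key.
    return certs_by_addr[local_addr]

# Hypothetical layout: two names share one IP:port, hence one certificate.
CERTS_BY_ADDR = {("192.0.2.10", 443): "cert-for-www.example.com"}
# The request the client sends inside the tunnel, after the handshake is done.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"

if __name__ == "__main__":
    hello = build_client_hello()
    print("Host visible at handshake time:", host_header(hello))
    print("Certificate sent:", pick_certificate(hello, ("192.0.2.10", 443), CERTS_BY_ADDR))
    print("Host requested afterwards:", host_header(HTTP_REQUEST))
```

The certificate is already on the wire for www.example.com by the time the server learns the client wanted shop.example.com.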