[PYTHON-CRYPTO] Multiple Certs Possible?

Ng Pheng Siong ngps at POST1.COM
Wed Aug 11 18:47:04 CEST 2004


On Tue, Aug 10, 2004 at 09:46:47PM -0500, Matt Hubbard wrote:
> Is it possible to use a different server certificate for each virtual host
> within a single instance of Zope?  This would be similar to the SSL
> directives within an Apache VirtualHost directive.

Not possible with VHM's name-based virtual hosting. Recall HTTPS is
HTTP-over-SSL. Here's what mod_ssl's FAQ has to say about this:

  Why can't I use SSL with name-based/non-IP-based virtual hosts?

  The reason is very technical. Actually it's some sort of a chicken and
  egg problem: The SSL protocol layer stays below the HTTP protocol layer
  and encapsulates HTTP. When an SSL connection (HTTPS) is established
  Apache/mod_ssl has to negotiate the SSL protocol parameters with the
  client. For this mod_ssl has to consult the configuration of the virtual
  server (for instance it has to look for the cipher suite, the server
  certificate, etc.). But in order to dispatch to the correct virtual
  server Apache has to know the Host HTTP header field. For this the HTTP
  request header has to be read. This cannot be done before the SSL
  handshake is finished. But the information is already needed at the SSL
  handshake phase. Bingo!

(Of course, "chicken and egg" isn't a problem. The egg came first. ;-)

> Do I need to run a
> separate instance of Zope for each domain requiring its own cert?

Yes.

--
Ng Pheng Siong <ngps at netmemetic.com>

http://firewall.rulemaker.net -+- Cisco PIX & Netscreen Config Version Control
http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
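
The ordering problem in the quoted mod_ssl FAQ, as an added example that is not part of the original message: it builds a real ClientHello in memory with Python's standard `ssl` module and shows what a listener can know when it must choose a certificate, before any HTTP request (and so any `Host` header) exists. It goes beyond the message by also showing the TLS `server_name` extension (SNI, RFC 6066), which the message does not mention; the host names, certificate file names and helper names are placeholders.

```python
import ssl

def client_hello(server_hostname=None):
    """Return the first TLS flight a stdlib client emits, built in memory (no network)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Hostname checking needs a name to check; the handshake never completes here anyway.
    ctx.check_hostname = server_hostname is not None
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client has sent ClientHello and now waits for the server
    return outgoing.read()

def u16(buf, pos):
    return int.from_bytes(buf[pos:pos + 2], "big")

def requested_host(hello):
    """Name in the server_name extension (type 0), or None; assumes a single TLS record."""
    if hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 5 + 4 + 2 + 32               # record header, handshake header, version, random
    pos += 1 + hello[pos]              # session_id
    pos += 2 + u16(hello, pos)         # cipher_suites
    pos += 1 + hello[pos]              # compression_methods
    if pos + 2 > len(hello):
        return None                    # no extensions block at all
    end = pos + 2 + u16(hello, pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = u16(hello, pos), u16(hello, pos + 2)
        if ext_type == 0:              # server_name: list_len(2) type(1) name_len(2) name
            name_len = u16(hello, pos + 7)
            return hello[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

def pick_certificate(hello, vhost_certs, default_cert):
    """What a listener can decide before any HTTP (and so any Host header) exists."""
    return vhost_certs.get(requested_host(hello), default_cert)

# Constructed sample mapping; host names and file names are placeholders.
VHOST_CERTS = {"shop.example": "shop.pem", "blog.example": "blog.pem"}

if __name__ == "__main__":
    for name in (None, "shop.example"):
        hello = client_hello(name)
        print(name, "->", pick_certificate(hello, VHOST_CERTS, "default.pem"))
```

A client that sends no name leaves the listener with only its one default certificate, which is the situation the FAQ describes.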



