Apache-2.2

Multiple SSL domains on the same IP address and the same port?

  • February 2, 2016

This is a canonical question about hosting multiple SSL websites on the same IP.

I was under the impression that each SSL certificate required its own unique IP address/port combination. But the answer to a previous question I posted conflicts with that claim.

Using information from that question, I was able to get multiple SSL certificates working on the same IP address and port 443. Given the assumption above, reinforced by others, that each SSL domain site on the same server needs its own IP/port,

I suspect I am doing something wrong. Can multiple SSL certificates be used this way?

For the latest information on Apache and SNI, including other HTTP-specific RFCs, see the Apache Wiki.


FYI: the magic of TLS upgrade is what brings you "multiple (different) SSL certificates on one IP". It works with newer Apache servers (2.2.x) and reasonably new browsers (I don't know the versions off the top of my head).

RFC 2817 (Upgrading to TLS within HTTP/1.1) has the gory details, but basically it works for a lot of people (if not most). You can, however, reproduce the old funky behaviour with openssl's s_client command (or any "old enough" browser).

Edited to add: apparently curl can show you what is going on here better than openssl:


SSLv3

mikeg@flexo% curl -v -v -v -3 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
*   Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
 CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: serialNumber=wq8O9mhOSp9fY9JcmaJUrFNWWrANURzJ; C=CA; 
             O=staging.bossystem.org; OU=GT07932874;
             OU=See www.rapidssl.com/resources/cps (c)10;
             OU=Domain Control Validated - RapidSSL(R);
             CN=staging.bossystem.org
*    start date: 2010-02-03 18:53:53 GMT
*    expire date: 2011-02-06 13:21:08 GMT
* SSL: certificate subject name 'staging.bossystem.org'
      does not match target host name 'www.yummyskin.com'
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name 'staging.bossystem.org'
does not match target host name 'www.yummyskin.com'

TLSv1

mikeg@flexo% curl -v -v -v -1 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
*   Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
 CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: C=CA; O=www.yummyskin.com; OU=GT13670640;
             OU=See www.rapidssl.com/resources/cps (c)09;
             OU=Domain Control Validated - RapidSSL(R);
             CN=www.yummyskin.com
*    start date: 2009-04-24 15:48:15 GMT
*    expire date: 2010-04-25 15:48:15 GMT
*    common name: www.yummyskin.com (matched)
*    issuer: C=US; O=Equifax Secure Inc.; CN=Equifax Secure Global eBusiness CA-1
*    SSL certificate verify ok.

Quoted from: https://serverfault.com/questions/109800