Apache-2.2
Multiple SSL domains on the same IP address and the same port?
This is a canonical question about hosting multiple SSL websites on the same IP.
My impression was that every SSL certificate needed its own unique IP address/port combination. But the answer to a previous question I posted contradicts that claim.
Using the information from that question, I was able to get multiple SSL certificates working on the same IP address and port 443. Given the assumption above, and having had it emphasized by others that each SSL domain website on the same server needs its own IP/port,
I suspect I am doing something wrong. Can multiple SSL certificates be used this way?
For the latest information on Apache and SNI, including other HTTP-specific RFCs, see the Apache Wiki.
FYI: the magic of TLS Upgrade is what gives you "multiple (different) SSL certificates on one IP". It works with newer Apache servers (2.2.x) and reasonably recent browsers (I don't know the versions off the top of my head).
RFC 2817 (Upgrading to TLS Within HTTP/1.1) has the gory details, but basically it works for many (if not most) people. You can, however, reproduce the old funky behaviour with openssl's s_client command (or any "old enough" browser).
Edited to add: apparently curl shows you what is going on here better than openssl does:
SSLv3
mikeg@flexo% curl -v -v -v -3 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
*   Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*   subject: serialNumber=wq8O9mhOSp9fY9JcmaJUrFNWWrANURzJ; C=CA; O=staging.bossystem.org; OU=GT07932874; OU=See www.rapidssl.com/resources/cps (c)10; OU=Domain Control Validated - RapidSSL(R); CN=staging.bossystem.org
*   start date: 2010-02-03 18:53:53 GMT
*   expire date: 2011-02-06 13:21:08 GMT
* SSL: certificate subject name 'staging.bossystem.org' does not match target host name 'www.yummyskin.com'
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name 'staging.bossystem.org' does not match target host name 'www.yummyskin.com'
TLSv1
mikeg@flexo% curl -v -v -v -1 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
*   Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*   subject: C=CA; O=www.yummyskin.com; OU=GT13670640; OU=See www.rapidssl.com/resources/cps (c)09; OU=Domain Control Validated - RapidSSL(R); CN=www.yummyskin.com
*   start date: 2009-04-24 15:48:15 GMT
*   expire date: 2010-04-25 15:48:15 GMT
*   common name: www.yummyskin.com (matched)
*   issuer: C=US; O=Equifax Secure Inc.; CN=Equifax Secure Global eBusiness CA-1
* SSL certificate verify ok.