[cap-talk] [Off-topic] SSL/TLS problems

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Mon Aug 22 21:32:00 EDT 2005


Jed at Webstart wrote:
> I've got a bit of a bone to pick.  This may be even more off
> topic, so perhaps David can point me elsewhere to follow up.
> 
> The bone is that it also seems to me desirable to eliminate
> the costly mechanisms for supporting multiple certificates
> for the multiple SSL virtual hosts on a single physical
> host (and IP).  In the case of such multiple named virtual
> hosts using SSL over a single IP address, what is to be
> gained by requiring them all to have distinct certificates?
>
> It's the same software acting within the same authentication
> space that is picking up the communication, regardless of
> which virtual host configuration it happens to get directed to.
> 
> If the certificate could be tied to the IP address or even
> the A record for a DNS name with multiple CNAMEs allowed
> (for all the virtual hosts), that would eliminate yet another level
> of overhead that adds cost but no value as far as I can see.
> I don't see this last aspect of eliminating the special SSL
> costs for virtual hosts addressed in the above RFC.  Please
> let me know if I missed it and it is there.

It isn't there. This would require an update to RFC 2818
(HTTP over TLS) to change the hostname matching rules. The place
to pursue this would be on the TLS WG list
(https://www1.ietf.org/mailman/listinfo/tls).

Here are some arguments against that you *may* encounter:
  - that it's already possible to do this by use of wildcards in the
    case where all hostnames are in the same subdomain,
  - that the use of virtual servers for TLS is not to be encouraged
    because it is less secure than using multiple hosts,
  - that it isn't important enough to fix.

These are all weak arguments, but you should have good answers to them.
Good luck; please contact me if you need help writing a draft.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
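The RFC 2818 hostname matching rules that the reply refers to, as an added example that is not part of this thread: a small Python implementation of the section 3.1 rules (a `*` matches one domain name component or component fragment, never more than one label), used to show which of a set of virtual hosts a single wildcard certificate covers and which would still need their own certificate. The host names and the certificate name list are constructed for illustration.

```python
import re

def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against one certificate label.

    RFC 2818 3.1: '*' matches any single domain name component or
    component fragment, so it can stand for 'foo' in '*.a.com' or for
    'oo' in 'f*.com', but it never spans a dot.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, label) is not None

def name_matches(cert_name: str, host: str) -> bool:
    """RFC 2818 hostname match: case-insensitive, label by label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard cannot absorb missing or extra labels
    return all(_label_matches(c, h) for c, h in zip(cert_labels, host_labels))

def uncovered_hosts(cert_names, hosts):
    """Return the virtual hosts that none of the certificate's names match."""
    return [h for h in hosts if not any(name_matches(n, h) for n in cert_names)]

# Constructed sample: one wildcard certificate and the names of several
# SSL virtual hosts sharing one physical host and IP address.
WILDCARD_CERT = ["*.example.com"]
VHOSTS = [
    "www.example.com",      # same subdomain: covered
    "shop.example.com",     # same subdomain: covered
    "example.com",          # the bare name is not covered by '*.example.com'
    "api.dev.example.com",  # one level deeper: not covered
    "example.net",          # different domain: needs its own certificate
]

if __name__ == "__main__":
    for host in uncovered_hosts(WILDCARD_CERT, VHOSTS):
        print(f"{host}: not covered by {WILDCARD_CERT}")
```

The output shows why the "just use wildcards" argument only holds when every virtual host name sits in the same subdomain.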
