Re: Verisign Certs

To: "Matthew S. Crocker" <matthew@xxxxxxxxxxx>
Subject: Re: Verisign Certs
Cc: "Joseph Mack" <mack.joseph@xxxxxxx>, "Linux Virtual Server Mail List" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: "David D.W. Downey" <david.downey@xxxxxxxx>
Date: Mon, 16 Oct 2000 13:45:26 -0700
Excellent information! Thanks. Exactly what I needed to know.


----- Original Message -----
From: Matthew S. Crocker <matthew@xxxxxxxxxxx>
To: David D.W. Downey <david.downey@xxxxxxxx>
Cc: Joseph Mack <mack.joseph@xxxxxxx>; Linux Virtual Server Mail List
<lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Sent: Monday, October 16, 2000 1:04 PM
Subject: Re: Verisign Certs


> On Mon, 16 Oct 2000, David D.W. Downey wrote:
> > We have like 40 domains all told assigned to the single VIP. I take it then
> > that I would have to redo the DNS and LVS to assign different IPs to the
> > different domains rather than feeding them all through 1? That I can
> > understand.
> >
> > BUT, the certificates would actually be loaded from the real servers
> > comprising the cluster correct? If so, how do you assign multiple certs on a
> > single machine that all feeds to the same directory but via different
> > <Virtual Host> entries in the httpd.conf?
>
> You need to set up the vs servers with 40 VIP's and set up the ws servers to
> handle the same VIP's. This is the same thing as normal LVS but with 40
> IP's instead of one. You will have 40 dummy interfaces on the ws
> servers (interface aliases eth0:0 --> eth0:39)
>
> Then you need to set up 40 virtual host entries in httpd.conf but set up IP
> BASED not NAME BASED.  This is very important.  You then register 40
> certificates for the 40 names you plan on handling and put each
> certificate in a separate <VirtualHost> entry in httpd.conf.  Once that is
> all done you take the 40 DNS names and point them to the VIP addresses and
> make sure you match the IP in DNS to the IP in httpd.conf with the name
> on the certificate.
>
> Remember, certificates are branded with the name of the server in them
> and the certificate is sent to the client during SSL setup which is BEFORE
> HTTP protocol.  Name-based virtual hosting is HTTP/1.1, if you don't have
> HTTP yet how can you figure out what certificate to send?
>
> When the client gets the certificate it matches the name in the cert to the
> URL it is going to. If they don't match the client will complain to the
> user about potential security problems.  The SSL session is still
> established and security is still there but the normal user will get scared
> when the browser complains.  It gets expensive, 40 certs at Thawte are
> $4025
>
> Hope this helps.
>
> -Matt
>
> --
> ----------------------------------------------------------------------
> Matthew S. Crocker
> Vice President / Internet Division         Email: matthew@xxxxxxxxxxx
> Crocker Communications                     Phone: (413) 587-3350
> PO BOX 710                                 Fax:   (413) 587-3352
> Greenfield, MA 01302-0710                  http://www.crocker.com
> ----------------------------------------------------------------------
>
>
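The layout Matt describes above (one VIP per SSL hostname, an interface alias per VIP on each real server, and one IP-based <VirtualHost> per VIP carrying its own certificate), as an added example that is not part of the original thread. It is a small POSIX shell script that generates the alias commands and the httpd.conf fragments from a constructed three-site table, and adds the one check this design needs: no two hostnames may share a VIP, because an IP-based vhost can only present one certificate per address, so a second site on the same address would be served the wrong name and trip the browser warning Matt mentions. Interface name eth0, the /24 netmask, the example hostnames and addresses, and the /etc/httpd/ssl/<hostname>.crt naming scheme are all assumptions. Matt's rationale (no Host header before the handshake) predates TLS Server Name Indication; the example follows the IP-based layout he gives rather than SNI.

```shell
#!/bin/sh
# Added example, not code from the lvs-users thread. Generates the per-VIP
# interface aliases and IP-based mod_ssl <VirtualHost> entries for a set of
# SSL hostnames. Constructed table: "hostname VIP", one site per line.
# Assumptions: real servers use eth0, VIPs live in a /24, and each site's
# cert/key sit in /etc/httpd/ssl named after the hostname.
SITES='
www.example-a.test 192.0.2.10
www.example-b.test 192.0.2.11
www.example-c.test 192.0.2.12
'

# Lines of the table with blanks dropped, so each generator can pipe them.
sites() {
  printf '%s\n' "$SITES" | grep -v '^$'
}

# One alias per VIP on the real server: eth0:0, eth0:1, ... (the
# eth0:0 --> eth0:39 layout from the thread, here for three VIPs).
gen_aliases() {
  i=0
  sites | while read -r name ip; do
    printf 'ifconfig eth0:%d %s netmask 255.255.255.0 up\n' "$i" "$ip"
    i=$((i + 1))
  done
}

# One IP-based vhost per VIP. Binding on the address (not "*") is what lets
# Apache pick the certificate before any HTTP request has been read.
gen_vhosts() {
  sites | while read -r name ip; do
    cat <<EOF
<VirtualHost $ip:443>
    ServerName $name
    DocumentRoot /var/www/htdocs
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/$name.crt
    SSLCertificateKeyFile /etc/httpd/ssl/$name.key
</VirtualHost>

EOF
  done
}

# Sanity check: every VIP must map to exactly one hostname. Two names on one
# address would collapse onto the first certificate configured for it.
check_unique_vips() {
  dups=$(sites | awk '{print $2}' | sort | uniq -d)
  [ -z "$dups" ]
}

# Usage: print the alias commands, then the httpd.conf fragments.
if check_unique_vips; then
  gen_aliases
  gen_vhosts
else
  echo "error: a VIP is shared by more than one hostname" >&2
fi
```

The DNS side is the remaining leg of the triangle: each hostname's A record must point at the same VIP that its <VirtualHost> binds, otherwise the client reaches an address whose certificate carries a different name.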


