Re: [lvs-users] https connections

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] https connections
From: Dan Yocum <yocum@xxxxxxxx>
Date: Mon, 29 Oct 2007 09:13:59 -0500

Joseph Mack NA3T wrote:
> On Thu, 25 Oct 2007, Joseph Mack NA3T wrote:
>> wonderful. People fall all over https on lvs and Graeme has
>> been rescuing everyone.
> I don't suppose you know if you can run two https sites with 
> the same IP (like you can for http)?

It is possible to create a service certificate with a wildcard in the CN 
string.  We've got a few of these at Fermi.  I think this would enable 
the ability to get around the catch-22 of having to read the http 
request header before the ssl handshake is completed - the handshake is 
still completed before reading the header, but since you've got a 
wildcard in the CN, it should succeed, then the server can read the 
header and redirect appropriately.

So, yes, I think it can be done for a special use case where the servers 
have similar enough hostnames that a suitable certificate can be 
generated.  I'll ask around to see if anyone here is doing that.


Dan Yocum
Fermilab  630.840.6509
Fermilab.  Just zeros and ones.
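
The "similar enough hostnames" condition from the message above, as an added example that is not part of the original post: it checks whether a set of virtual-host names can share one wildcard certificate, and which names such a certificate would not cover. The example.org hostnames are constructed, only a full left-most `*` label is handled, and the three-label minimum is a simplification that does not consult the public suffix list.

```python
def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern, hostname):
    """True if hostname is covered by a certificate name such as '*.example.org'.

    The '*' stands for exactly one non-empty left-most label, so it never
    spans a dot and never matches the bare parent domain.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def shared_wildcard(hostnames):
    """Return the one wildcard name covering every hostname, or None.

    All names must be direct children of the same parent domain. Names with
    fewer than three labels are refused so that '*.org' is never proposed
    (assumption: a simple label count, not a public-suffix lookup).
    """
    parents = set()
    for name in hostnames:
        labels = _labels(name)
        if len(labels) < 3:
            return None
        parents.add(".".join(labels[1:]))
    if len(parents) != 1:
        return None
    return "*." + parents.pop()


if __name__ == "__main__":
    # Constructed virtual-host sets sharing one IP behind the director.
    for vhosts in (["www.example.org", "mail.example.org"],
                   ["www.example.org", "a.b.example.org"],
                   ["www.example.org", "www.example.net"]):
        print(vhosts, "->", shared_wildcard(vhosts))
```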
