Joseph Mack NA3T wrote:
> On Thu, 25 Oct 2007, Joseph Mack NA3T wrote:
>
>> wonderful. People fall all over https on lvs and Graeme has
>> been rescuing everyone.
>
> I don't suppose you know if you can run two https sites with
> the same IP (like you can for http)?

It is possible to create a service certificate with a wildcard in the CN
string. We've got a few of these at Fermi. I think this would enable
the ability to get around the catch-22 of having to read the http
request header before the ssl handshake is completed - the handshake is
still completed before reading the header, but since you've got a
wildcard in the CN, it should succeed, then the server can read the
header and redirect appropriately.

So, yes, I think it can be done for a special use case where the servers
have similar enough hostnames that a suitable certificate can be
generated. I'll ask around to see if anyone here is doing that.

Cheers,
Dan
--
Dan Yocum
Fermilab 630.840.6509
yocum@xxxxxxxx, http://fermigrid.fnal.gov
Fermilab. Just zeros and ones.
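
The "similar enough hostnames" condition from the message above, as an added example that is not part of the original post: it checks whether a set of HTTPS virtual hosts sharing one IP can all be covered by a single wildcard certificate name. The function names and sample hostnames are constructed for illustration, and the matching rule assumed is the common one where `*` stands for exactly one left-most label.

```python
"""Check whether a set of HTTPS virtual hosts on one IP can share a single
wildcard certificate. Hostnames below are constructed samples."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a hostname.

    Only a whole left-most label of "*" is treated as a wildcard, and it
    stands for exactly one label (the common RFC 6125 style rule).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Refuse patterns like "*.org": require at least two fixed labels.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def shared_wildcard(hostnames):
    """Return the one wildcard name covering every hostname, or None."""
    parents = set()
    for name in hostnames:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            return None  # bare domain: "*" never matches zero labels
        parents.add(".".join(labels[1:]))
    if len(parents) != 1:
        return None  # hosts live under different parent domains
    pattern = "*." + parents.pop()
    return pattern if all(wildcard_matches(pattern, h) for h in hostnames) else None


if __name__ == "__main__":
    for vhosts in (
        ["www.example.org", "mail.example.org"],   # one wildcard covers both
        ["www.example.org", "example.org"],        # bare domain not covered
        ["www.example.org", "www.example.net"],    # different parent domains
        ["a.b.example.org", "www.example.org"],    # wildcard spans one label only
    ):
        print(vhosts, "->", shared_wildcard(vhosts))
```

A `None` result means the sites cannot share one wildcard certificate under this rule, so the handshake would present a name that does not match at least one of them.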