Re: [lvs-users] https connections

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] https connections
From: Dan Yocum <yocum@xxxxxxxx>
Date: Mon, 29 Oct 2007 09:50:12 -0500
Hi Graeme,

Graeme Fowler wrote:
> Joseph Mack NA3T wrote:
>> I don't suppose you know if you can run two https sites with 
>> the same IP (like you can for http)?
> Short answer: no.
> Longer answer: no, because the certificate for a connection must be 
> chosen before the TLS session is established (the TLS handshake requires 
> the certificate and key); only then can the HTTP/1.1 Host: header be 
> sent across. This means the certificate must be hard-coded in the config 
> of the application providing the TLS environment (Apache, for example, 
> puts it into the VirtualHost context).

See my previous email - I *think* it can be done.

> Slightly different short answer: you can if you bind the VirtualHost to 
> different ports (443 is IANA default for https but you can run it 
> *anywhere you want*. Just don't expect the clients to use one that's not 
> on port 443 :)

True - we* usually run our https on 8443 and our globus web services on 

*we, being the Open Science Grid and other scientific grid 
infrastructures (EGEE, etc.)

> Very different answer: you can if you use TLS/SNI. See:
> This extends the TLS handshake to include several extended attributes, 
> among the server_name. Guess what that gets used for?

We use extended attributes for grid job submissions (think 
geographically separated batch job submissions to extremely diverse 
compute resources).  We use the user DN + Virtual Organization and Role 
extended attributes to map users to local UIDs for running the jobs.

What purpose are you using extended attributes for?


Dan Yocum
Fermilab  630.840.6509
Fermilab.  Just zeros and ones.
