Hi Graeme,
Graeme Fowler wrote:
> Joseph Mack NA3T wrote:
>> I don't suppose you know if you can run two https sites with
>> the same IP (like you can for http)?
>
> Short answer: no.
>
> Longer answer: no, because the certificate for a connection must be
> chosen before the TLS session is established (the TLS handshake requires
> the certificate and key); only then can the HTTP/1.1 Host: header be
> sent across. This means the certificate must be hard-coded in the config
> of the application providing the TLS environment (Apache, for example,
> puts it into the VirtualHost context).
See my previous email - I *think* it can be done.
>
> Slightly different short answer: you can if you bind the VirtualHost to
> different ports (443 is the IANA default for https but you can run it
> *anywhere you want*). Just don't expect the clients to use one that's not
> on port 443 :)
True - we* usually run our https on 8443 and our globus web services on
9443.
*we, being the Open Science Grid and other scientific grid
infrastructures (EGEE, etc.)
>
> Very different answer: you can if you use TLS/SNI. See:
> http://www.rfc-archive.org/getrfc.php?rfc=3546
> This extends the TLS handshake to include several extended attributes,
> among them server_name. Guess what that gets used for?
We use extended attributes for grid job submissions (think
geographically separated batch job submissions to extremely diverse
compute resources). We use the user DN + Virtual Organization and Role
extended attributes to map users to local UIDs for running the jobs.
What purpose are you using extended attributes for?
Cheers,
Dan
--
Dan Yocum
Fermilab 630.840.6509
yocum@xxxxxxxx, http://fermigrid.fnal.gov
Fermilab. Just zeros and ones.