[olug] Building a web server for both security and performance in 2011

Rob Townley rob.townley at gmail.com
Sat Sep 3 23:46:51 UTC 2011


On Thu, Sep 1, 2011 at 12:12 PM, Barry Von Ahsen <barry at vonahsen.com> wrote:
> wildcard certs on the address bar aren't any different, but as mentioned, if
> you view the cert, it will show as *.domain.com
>
>
> for the multiple ssl question, on older versions of apache, you had to use
> one ip with multiple ports, or multiple ips on 443.  newer versions of
> apache, combined with newer versions of openssl, support SNI, which will do
> multiple ssl sites on one ip and port
>
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>
> -barry

Some clients can not do the TLS handshake, but now that is a
client that really needs to update to Firefox.
TLS escalation has had some vulnerabilities, but it is still better
than sending a password in the clear.  Vyatta.org, did you hear me the
other day on the phone?

StartSSL has a $50.00 option (well now it is $59) to get multiple
domains both wildcard and UCC / SAN / SNI.
The tricky part is you have to know all the alternate domain names to
be used with this certificate in advance and so do some reading and
plan the domain names to be included:
http://langui.sh/2009/02/28/openssl-sanucc-certificate-generation/
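To make the SNI point in Barry's quoted reply concrete, here is an added illustration (not code from either poster or from Apache): it builds a minimal TLS ClientHello with and without the server_name extension, parses the hostname out the way an SNI-aware server does, and shows that a client with no SNI support gets whatever the default vhost's certificate is. The hostnames and certificate labels are constructed placeholders.

```python
import struct

# Minimal TLS 1.0 ClientHello builder/parser (RFC 2246, RFC 6066), constructed here
# to show how an SNI-aware server learns the hostname before choosing a certificate.
def build_client_hello(server_name=None):
    """Return a TLS record holding a ClientHello, with an SNI extension if a name is given."""
    random = b"\x00" * 32                       # fixed bytes, fine for illustration
    cipher_suites = b"\x00\x02" + b"\x00\x2f"   # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body = b"\x03\x01" + random + b"\x00" + cipher_suites + b"\x01\x00"  # empty sid, null compr.
    if server_name is not None:
        name = server_name.encode("idna")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_list)) + sni_list
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name from the SNI extension, or None if the client sent none."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9 + 2 + 32                                   # record + handshake headers, version, random
    p += 1 + record[p]                               # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0] # cipher suites
    p += 1 + record[p]                               # compression methods
    if p >= len(record):
        return None                                  # no extensions block: a pre-SNI client
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0:                            # skip list length (2) and name_type (1)
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("idna")
        p += ext_len
    return None

# Constructed vhost table: hostname -> certificate label; the first entry is the default vhost.
VHOST_CERTS = {"www.example.com": "cert-www", "mail.example.com": "cert-mail"}

def select_cert(record):
    """Choose the cert as a name-based SSL vhost would; clients without SNI get the default."""
    name = extract_sni(record)
    return VHOST_CERTS.get(name, next(iter(VHOST_CERTS.values())))
```

A client that omits SNI, or names a host not in the table, is served the default certificate, which is exactly the name-mismatch warning older browsers see against a multi-site SNI server.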
