cacert-sysadm - [Cacert-sysadm] Improvement Required of SNI, Control Panel in Shared Hosting Env Also

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Emdy <emdy AT atikotek.com>
  • To: cacert-sysadm AT lists.cacert.org
  • Subject: [Cacert-sysadm] Improvement Required of SNI, Control Panel in Shared Hosting Env Also
  • Date: Tue, 17 Jun 2008 17:11:59 -0700
  • Domainkey-status: no signature
  • List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
  • List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>

Hi all,
During the implementation process of these free SSL, I found out that my hosting service provider company can only implement SSL against a dedicated IP address, not for a virtual host (like mine) which uses 1 common shared IP for all hosts on 1 hosting server. I will have to purchase that IP for US$2.5/month, which is close to my monthly hosting fees and is a lot. So free SSL cannot be implemented for free.
The CAcert root certificate needs to be included in Firefox, so that the server cert doesn't cause a warning in browser software. Along with that, the support for SNI (Server Name Indication; it's a TLS extension, mod_gnutls) needs to be improved as well. It allows a hosting server with 1 IP to be shared/used for binding different SSL certificates to each of its virtual hosts, without a dedicated/individual IP for each virtual host.
When more and more people and companies start to get these free SSLs, they will obviously want to use them in their existing hosting package, and then many will face the problem of having a dedicated IP and the cost and resources related to it. The cheaper, smarter, alternative solution is to implement the SNI mod utility effectively. Unless this new technology is perfected more, the implementation of free SSL will not really be free, at least not in a shared hosting environment, which is THE major environment that most businesses use. More and more Linux distributions should have complete support for this or include this package (mod_gnutls). Another related thing is the Control Panel software, which allows one to query and configure various settings in a shared environment for its virtual hosts. If it cannot understand the relationship between each virtual host name and the SSL files it's using, then implementation of free SSL will be very hard.
Besides, having a feature of using only 1 IP for all virtual hosts, each with their own SSL, in a hosting environment is good for the service provider and the service receiver. And even those who are not using a hosting service/environment can use only 1 public IP address for multiple web sites, each with their own SSL certificate, without having multiple servers or multiple IP addresses.
If you know of such implementations or open-source utilities, then share/discuss with us, thanks.
Don't forget to add this email, cacert-sysadm AT lists.cacert.org, in your reply.
Best regards,
~ Emdy.
A few helpful links:
SSL-enabled Name-based Apache Virtual Hosts with mod_gnutls: http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
How to use SNI: http://fedoranews.org/cms/node/2875
How To Enable Multiple HTTPS Sites With 1 IP On Debian Etch Using TLS Extn: http://howtoforge.com/enable-multiple-https-sites-on-one-ip-using-tls-extensions-on-debian-etch
Paul found a way to use mod_gnutls for implementing TLS SNI: http://journal.paul.querna.org/articles/2005/04/24/tls-server-name-indication/?postid=70
TLS upgrade: http://corelands.com/blog/?postid=51
mod_ssl: http://httpd.apache.org/docs/2.1/mod/mod_ssl.html#sslengine
mod_gnutls: http://www.outoforder.cc/projects/apache/mod_gnutls/
SNI (Server Name Indication), RFC-3546 section 3.1: http://www.ietf.org/rfc/rfc3546.txt





