cacert-sysadm - Re: [Cacert-sysadm] Improvement Required of SNI, Control Panel in Shared Hosting Env Also
  • From: "Sam Johnston" <samj AT samj.net>
  • To: emdy AT atikotek.com
  • Cc: cacert-sysadm AT lists.cacert.org
  • Subject: Re: [Cacert-sysadm] Improvement Required of SNI, Control Panel in Shared Hosting Env Also
  • Date: Wed, 18 Jun 2008 03:05:07 +0200
  • List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
  • List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>

On Wed, Jun 18, 2008 at 2:11 AM, Emdy <emdy AT atikotek.com> wrote:
> Hi all,
> During the implementation process of these free SSL certificates, I found
> out that my hosting service provider can only implement SSL against a
> dedicated IP address, not for a virtual host (like mine) which uses one
> common shared IP for all hosts on one hosting server. That IP I would have
> to purchase for US$2.50/month, which is close to my monthly hosting fee,
> which is a lot. So free SSL cannot be implemented for free.

SNI should eventually fix this, but in the meantime it's not our fault.

> The CAcert root certificate needs to be included in Firefox, so that the
> server cert doesn't cause a warning in browser software, and along with
> that, support for SNI (Server Name Indication) (it's a TLS extension,
> mod_gnutls) needs to be improved as well, which allows a hosting server
> with one IP to be shared/used for binding different SSL certificates to
> each of its virtual hosts, without a dedicated/individual IP for each
> virtual host.

Ok, as I was saying above... and we're working on browser inclusion but there are things that need to be sorted first.

> When more and more people and companies start to get these free SSL
> certificates and, obviously, want to use them in their existing hosting
> packages, many will face the problem of needing a dedicated IP and the
> cost and resources related to it. The cheaper and smarter alternative
> solution is to implement the SNI module effectively.

Actually it's not just the module... the user agents need to deal with it too, and you've got a /lot/ less control over them.

> Unless this new technology is perfected further, the implementation of
> free SSL will not really be free, at least not in a shared hosting
> environment, which is THE major environment that most businesses use.
> More and more Linux distributions should have complete support for this
> or include this package (mod_gnutls). Another related thing is the
> control panel software which allows one to query and configure various
> settings for the virtual hosts in a shared environment. If it cannot
> understand the relationship between each virtual host name and the SSL
> files it is using, then implementation of free SSL will be very hard.
> Besides, having the feature of using only one IP for all virtual hosts,
> each with their own SSL, in a hosting environment is good for both the
> service provider and the service receiver. And even those who are not
> using a hosting service/environment can use only one public IP address
> for multiple web sites, each with their own SSL certificates, without
> having multiple servers or multiple IP addresses.

Ok, but what did you want/expect us to (be able to) do about it?

> If you know of such an implementation or open-source utilities, then
> share/discuss them with us, thanks.

Again, browser support is the limiting factor here more so than on the server side... if I understand well our certificates will work with SNI out-of-the-box.

Sam

> Don't forget to add this email cacert-sysadm AT lists.cacert.org
> <mailto:cacert-sysadm AT lists.cacert.org> in your reply.
> Best regards,
> ~ Emdy.
> A few helpful links:
> SSL-enabled name-based Apache virtual hosts with mod_gnutls:
> http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
> How to use SNI: http://fedoranews.org/cms/node/2875
> How to enable multiple HTTPS sites with one IP on Debian Etch using TLS
> extensions:
> http://howtoforge.com/enable-multiple-https-sites-on-one-ip-using-tls-extensions-on-debian-etch
> Paul found a way to use mod_gnutls for implementing TLS SNI:
> http://journal.paul.querna.org/articles/2005/04/24/tls-server-name-indication/?postid=70
> TLS upgrade: http://corelands.com/blog/?postid=51
> mod_ssl: http://httpd.apache.org/docs/2.1/mod/mod_ssl.html#sslengine
> mod_gnutls: http://www.outoforder.cc/projects/apache/mod_gnutls/
> SNI (Server Name Indication): RFC 3546 section 3.1:
> http://www.ietf.org/rfc/rfc3546.txt
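The thread above turns on two facts: the server_name extension from RFC 3546 section 3.1 lets a server on one IP pick a certificate per virtual host, and a user agent that does not send it can only ever receive the default host's certificate. The following is an added illustration for this archive page, not code from CAcert, mod_gnutls or any of the how-tos Emdy links; it builds a minimal ClientHello with and without the extension, parses the extension back out with bounds checks, and performs the certificate selection a name-based SSL vhost setup has to do. The host names and certificate file labels are made up.

```python
"""Build and parse TLS ClientHello messages carrying the server_name (SNI)
extension of RFC 3546 section 3.1, then select a per-virtual-host
certificate the way a server on a single shared IP must.

Added illustration, not CAcert or mod_gnutls code. Host names and
certificate labels below are constructed for the example.
"""
import struct

EXT_SERVER_NAME = 0x0000      # ExtensionType server_name(0)
NAME_TYPE_HOST_NAME = 0x00    # NameType host_name(0)
HANDSHAKE_CLIENT_HELLO = 0x01
RECORD_HANDSHAKE = 0x16


class _Cursor:
    """Bounds-checked reader: a truncated message or a lying length field
    raises ValueError instead of silently yielding empty slices."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated TLS message")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def u24(self):
        return int.from_bytes(self.take(3), "big")

    def done(self):
        return self.pos == len(self.buf)


def build_client_hello(server_name=None, client_random=b"\x11" * 32):
    """Minimal TLS 1.0 ClientHello wrapped in a handshake record.

    With server_name set, an extensions block carries one server_name
    extension (a ServerNameList with a single host_name entry). With None,
    the legacy form without any extensions block is emitted, which is what
    a user agent with no SNI support sends."""
    body = b"\x03\x01" + client_random                 # client_version, random
    body += b"\x00"                                    # session_id: empty
    body += struct.pack("!H", 2) + b"\x00\x2f"         # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext      # Extension extensions<0..2^16-1>
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension,
    or None when the client sent no such extension. Raises ValueError on
    malformed input."""
    rec = _Cursor(record)
    if rec.u8() != RECORD_HANDSHAKE:
        raise ValueError("not a handshake record")
    rec.take(2)                                        # record-layer version
    hs = _Cursor(rec.take(rec.u16()))
    if hs.u8() != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = _Cursor(hs.take(hs.u24()))
    body.take(2 + 32)                                  # client_version, random
    body.take(body.u8())                               # session_id
    body.take(body.u16())                              # cipher_suites
    body.take(body.u8())                               # compression_methods
    if body.done():
        return None                                    # pre-extension client: no SNI possible
    exts = _Cursor(body.take(body.u16()))
    while not exts.done():
        ext_type, ext_len = exts.u16(), exts.u16()
        data = _Cursor(exts.take(ext_len))
        if ext_type != EXT_SERVER_NAME:
            continue
        names = _Cursor(data.take(data.u16()))         # ServerNameList
        while not names.done():
            name_type, name = names.u8(), names.take(names.u16())
            if name_type == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
    return None


def choose_certificate(record, vhost_certs, default_vhost):
    """Server-side selection on a shared IP: map the SNI host_name to that
    virtual host's certificate. A client without SNI, or one naming an
    unknown host, gets the default host's certificate, so the browser will
    see a name mismatch for any other site on the IP."""
    name = extract_sni(record)
    if name in vhost_certs:
        return name, vhost_certs[name]
    return default_vhost, vhost_certs[default_vhost]


if __name__ == "__main__":
    certs = {"default.example.net": "cert-default.pem",   # constructed labels
             "shop.example.org": "cert-shop.pem"}
    for sni in ("shop.example.org", None):
        print(sni, "->", choose_certificate(build_client_hello(sni), certs, "default.example.net"))
```

Running the block prints the selection for an SNI-capable client and for a legacy one; the second case is the shared-hosting failure mode Sam refers to, and no server-side module can fix it because the client never said which host it wanted.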


_______________________________________________
CAcert-sysadm mailing list
CAcert-sysadm AT lists.cacert.org
https://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-sysadm