
The problem of configuring multiple certificates for HTTPS (repost)

Technical | admin | 1516 views

http://hi.baidu.com/aullik5/blog/item/2b824411215516f6c3ce7938.html

Today a colleague asked me in the elevator whether there is a way to configure several HTTPS certificates on a single server. I didn't think it through and said it must be possible, since certificates are issued per domain.

Later the colleague came back and said it doesn't work. I looked it up and asked some colleagues who know certificates well, and it really doesn't work; I had made the mistake of trusting past experience instead of checking.

See the official Apache documentation:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2
Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.

It comes as rather a shock to learn that it is impossible.

The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.

You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then have a single SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

  NameVirtualHost 192.168.1.1:80

Other workaround solutions include:

  1. Using separate IP addresses for different SSL hosts.
  2. Using different port numbers for different SSL hosts.
From this description it follows that an Apache vhost cannot obtain the domain name from an HTTPS request: at the point where the SSL handshake happens the request carries no domain, only the destination IP address and port, so Apache can only choose which certificate to present based on IP and port.

What if you really want to configure multiple certificates on one server?

  1. Configure multiple IP addresses
  2. Use different ports

Both methods are fairly crude, but given the limitations of the current protocol that is simply how it is; even some professional SSL accelerator vendors have not solved this problem.

Ugh~~
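The two workarounds written out as an Apache mod_ssl configuration, added here as an example (not from the original post or the Apache FAQ); the IP addresses, hostnames and certificate paths are placeholders.

```apache
# Added example: two SSL hosts on separate IP addresses (workaround 1)
# and a third on a different port (workaround 2). Plain HTTP sites stay
# name-based on port 80, so NameVirtualHost names the non-SSL port only,
# exactly as the FAQ requires.
NameVirtualHost 192.168.1.1:80

<VirtualHost 192.168.1.1:80>
    ServerName   www.example.com
    DocumentRoot /var/www/example-com
</VirtualHost>

<VirtualHost 192.168.1.1:80>
    ServerName   www.example.net
    DocumentRoot /var/www/example-net
</VirtualHost>

# Workaround 1: one IP address per SSL host. Apache picks the certificate
# by the IP:port the connection arrived on, so each host needs its own.
Listen 192.168.1.1:443
<VirtualHost 192.168.1.1:443>
    ServerName            www.example.com
    DocumentRoot          /var/www/example-com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/example-com.crt
    SSLCertificateKeyFile /etc/ssl/private/example-com.key
</VirtualHost>

Listen 192.168.1.2:443
<VirtualHost 192.168.1.2:443>
    ServerName            www.example.net
    DocumentRoot          /var/www/example-net
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/example-net.crt
    SSLCertificateKeyFile /etc/ssl/private/example-net.key
</VirtualHost>

# Workaround 2: same IP address, different port. Clients must then use
# https://www.example.org:8443/ explicitly.
Listen 192.168.1.1:8443
<VirtualHost 192.168.1.1:8443>
    ServerName            www.example.org
    DocumentRoot          /var/www/example-org
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/example-org.crt
    SSLCertificateKeyFile /etc/ssl/private/example-org.key
</VirtualHost>
```

A second SSL vhost on an IP:port already in use would be ignored in favour of the first one matching that IP and port, which is the failure the FAQ describes.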

Please credit when reposting: Kermit's website » The problem of configuring multiple certificates for HTTPS (repost)