[Cherokee] question about several ssl enabled virtual hosts
Alvaro Lopez Ortega
alvaro at gnu.org
Mon Jul 6 19:49:02 CEST 2009
On 06-jul-09, at 17:08, Michiel van Es wrote:
>> However, whenever an old browser (without SNI support) accesses your
>> server (let's say an IE 6) the SSL handshake will be performed using the
>> default certificate. The problem is basically the timing: the first thing
>> an SSL connection does is the handshake between server and client
>> (sending/receiving the certs), and only when the secure connection is
>> stabilised, the browser sends the HTTP request. The main problem is that
>> the server does not know what vserver the client wants to access until
>> it receives that HTTP request.
>>
>>> I mean: would you find it acceptable if you connect to a server but got
>>> the wrong SSL certificate (a certificate of another server)? What is the
>>> use of certificates if the name does not match? And how would you tell
>>> the difference from a man in the middle attack?
>>
>> It is an issue, indeed.
>
> Are you considering implementing the *old* setup? Binding certificates
> to an IP address?
I did. When I wrote the target_ip plug-in I thought that it'd work..
however, I missed a little detail that rendered it useless for this
sort of scenario.
I'd agree on implementing the old method as long as it doesn't mess up
the code. I haven't found a way so far.. so I couldn't tell you for
sure.
Antonio worked on the cryptor-libssl plug-in for a while, and he is
willing to check it out. Let's hope he comes up with some brilliant
solution! :-)
--
Greetings, alo
http://www.alobbs.com/
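The timing problem described in the quoted part of this thread (the server must pick a certificate from the ClientHello alone, before any HTTP request exists) can be seen directly in the bytes a client sends first. The following is an added example and is not Cherokee code or anything from this list: it drives Python's own ssl module over in-memory BIOs to capture a real ClientHello with and without SNI, parses the server_name extension out of it, and models the server's certificate choice. The vhost-to-certificate map and file names are constructed placeholders, and select_certificate is a hypothetical helper that only illustrates the decision, not how any particular server implements it.

```python
"""Capture real TLS ClientHello messages (with and without SNI) using Python's
ssl module and memory BIOs, parse out the server_name extension, and show the
certificate decision a server has to make before any HTTP request arrives.
Added example; runs fully offline."""
import ssl
import struct

EXT_SERVER_NAME = 0x0000  # TLS extension type for SNI (RFC 6066)


def build_client_hello(server_hostname=None):
    """Run an OpenSSL client handshake over memory BIOs just far enough to
    capture what the client writes first: the TLS record(s) carrying its
    ClientHello. With server_hostname=None the client behaves like the
    pre-SNI browsers the thread talks about. No network is used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # needed so server_hostname may be None
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the client now waits for the server
    return outgoing.read()


def _handshake_payload(records):
    """Concatenate the payloads of leading TLS handshake records (type 0x16)."""
    out = bytearray()
    pos = 0
    while pos + 5 <= len(records):
        ctype, _version, length = struct.unpack("!BHH", records[pos:pos + 5])
        if ctype != 0x16:
            break
        out += records[pos + 5:pos + 5 + length]
        pos += 5 + length
    return bytes(out)


def parse_sni(records):
    """Return the host name in the ClientHello's server_name extension, or
    None when the client sent no SNI at all."""
    hs = _handshake_payload(records)
    if len(hs) < 4 or hs[0] != 0x01:  # handshake type 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    pos = 2 + 32                                   # legacy_version + random
    sid_len = body[pos]; pos += 1 + sid_len        # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression methods
    if pos + 2 > len(body):
        return None                                # no extensions block (very old client)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == EXT_SERVER_NAME:
            # ServerNameList: 2-byte list length, then (type, 2-byte len, name) entries
            lpos = 2
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + nlen]
                if ntype == 0:                     # NameType host_name
                    return name.decode("ascii")
                lpos += 3 + nlen
    return None


def select_certificate(sni, vhost_certs, default_cert):
    """Hypothetical model of the server-side decision: the certificate must be
    chosen from the ClientHello alone, because the HTTP request (and its Host
    header) only arrives after the handshake. Without SNI the server can only
    serve the default certificate, whichever vhost the client actually wanted."""
    if sni is None:
        return default_cert
    return vhost_certs.get(sni, default_cert)


if __name__ == "__main__":
    # Constructed vhost map with placeholder certificate file names.
    certs = {"www.example.org": "example.org.pem",
             "shop.example.net": "example.net.pem"}
    for host in ("www.example.org", "shop.example.net", None):
        sni = parse_sni(build_client_hello(host))
        chosen = select_certificate(sni, certs, "default.pem")
        print(f"SNI={sni!r:<20} -> certificate served: {chosen}")
```

Running the script shows the two SNI-capable clients getting their own vhost's certificate while the client that sends no server_name ends up with default.pem, which is exactly the mismatch the thread complains about; a server operator can reuse parse_sni on captured ClientHello records to measure how many real clients still omit SNI before deciding whether IP-bound certificates are worth the effort.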