Just wondering about multiple website SSL certificates

golowenow

I run X2 with 2 completely different websites. In other words two separate domains. Am wondering if the new version of Abyss will support multiple SSL certificates and be able to assign the appropriate certificate for the requested website? If this is not so then perhaps that would be a suggestion for the new version.

Moxxnixx

Hi golowenow,
Yes, you will be able to use multiple certificates for different domains with X2.
This feature is in the beta now.

golowenow

Thank you very kindly for the quick response! Abyss rocks!

aprelium-beta

golowenow wrote
I run X2 with 2 completely different websites. In other words two separate domains. Am wondering if the new version of Abyss will support multiple SSL certificates and be able to assign the appropriate certificate for the requested website? If this is not so then perhaps that would be a suggestion for the new version.

Unfortunately the answer is not a full "yes". It depends. Actually, there is a limitation in the SSL protocol itself to have only a single certificate on a given port/IP address.
So the solutions to have two SSL websites on the same computer are the following:
* Both hosts will not share the same port/IP. In other words, you can have each of them use its own port or have both of them using the same port but configure "Bind to IP" to a different IP address (assuming you have two network cards or two different routers).
* You can purchase a single certificate with two different domain names in it (some certification authorities support that feature and can generate such certificates).
* If both domain names differ slightly (for example mail.mysite.com and www.mysite.com), you can get a single certificate for *.mysite.com and use it for both of them.
Please find below the explanation of this SSL limitation which affects all web servers on the market:
* When you type https://www.mysite.com/path/to/page.html in your browser, it will contact the IP corresponding of www.mysite.com on port 443 (the default HTTPS port).
* As soon as the connection is accepted, the SSL negciation starts: the browser will send a list of encryption systems it handles to the server, and the server will choose one of them for subsequent communications.
* Next, the server will send the SSL certificate to the browser.
* The browser will decode the certificate, validate it (by verifying some checksums)
* If everything is fine, the real HTTP dialog can start.
* The browser will send the following request (using the the public key contained in the SSL certificate already exchanged):

GET /path/to/page.html HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla 5/0

Note that it's only at that stage that the Host header has been sent by the browser. It's already late for the server to change the SSL certificate.
That's why it is primordial that the SSL certificate on the port 443 in that case matches with www.mysite.com . Otherwise, the browser will report that the name of domain in the certificate received by the server is not the same as the one you have tried accessing.
Hopefully, things are changing and a new version of SSL (not yet standardized) will overcome that limitation. But it is not yet supported by most browsers. So we have to wait for a few years until more browsers with that feature will become widely available.

Moxxnixx

I'm only using 1 certificate, so I wasn't aware of these limitations.
Thanks for clarifying.

JOhnMag4u

When you say use 2 IP addresses, do you mean 2 different local address or two different external address?

aprelium-beta

JOhnMag4u wrote
When you say use 2 IP addresses, do you mean 2 different local address or two different external address?

If your server is to be accessed from people outside your LAN, then you need 2 different external addresses.
If your server is to be used locally only, 2 local IP addresses are required (this is usually easy to have as you'll only have to configure your network card to have 2 IPs).

rrinc

Oh, so we can have several domains with hosts on the same IP and use separate certificates for each?

aprelium-beta

rrinc wrote
Oh, so we can have several domains with hosts on the same IP and use separate certificates for each?

You cannot have several different certificates for the same IP and the same port. That's the main problem with SSL and that's what we've tried to explain in our post above.

JOhnMag4u

How difficult is to host a secure site on a non-standard port? Can you suggest any articles or reading? Does X2 help with the process?

aprelium-beta

JOhnMag4u wrote
How difficult is to host a secure site on a non-standard port? Can you suggest any articles or reading? Does X2 help with the process?

There is no difficulty. If the non standard port is for example 4430, the URL will look like https://mysite:4430 instead of https://mysite (if you were using the default HTTPS port 443).
On the network side, you'll have to configure your router to forward that port to the computer where Abyss Web Server is running (just as you did for port 80 if you configured the server to serve HTTP sites).

rrinc

aprelium-beta wrote

rrinc wrote
Oh, so we can have several domains with hosts on the same IP and use separate certificates for each?

You cannot have several different certificates for the same IP and the same port. That's the main problem with SSL and that's what we've tried to explain in our post above.

So, I can't have 2 domains pointing to the same IP, each with its own host and ssl certificate? The two domains and hosts would be separate. Would the problem only arise if the user visited both domains?

TRUSTAbyss

Hello rrinc,
With SSL, the certificate must be assigned to a Host on a given port. This means that only one Host can use the default port 443 for SSL. All other Hosts will need to use a different port. The only workaround for running your hosts on the same default SSL port, is to give each Host their own IP Address. This is a limitation of OpenSSL, and not Abyss Web Server.
Kind regards, Josh

rrinc

Could this change in the future?

TRUSTAbyss

Yes! They already have a workaround but most browsers don't even support it yet. Aprelium is considering on adding it in the future when it's more widely supported.
Note: When I say workaround, I mean that OpenSSL has that workaround.

golowenow

Do you have a link on information about this workaround?

TRUSTAbyss

No, but Aprelium could probably point you to the right website. Sorry, but I'm not sure what to search for, I just heard about it from Aprelium.

aprelium-beta

golowenow wrote
Do you have a link on information about this workaround?

There is no workaround. If a server is going to have virtual SSL certificates support, this support must be hard wired inside it.
A server with that feature will not be able to work correctly with a browser that does not support it. So as explained above, we're not going to add it unless current browsers start supporting it at a wide scale.
Once again, this limitation is set by the SSL protocol and all web servers are affected by it. Please refer to http://en.wikipedia.org/wiki/Virtual_hosting for more information. For the advanced technical description of that feature, please refer to "Server Name Indication" section in http://tools.ietf.org/html/rfc4366#page-9 (this document describes the low level TLS protocol and assumes SSL/TLS internal knowledge).

Ian McPherson

Hi,
Multi-domain SSL certificates could overcome these limitations, yes? GoDaddy offer certificates that can cover up to 100 domains, although I can't admit to being anything like that organised, as yet... :)
https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8979
Ian

aprelium

Ian McPherson wrote
Multi-domain SSL certificates could overcome these limitations, yes?
Ian

Yes it can. Actually, a multi-domain certificate is a single certificate which is valid for more than one host name. Being a single certificate, it does not cause any problems (as those explained above).