From: wde <wd...@fr...> - 2009-09-29 21:27:30
I can't estimate the support of this extension by the browsers, but it seems to work for FX 2.0 and IE 6.0.

I got this extension in the google.com certificate:

X509v3 Subject Alternative Name:
DNS:google.com, DNS:*.google.com

In fact, in a case where I have only one server and one IP, and I would like to serve https://www.mydomain.com and https://mydomain.com, I tried this "trick" :+)

======= on 29/09/2009, 22:20:27 you wrote: =======

>wde wrote:
>
>>
>> For the certificate generation, I used the extension subjectAltName (in which I set all virtual hosts).
>>
>
>So this is the problem - the certificate must be sent on the socket before
>we get the Host header.
>I honestly don't see any real use of this feature since I don't believe
>browsers support this - at least they didn't - has this changed ?
>
>/klacke
>

= = = = = = = = = ========= = = = = = = = = = =

wde
wd...@fr...
29/09/2009
From: wde <wd...@fr...> - 2009-09-30 06:39:15
I found this article :

http://wiki.cacert.org/VhostTaskForce#Interoperability_Test

======= on 29/09/2009, 22:20:27 you wrote: =======

>wde wrote:
>
>>
>> For the certificate generation, I used the extension subjectAltName (in which I set all virtual hosts).
>>
>
>So this is the problem - the certificate must be sent on the socket before
>we get the Host header.
>I honestly don't see any real use of this feature since I don't believe
>browsers support this - at least they didn't - has this changed ?
>
>/klacke
>

= = = = = = = = = ========= = = = = = = = = = =

wde
wd...@fr...
30/09/2009
From: Torbjorn T. <to...@to...> - 2009-09-30 07:17:16
wde wrote:
> I found this article :
>
> http://wiki.cacert.org/VhostTaskForce#Interoperability_Test

This looks great!

--Tobbe

>
>
>
> ======= on 29/09/2009, 22:20:27 you wrote: =======
>
>> wde wrote:
>>
>>> For the certificate generation, I used the extension subjectAltName (in which I set all virtual hosts).
>>>
>> So this is the problem - the certificate must be sent on the socket before
>> we get the Host header.
>> I honestly don't see any real use of this feature since I don't believe
>> browsers support this - at least they didn't - has this changed ?
>>
>> /klacke
>>
>
> = = = = = = = = = ========= = = = = = = = = = =
>
> wde
> wd...@fr...
> 30/09/2009
From: Claes W. <kl...@ta...> - 2009-09-30 14:03:27
wde wrote:
> I found this article :
>
> http://wiki.cacert.org/VhostTaskForce#Interoperability_Test
>

Ok - interesting. It appears I was wrong, good.
So it's the last column in the table that works on
all browsers. CN + SubjAltName

How do you generate the cert you use?

Does anyone know if CAs will accept CSRs with
these attributes set? If they don't all this is also moot.

/klacke
From: wde <wd...@fr...> - 2009-09-30 15:24:03
Attachments:
openssl.cnf
In my openssl.cnf file I have the following sections for the subject alternative names

[sslserver]
...
subjectAltName = @aliases

[aliases]
DNS.1 = bla.com
DNS.2 = super.bla.com

To generate keys :

openssl req -new -config ./openssl.cnf -newkey rsa:1024 -nodes -keyout yaws.ppk -out yaws.csr

To sign the CSR with the extensions :

openssl ca -config ./openssl.cnf -extensions sslserver -in yaws.csr -out yaws-cert.pem

======= on 30/09/2009, 16:03:11 you wrote: =======

>wde wrote:
>> I found this article :
>>
>> http://wiki.cacert.org/VhostTaskForce#Interoperability_Test
>>
>
>Ok - interesting. It appears I was wrong, good.
>So it's the last column in the table that works on
>all browsers. CN + SubjAltName
>
>How do you generated the cert you use?
>
>Does anyone know if CAs will accept CSRs with
>these attributes set? If they don't all this is also moot.
>
>
>
>
>/klacke
>

= = = = = = = = = ========= = = = = = = = = = =

wde
wd...@fr...
30/09/2009
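
Added example, not part of the original thread or of the yaws code: because one certificate is sent before the Host header is known, every virtual host has to be matched by some entry in the `[aliases]` section. The sketch below reads the DNS.n entries from a constructed config fragment and lists the virtual hosts no entry covers; the function names are hypothetical, and the wildcard rule (a `*` stands for exactly one left-most label) is the usual client behaviour per RFC 6125, assumed here.

```python
import re

# Constructed openssl.cnf fragment in the shape of the sections quoted above.
SAMPLE_CNF = """
[sslserver]
subjectAltName = @aliases

[aliases]
DNS.1 = mydomain.com
DNS.2 = *.mydomain.com
"""

def san_dns_names(cnf_text, section="aliases"):
    """Return the DNS.n values listed in one section of an openssl.cnf text."""
    names, current = [], None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if re.fullmatch(r"DNS\.\d+", key):
                names.append(value.lower())
    return names

def matches(pattern, host):
    """Match a host against one dNSName; '*' is only a whole left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False             # a wildcard covers exactly one label
    if p[0] == "*":
        # Conservative assumption: refuse wildcards directly under a TLD.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered(vhosts, san_names):
    """Virtual hosts that no SAN entry matches (clients would see a name mismatch)."""
    return [v for v in vhosts if not any(matches(s, v) for s in san_names)]

if __name__ == "__main__":
    sans = san_dns_names(SAMPLE_CNF)
    print(uncovered(["mydomain.com", "www.mydomain.com", "a.b.mydomain.com"], sans))
```

The same rule explains the google.com certificate quoted earlier in the thread: `*.google.com` does not match the bare `google.com`, so both entries are listed.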
From: Claes W. <kl...@ta...> - 2009-10-03 20:40:49
wde wrote:
> In my openssl.cnf file I have the following sections for the subject alternative names

Ok - I'm happy - all this looks good and I'd be happy to include this -
how do you want to proceed .. maybe we should take this off list?

/klacke