Domain Technologie Control Forum Take the control of your domain name
gplhost Site Admin

Joined: 16 Feb 2005 Posts: 3702 Location: Tampa, Florida and Singapore, Malaysia
Posted: Mon Oct 06, 2008 4:55 am Post subject: When accessing https, I always get to the same site, why?
This is because one certificate can be set for only one IP address. In other words (unless you want to share one certificate for multiple websites, which WILL produce errors as well anyway):
- 1 IP = 1 https site
- 1 https site = 1 IP
So if you are using https://dtc.example.com/, then ANY other site with the same IP address as dtc.example.com WILL go to what's configured for dtc.example.com. This is NOT a bug in DTC, this is a FLAW in the way https is designed.
Here is why (note: this is a simplified version so everybody understands):
When your web server receives an https request, everything is encrypted, including the part of the request that is telling what site the user wants to browse. To know how to decrypt the request, your web server needs to know what SSL key to use. And to know what SSL key to use, it needs to know what website we are talking about. And to know what website to use, you need to know what key to use. This goes in an unsolvable loop... So the only way is to use the same SSL key always, for a given IP address, and a given key is designed to work for ONLY one website.
The way to solve this is to make it so your browser would send IN CLEAR, and BEFORE SSL encryption starts, what website it wants to talk to. Unfortunately, this new protocol is not ready in some browsers, and not at all ready in Debian.
So, in short, it is perfectly normal that when you browse https://any-website-with-same-ip/ that it goes to https://the-only-site-that-should-reply-with-ssl/, as this is the way the protocol works. And this also includes https://dtc.example.com where the DTC panel is running.
_________________
GPLHost:>_ Opensource hosting worldwide
Xen hosting with DTC pre-setup
Helping is not easy when request is not precise: please paste logs, don't use "it said" or similar impersonal subjects, and try to be verbose and exhaustive on your problem description.
whitlebitle
Joined: 29 Feb 2008 Posts: 99
Posted: Mon Oct 06, 2008 9:14 pm Post subject:
So, we can offer SSL with these steps:
Import new IPs in Debian first, then import those IPs in DTC and then offer that to the customer?
gplhost Site Admin

Joined: 16 Feb 2005 Posts: 3702 Location: Tampa, Florida and Singapore, Malaysia
Posted: Tue Oct 07, 2008 2:52 am Post subject:
That's already how it works if you go in "ssl IPs" in "general config", yes.
Thomas
malabarbigou
Joined: 01 Jun 2008 Posts: 206
Posted: Tue Oct 07, 2008 12:24 pm Post subject:
Yes, but Apache grouses about your vhosts.conf: "[warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!"
gplhost Site Admin

Joined: 16 Feb 2005 Posts: 3702 Location: Tampa, Florida and Singapore, Malaysia
Posted: Tue Oct 07, 2008 12:28 pm Post subject:
Did you enter a site name instead of an IP address??? Seems so...
Thomas