[pubcookie-users] Pubcookie virtual host support

Nathan Dors dors at cac.washington.edu
Sun Jan 26 12:05:16 PST 2003


On Fri, 24 Jan 2003, Jon Miner wrote:

> You can't have multiple SSL virtual hosts with a single cert/key..

There is probably an explanation for this, somewhere
deeper than we've gone so far.

In terms of mod_ssl configuration, SSLCertificateFile
and SSLCertificateKeyFile define the cert/key used
for SSL connections to each virtual host. Since these
settings are separate from mod_pubcookie's we know
that this isn't the problem.

The problem may be that when mod_pubcookie
initializes itself it loads and stores a single
cert/key for its integrity checks on session
cookies. But it seems like this should still work:
the virtual hosts simply share the same cert/key
for integrity checks. That may not be ideal, but it
doesn't mean it cannot work. So, what else is there?

Well, mod_pubcookie also loads and stores a DES key
based on the current hostname (e.g. for www.foo.edu
it loads /usr/local/pubcookie/keys/www.foo.edu).

Here it would seem possible that one could configure
multiple virtual hosts on an application server
provided that the login server has multiple copies
of the same DES key loaded by mod_pubcookie, one
copy for each virtual host, each copy stored in a
filename based on one of the virtual host names.
The tricky part would be determining which virtual
host loads the DES key, because that's the host
you'd want to use with the keyclient and make copies
from the resulting key.

But maybe there is other logic within mod_pubcookie
that would thwart this pseudo-solution...

-Nathan

PS: Go Raiders!!
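
The key-copy idea described in the message, as an added example that is not part of the original post or of pubcookie: one DES key file is replicated under a filename per virtual host, with owner-only permissions, and an existing key that differs is reported rather than overwritten. The function name `replicate_key` and its arguments are hypothetical; only the `keys/<hostname>` layout comes from the message, which itself leaves open whether mod_pubcookie accepts such copies.

```shell
#!/bin/sh
# Added example, not pubcookie's own tooling.
# replicate_key KEYDIR SOURCE_HOST VHOST...
#   KEYDIR      e.g. /usr/local/pubcookie/keys (path taken from the message)
#   SOURCE_HOST the host name whose key file already exists in KEYDIR
#   VHOST...    virtual host names that should get a copy of that key
# Returns 0 if every vhost ends up with an identical key, 1 if any name was
# rejected or an existing key differs, 2 if the source key is missing.
replicate_key() {
    keydir=$1; src_host=$2; shift 2
    src="$keydir/$src_host"
    [ -f "$src" ] || { echo "missing source key: $src" >&2; return 2; }

    old_umask=$(umask)
    umask 077                      # new files are never group/world readable
    rc=0
    for vhost in "$@"; do
        # Host names become file names: refuse anything that could leave KEYDIR.
        case $vhost in
            ''|*/*|.*) echo "rejected name: $vhost" >&2; rc=1; continue ;;
        esac
        dst="$keydir/$vhost"
        if [ -e "$dst" ]; then
            # Do not overwrite: a differing key may belong to a separate
            # keyclient run and should be investigated by hand.
            cmp -s "$src" "$dst" || { echo "key differs: $dst" >&2; rc=1; }
            continue
        fi
        # Copy to a temporary name first so a partial key is never visible
        # under the final host name.
        tmp="$dst.tmp.$$"
        cp "$src" "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$dst" || rc=1
    done
    umask "$old_umask"
    return $rc
}
```

Every host that shares the key this way also shares its exposure: anyone who can read one copy can read them all, so the key directory should stay readable only by the web server's account.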


