堆栈内存溢出
  简体   繁体   English

“每个SSL证书需要专用IP”究竟是什么意思?

[英]What exactly does “every SSL certificate requires a dedicated IP” mean?

 原文  2013-04-03 09:46:29       http/ ssl/ https/ ssl-certificate

问题描述

I've read a bit about SSL certificates, and in particular I've read that an SSL certificate "requires a dedicated IP address". 我已经阅读了一些关于SSL证书的内容,特别是我读过SSL证书“需要一个专用的IP地址”。 Now, I'm unsure of the meaning of this; 现在,我不确定这个意思; does it mean that the certificate requires a dedicated IP address separate from the IP address used for normal HTTP communication, or just that it can't share the IP address with other SSL certificates? 这是否意味着证书需要与用于正常HTTP通信的IP地址分开的专用IP地址,或者只是它不能与其他SSL证书共享IP地址?

To clarify, I have a VPS with a dedicated IP address. 为了澄清,我有一个带有专用IP地址的VPS。 The VPS is hosting quite a few different sites, including several subdomains of the main site, but only the main site and the subdomains requires SSL. VPS托管了很多不同的站点,包括主站点的几个子域,但只有主站点和子域需要SSL。 Can I simply purchase an SSL certificate for *.example.com using my current IP address, or do I need to get one that is separate from the other sites on the VPS? 我是否可以使用当前的IP地址为* .example.com购买SSL证书,或者我是否需要获得与VPS上其他站点分开的SSL证书? Or even worse, do I need to get one that is separate from all HTTP traffic on the server? 或者更糟糕的是,我是否需要获得与服务器上所有HTTP流量分开的服务? Keep in mind that none of the other sites needs SSL. 请记住,其他任何网站都不需要SSL。

Thanks for any clarification on the topic. 感谢您对该主题的任何澄清。

Edit: Some sources for my worries: 编辑:我担心的一些消息来源:

http://symbiosis.bytemark.co.uk/docs/symbiosis.html#ch-ssl-hosting http://symbiosis.bytemark.co.uk/docs/symbiosis.html#ch-ssl-hosting

Is it necessary to have dedicated IP Address to install SSL certificate? 是否有必要使用专用IP地址来安装SSL证书?

4 个解决方案

解决方案1
 35 已采纳  2013-04-03 10:07:57

  1. There's no such thing as "SSL certificate". 没有“SSL证书”这样的东西。 The term is misleading. 该术语具有误导性。 X.509 certificates can be issued for different purposes (as defined by their Key Usage and Extended Key Usage "properties"), in particular for securing SSL/TLS sessions. X.509证书可以用于不同目的(由其密钥用法和扩展密钥用法“属性”定义),特别是用于保护SSL / TLS会话。

  2. Certificates don't require anything in regards to sockets, addresses and ports as certificates are pure data. 证书对套接字,地址和端口不需要任何内容​​,因为证书是纯数据。

  3. When securing some connection with TLS, you usually use the certificate to authenticate the server (and sometimes the client). 在使用TLS保护某些连接时,通常使用证书来验证服务器(有时是客户端)。 There's one server per IP/Port, so usually there's no problem for the server to choose what certificate to use. 每个IP /端口有一个服务器,因此通常服务器选择使用哪个证书没有问题。

    HTTPS is the exception — several different domain names can refer to one IP and the client (usually a browser) connects to the same server for different domain names. HTTPS是例外 - 几个不同的域名可以引用一个IP,而客户端(通常是浏览器)连接到不同域名的同一服务器。 The domain name is passed to the server in the request, which goes after TLS handshake. 域名在请求中传递给服务器, TLS握手之后。

    Here's where the problem arises - the web server doesn't know which certificate to present. 这就是出现问题的地方 - Web服务器不知道要出示哪个证书。 To address this a new extension has been added to TLS, named SNI (Server Name Indication). 为了解决这个问题,在TLS中添加了一个新的扩展名,名为SNI(服务器名称指示)。 However, not all clients support it. 但是,并非所有客户都支持它。 So in general it's a good idea to have a dedicated server per IP/Port per domain. 因此,一般来说,每个域的每个IP /端口都有一个专用服务器是个好主意。 In other words, each domain, to which the client can connect using HTTPS, should have its own IP address (or different port, but that's not usual). 换句话说,客户端可以使用HTTPS连接的每个域应该有自己的IP地址(或不同的端口,但这不常见)。

解决方案2
 5  2013-04-03 09:52:15

SSL certificates do not require a dedicated IP address. SSL证书不需要专用IP地址。 SSL certificates store a so called common name . SSL证书存储所谓的通用名称 Browser interpret this common name as the DNS name of the server they are talking to. 浏览器将此通用名称解释为与其通信的服务器的DNS名称。 If the common name does not match DNS name of the server that the browser is talking to, the browser will issue a warning. 如果公用名与浏览器正在与之通信的服务器的DNS名称不匹配,则浏览器将发出警告。

You can get a so called wildcard certificate , that would be admissible for all hosts within a certain domain. 您可以获得所谓的通配符证书 ,该证书可以被特定域内的所有主机使用。

解决方案3
 3  2015-12-08 02:26:44

...following up on @Eugene's answer with more info about the compatibility issue... ...跟进@ Eugene的回答,了解有关兼容性问题的更多信息......

According to this page from namecheap.com SNI does not work on: 根据namecheap.com的这个页面, SNI不适用于:

  • Windows XP + any version Internet Explorer (6,7,8,9) Windows XP +任何版本的Internet Explorer(6,7,8,9)
  • Internet Explorer 6 or earlier Internet Explorer 6或更早版本
  • Safari on Windows XP Windows XP上的Safari
  • BlackBerry Browser 黑莓浏览器
  • Windows Mobile up to 6.5 Windows Mobile最高6.5
  • Nokia Browser for Symbian at least on Series60 适用于Symbian的诺基亚浏览器至少在Series60上
  • Opera Mobile for Symbian at least on Series60 适用于Symbian的Opera Mobile至少在Series60上

Web site will still be available via HTTPS, but a certificate mismatch error will appear. 网站仍将通过HTTPS提供,但会出现证书不匹配错误。

Thus, as we enter 2016 I would venture to stick my neck out there and say, "If you're building a modern website anyway (not supporting old browsers), and if the project is so small that it cannot afford a dedicated IP address, you'll probably be fine relying on SNI." 因此,当我们进入2016年时,我会冒昧地伸出脖子说:“如果你正在构建一个现代化的网站 (不支持旧的浏览器),如果项目太小而无法提供专用的IP地址,你可能会很好地依赖SNI。“ Of course, there are thousands of experts who would disagree with this, but we're talking about being practical , not perfect. 当然,有成千上万的专家不同意这一点,但我们谈论的是实用 ,而不是完美。

解决方案4
 0  2013-04-03 09:50:22

The ssl certificate commmon name has to match the domain name. ssl证书commmon名称必须与域名匹配。 You don't have any requisite over the ip address, unless it's a limitation imposed by the certificate provider or the http server software. 您对IP地址没有任何必要条件,除非它是由证书提供商或http服务器软件强加的限制。

Edit : looking into the web, it seems that the rumor has been spread because Apache's ssl plugin doesn't have (at least it didn't have in 2002) any mechanism to use different certificate based on the hostname. 编辑 :看看网络,似乎传闻已经传播,因为Apache的ssl插件没有(至少它没有在2002年)任何机制使用基于主机名的不同证书。 In such scenario you would have to run two different Apache web servers on the two different IP addresses. 在这种情况下,您必须在两个不同的IP地址上运行两个不同的Apache Web服务器。

Anyway in your configuration you shouldn't have any problem using only one IP because you don't have to use two different certificates (because you plan to use a wildcard certificate). 无论如何,在您的配置中,只使用一个IP就不会有任何问题,因为您不必使用两个不同的证书(因为您打算使用通配符证书)。

I would try anyway configuring the webserver with a self signed certificate before spending money for a second ip or certificate. 我会尝试使用自签名证书配置网络服务器,然后花钱购买第二个IP或证书。

Edit 2 : reference apache documentation: 编辑2 :参考apache文档:

http://httpd.apache.org/docs/2.2/vhosts/name-based.html http://httpd.apache.org/docs/2.2/vhosts/name-based.html

It seems like now (apache >= 2.2.12) it is supported 它似乎现在(apache> = 2.2.12)得到支持

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 “持久连接”到底意味着什么? - What exactly does a “persistent connection” mean? HTTP/1.1 302 到底是什么意思? - What does HTTP/1.1 302 mean exactly? REST究竟是什么意思?它是什么,为什么它现在变大了? - What exactly does REST mean? What is it, and why is it getting big now? HTTP或jquery $ .ajax超时到底意味着什么? - What exactly does a HTTP or jquery $.ajax timeout mean? 我可以获得 IP 地址的 SSL 证书吗? - Can I get an SSL certificate for an IP address? 浏览器如何请求 SSL 证书? - How does a browser request a SSL certificate? 这个回应是什么意思? - What does this response mean? 如何理解`当你直接连接到443端口(https://IP:443)上的IP时,SSL证书被暴露了`? - How to understand `when you connect directly to the IP on port 443 (https://IP:443), the SSL certificate is exposed.`? ^符号在URL中的含义是什么? - What does a ^ sign mean in a URL? 这个重写规则是什么意思? - What does this Rewrite rule mean?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM