Multiple SSL on one IP
Upload: globalsign
Category: Technology
Hosting multiple SSL Certificates on one IP address
More demand and requirements for SSL
• Google
  • HTTPS by default on all Google services
  • HTTPS Everywhere initiative
  Latest:
  • HTTPS used as a ranking signal
  • SSL users rewarded
  • Weight in algorithm set to increase
• PCI compliance
• Facebook
We are running out of IPv4 addresses
How much time is left?
Can we use IPv6?
• As long as you select a CA who provides revocation checks (CRL, OCSP) over IPv6.
• But it won’t solve your IPv4 problem!
Why do I need a dedicated IP address for SSL?
Request on a non-secure connection
Client
• HTTP Request: Can you please send me /contact.html on www.globalsign.com
Server
• HTTP Reply: Here is the content you requested.
Request on a secure connection
Client
• (TLS Handshake) Hello, I support XYZ Encryption.
Server
• (TLS Handshake) Hi there, here is my public certificate, let’s use this encryption algorithm.
Client
• (TLS Handshake) Sounds good to me.
Client
• (Encrypted) HTTP Request: Can you please send me /contact.html on www.globalsign.com
Server
• (Encrypted) HTTP Reply: Here is the content you requested.
The solution: Server Name Indication
Server Name Indication (SNI)
Client
• (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to 'www.globalsign.com'.
Server
• (TLS Handshake) Hi there, here is my public certificate for www.globalsign.com, and let's use this encryption algorithm.
Client
• (TLS Handshake) Sounds good to me.
Client
• (Encrypted) HTTP Request: Can you please send me /contact.html on www.globalsign.com
Server
• (Encrypted) HTTP Reply: Here is the content you requested.
Applications with no SNI Support
• All versions of Internet Explorer on Windows XP
• Android 2.x default browser (other browsers like Opera do support SNI on Android)
• BlackBerry Browser
• Windows Mobile up to 6.5
Should I use/offer SNI for SSL sites?
• Provide SNI support for free with an SSL Certificate: this will allow each of your customers to have their own individual certificates (with support for higher validation levels, including Extended Validation SSL)
• Combine SNI with a fallback multi-domain certificate (CloudSSL) for users without SNI compatibility
CloudSSL: One certificate, multiple domains
• One SSL Certificate for multiple domain names from different organisations.
• The certificate contains the hosting company’s details.
• Domain control is verified for each domain.
SNI combined with CloudSSL
With SNI support
Windows XP (has no SNI support)
Two SSL Certificates for one site!
• No additional costs
• Sites can use all types of certificates (including EV)
• Fully automated provisioning of the legacy CloudSSL Certificate
• No email verification needed
• All domain control checks performed automatically by the program
Learn more: www.globalsign.com