SSL listener responding for unmapped virtual hosts

#1
Hello,

I have multiple virtual hosts on a single IP. I want to set up an SSL listener on standard port 443 for one virtual host. When I set up this SSL listener and map it to only one virtual host, going to the https:// address of any other virtual host on the same IP (not mapped to this listener) presents the SSL certificate of this listener.

Not sure whether this is a bug or whether I am misunderstanding something. How can I make this SSL listener present the SSL certificate only for the mapped virtual host, but not for the unmapped virtual hosts?

Thanks.
 

mistwang

LiteSpeed Staff
#2
As long as those domains are pointing to that IP, opening port 443 on that IP will open HTTPS for all domains. Nobody can prevent that unless you point only one domain to that IP; in other words, that IP is owned by that domain only.
The server will use SNI to determine which SSL certificate will be returned based on the domain name; if not found, the default SSL cert will be returned.
 
#3
Thanks for the answer. I see that there are SSL certificate settings on the level of the listener and on the level of the virtual host. How can I set up the SNI solution that you have described? Would this involve setting the listener to the default certificate and setting virtual hosts to domain-specific certificates?

Also, when using this solution, is there a way to make some of these virtual hosts / domains not respond to SSL requests at all - either by timing out or by displaying some kind of error?
 

mistwang

LiteSpeed Staff
#4
> How can I set up the SNI solution that you have described? Would this involve setting the listener to the default certificate and setting virtual hosts to domain-specific certificates?

Yes.

> Also, when using this solution, is there a way to make some of these virtual hosts / domains not respond to SSL requests at all - either by timing out or by displaying some kind of error?

Not possible.
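
Added example, not part of the original thread and not LiteSpeed code: a small audit that connects to one IP with each hostname as SNI and reports which names receive a certificate issued for them and which receive the default certificate, as posts #2 and #4 describe. The hostnames, the address 192.0.2.10 and all function names are assumptions; `fake_probe` is a constructed stand-in for the server so the example runs offline.

```python
import socket
import ssl

HOSTNAME_MISMATCH = 62  # OpenSSL X509_V_ERR_HOSTNAME_MISMATCH


def probe(ip, hostname, port=443, timeout=5.0):
    """Handshake with ip, sending hostname as SNI, and classify the result."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return "match"  # certificate is valid for this name
    except ssl.SSLCertVerificationError as exc:
        if exc.verify_code == HOSTNAME_MISMATCH:
            return "mismatch"  # certificate was issued for another name
        return f"error: {exc.verify_message}"
    except OSError as exc:  # refused, timed out, handshake failure
        return f"error: {exc}"


def audit(ip, vhosts, probe_fn=probe):
    """vhosts maps hostname -> True if it is mapped to the SSL listener."""
    report = []
    for host, mapped in sorted(vhosts.items()):
        result = probe_fn(ip, host)
        if result == "match":
            finding = "ok" if mapped else "unmapped vhost is covered by a served certificate"
        elif mapped:
            finding = "mapped vhost is not serving its own certificate"
        elif result == "mismatch":
            finding = "default certificate returned (SNI fallback)"
        else:
            finding = "handshake failed, no certificate check possible"
        report.append((host, result, finding))
    return report


# Constructed stand-in for a server like the one in the thread: only
# secure.example.test has its own certificate, every other name gets the default.
def fake_probe(ip, hostname):
    return "match" if hostname == "secure.example.test" else "mismatch"


if __name__ == "__main__":
    sample = {"secure.example.test": True, "blog.example.test": False}
    for row in audit("192.0.2.10", sample, fake_probe):  # constructed input
        print(row)
```

Against a real server, call `audit(ip, vhosts)` without the third argument. A default certificate that is self-signed or issued by an untrusted CA is reported as an error result rather than `mismatch`, because chain building fails before the name check.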
 