ispconfig 3.0.4.6 allows SSL to be enabled on multiple sites with same IP

[ronee]

Currently with ispconfig v3.0.4.6 it is possible to configure more than one site assigned to the same IP with SSL enabled.

If there is a signed cert on one site and a self signed cert on another, the results appear to be inconsistent where the SSL data served is a strange hybrid between the two.

I wanted to mention this as imho, ispconfig should only allow SSL to be enabled on a given site if no other sites assigned to that IP have SSL enabled. Changing the IP of an SSL enabled site should also be restricted so that two sites with SSL enabled are not inadvertently assigned to the same IP.

This is particularly important where multiple users have access to various sites (but not all) on a given server, an accidental or unknowing change of IP by one user on an SSL enabled site can cause issues that are not immediately apparent.

[till]

Quote:

If there is a signed cert on one site and a self signed cert on another, the results appear to be inconsistent where the SSL data served is a strange hybrid between the two.

This depends on the browser that you use. Take a look at wikipedia and search for sni ssl to get a list which browsers support sni.

Beside that, the behaviour of your system depends on the settings that you have made in the ispconfig interface and the things you mentioned above are already avilable, you just have not enabled them. You can disable sni under System > server config > web if you dont want to allow multiple ssl sites on one IP or if you can not ensure that all users use a sni capable browser and you can assign a IP address to one customer if you want to ensure that no other customer uses it.

As a genaral note, I use sni on several customer servers, it workks fine and the results are consistent.

[ronee]

Thanks very much, Till, that makes sense.

One other question about that -- is there a way within ispconfig to control which cert is to be used as the default certificate for those browsers / clients that do not support SNI?

[till]

SNI sites behave the same like non ssl namebased vhosts. So if no domain matches the site(s), the first site in alphabetical order is shown that uses the same IP address. If you want a specific site to be shown first, just change the domain name.

Example the site example.com shall be shown first:

1) Change the domain name example.com in the site settings to 000example.com
2) Add example.com as aliasdomain to the site 000example.com