
We are currently running a SaaS over HTTPS (abc.net) and one of our clients (xyz.com) wants to do some custom branding. The client xyz.com will have their own subdomain xyz.abc.net which looks like it's part of xyz.com when viewed from a web browser.

The client will add CNAME records to their DNS so that the HTTP(S) requests made towards xyz.com will be routed to xyz.abc.net.

The above should work in theory as both xyz.com and *.abc.net have verified Certificates.

But, what will be the certificate that will be visible in the address bar for an average user when they access xyz.com? If the user sees the Certificate of *.abc.net instead of xyz.com, is there any way to change it?

Since there already exists a certificate for *.abc.net, the customer cannot get a new certificate for their subdomain.

I already found this, but it seems a bit different from the above question. Also, the client does not want to proxy (which requires them to run servers).

JOW
  • dupe of http://security.stackexchange.com/questions/45/what-is-the-best-option-for-setting-up-a-several-sites-supporting-ssl-on-the-same-ip – dave_thompson_085 Aug 13 '15 at 08:24

1 Answer


There is no magic in there: the user will see what the web server sends, and the web server will send what you tell it to send.

You said that both URLs will share the same IP using a DNS CNAME entry, so you will encounter a different behavior depending on whether the browser supports SNI or not. SNI is supported by all decently recent browsers and allows them to indicate the server name during the early phases of the SSL handshake, thus allowing the web server to select the right certificate to show to the client.

  • With browsers supporting SNI you simply have to configure different virtual hosts (or the equivalent, depending on your web server) based upon the server name, each one referring to its own certificate but most probably sharing the same document root and other properties.
  • If you would like to support older browsers: when receiving a request from such a browser, the web server, having received no server name, will always select the default virtual host and use the configuration contained therein.
    If you would like to be perfectly clean and show the right certificate even for those clients, then you will need to use a different IP for each server name. Otherwise, it will be up to you (hem, your customer) to decide to what extent you tolerate a graceful degradation of your services for clients using old browsers (the website will remain reachable in any case for these clients: older - and therefore by definition insecure - browsers will get a security warning mentioning the certificate from the other domain or a specially generated default certificate, depending on your configuration and choice).
psmears
WhiteWinterWolf
  • so, if our server is able to present the client's certificate when xyz.com is requested from a SNI enabled web browser, then all is well? – JOW Aug 12 '15 at 12:09
  • 1
    Yes, all is well, that's why SNI is a very good thing :). – WhiteWinterWolf Aug 12 '15 at 12:18
  • thanks. just read that wiki link you sent once again. SNI seems to address this exact question. – JOW Aug 12 '15 at 12:20
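The SNI-based certificate selection described in the answer, as an added example that is not code from the thread or from either participant: a small Go program that stands up a TLS listener on loopback with two constructed self-signed certificates (one for *.abc.net, one for xyz.com), selects between them on the SNI name the way name-based virtual hosts do, and then connects three ways: with SNI xyz.com, with SNI xyz.abc.net, and with no SNI at all (what a pre-SNI browser sends, so the default certificate comes back). The hostnames, the self-signed certificates and the name-to-certificate table are assumptions for the demo; a real deployment uses CA-issued certificates and never sets InsecureSkipVerify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed certificate for the given DNS names.
// Constructed test material only: a real deployment uses CA-issued certificates.
func selfSigned(names ...string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// newSNIServer starts a TLS listener on a loopback port whose certificate choice
// mirrors name-based virtual hosts: the SNI name selects the certificate, and a
// ClientHello without SNI (an old browser) gets the default one, the SaaS wildcard.
func newSNIServer() (net.Listener, error) {
	wildcard, err := selfSigned("*.abc.net", "abc.net") // assumed SaaS certificate
	if err != nil {
		return nil, err
	}
	customer, err := selfSigned("xyz.com", "www.xyz.com") // assumed customer certificate
	if err != nil {
		return nil, err
	}
	byName := map[string]*tls.Certificate{ // assumed virtual-host table
		"xyz.abc.net": &wildcard,
		"xyz.com":     &customer,
		"www.xyz.com": &customer,
	}
	cfg := &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := byName[hello.ServerName]; ok {
				return c, nil
			}
			return &wildcard, nil // no SNI or unknown name: default virtual host
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				c.(*tls.Conn).Handshake() // only the handshake matters here, no HTTP
			}(c)
		}
	}()
	return ln, nil
}

// presentedName connects with the given SNI name (empty means no SNI, as with a
// pre-SNI browser) and returns the CN of the certificate the server presented.
func presentedName(addr, sni string) (string, error) {
	cfg := &tls.Config{
		ServerName:         sni,
		InsecureSkipVerify: true, // self-signed test certs; never do this in production
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	ln, err := newSNIServer()
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	for _, sni := range []string{"xyz.com", "xyz.abc.net", ""} {
		cn, err := presentedName(ln.Addr().String(), sni)
		fmt.Printf("SNI=%q -> certificate CN=%q err=%v\n", sni, cn, err)
	}
}
```

Dialing an IP address with an empty ServerName makes Go omit the SNI extension entirely, which is why the third connection lands on the default certificate. Against a real server the equivalent check is openssl s_client with and without -servername: the certificate subject it prints should change in the same way.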