Web Server – Offer Multiple TLS Certificates

Tags: certificate, configuration, http, ssl, web-server

Let's say I have a TLS certificate for a domain but I'm not sure if all user agents potentially connecting over HTTP would accept it. Can I obtain another certificate, signed by another certificate authority, and use it in such cases as a fallback, transparently to the user? If it's possible, how would the client-server communication to establish a secure connection proceed? And is this use case well known and supported in configuration of popular HTTP servers?

I know there are similar questions but they ask about varying the used certificate by subdomain (possible) or path prefix (impossible IIUC because at negotiation time the server knows only the authority, not the full Request-URI).

Best Answer

Can a server offer more than one TLS certificate?

A server can support more than one TLS certificate, but it can only offer a single TLS certificate in the TLS handshake with the client. AFAIK that is the limit set in the TLS (handshake) protocol, RFC 5246.

The capability to support multiple certificates is most frequently used when you have several different domain names that all point to the same server.

Server Name Indication sends the hostname of the server in the TLS handshake made by the client. That allows the server to select the best matching certificate to use for that connection. I.e. the server can then use the certificate for www.example.com when the client indicates that it wants to connect to www.example.com, and it can use a different (or default) certificate when the client connects with, for example, only the IP address, no hostname, or a different hostname in the ClientHello message.

In addition to the server name from the ClientHello TLS handshake message a server can be configured to use other parameters to select a different certificate.

For example, when during the TLSv1.2 handshake the client indicates that its first preference is to use elliptic curves rather than RSA, then an ECDSA key/certificate can be offered, and for clients that don't, an RSA certificate can be offered instead.
See for example https://www.haproxy.com/blog/serving-ecc-and-rsa-certificates-on-same-ip-with-haproxy/ and/or https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile

You can do the same with, for example, legacy clients that don't support ciphers above TLSv1.0.

But once the certificate has been selected by the server there is no fallback: the client either accepts or rejects the offered certificate.
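The two selection mechanisms the answer describes (SNI-based vhosts and a per-vhost RSA/ECDSA certificate pair), written out as an Apache 2.4 mod_ssl configuration. This is an added example and not part of the original post or answer; the hostnames, IP, file paths and certificate file names are placeholders, and it assumes Apache 2.4.8 or later (multiple SSLCertificateFile directives per vhost) built against an OpenSSL with SNI and ECDSA support.

```apache
# Added example, not from the original post. Hostnames, paths and file
# names are placeholders; adjust them to your deployment.
# Assumes Apache 2.4.8+ (multiple SSLCertificateFile per vhost) built
# against an OpenSSL with SNI and ECDSA support.

Listen 443

# 1) SNI: one <VirtualHost> per hostname, each with its own certificate.
#    The FIRST *:443 vhost is the default, i.e. what a client gets when it
#    sends no server_name extension (legacy client) or an unknown name.
<VirtualHost *:443>
    ServerName  www.example.com
    ServerAlias example.com

    SSLEngine on

    # 2) Two certificates for the SAME name: an ECDSA one and an RSA one.
    #    mod_ssl picks the one the client can use, based on the signature
    #    algorithms and cipher suites in its ClientHello. Only ONE of them
    #    is sent in the handshake; there is no retry if the client rejects it.
    #    Key files must be listed in the same order as the certificate files.
    SSLCertificateFile    /etc/ssl/example/www.example.com.ecdsa.crt
    SSLCertificateKeyFile /etc/ssl/example/www.example.com.ecdsa.key
    SSLCertificateFile    /etc/ssl/example/www.example.com.rsa.crt
    SSLCertificateKeyFile /etc/ssl/example/www.example.com.rsa.key

    # Prefer ECDHE-ECDSA suites when the client offers them, then ECDHE-RSA,
    # so capable clients end up with the ECDSA certificate.
    SSLProtocol        all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite     ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

    DocumentRoot /var/www/example
</VirtualHost>

# A second hostname on the same IP:port, selected purely by SNI.
<VirtualHost *:443>
    ServerName shop.example.net

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/shop.example.net.rsa.crt
    SSLCertificateKeyFile /etc/ssl/example/shop.example.net.rsa.key

    DocumentRoot /var/www/shop
</VirtualHost>

# Default is "off": a client without SNI silently gets the first vhost
# (its certificate AND its content). Set to "on" to answer such clients
# with HTTP 403 on name-based vhosts instead of serving the wrong site.
SSLStrictSNIVHostCheck off
```

To check which certificate a given kind of client is served, run `apachectl configtest`, then connect with a recent OpenSSL (1.1.1 or later) and constrain what the client advertises: `openssl s_client -connect 203.0.113.10:443 -servername www.example.com -tls1_2 -sigalgs ECDSA+SHA256` should show the ECDSA certificate, the same command with `-sigalgs RSA+SHA256` the RSA one, `-servername shop.example.net` the second vhost's certificate, and `-noservername` the default vhost's certificate. In every case the server sends exactly one certificate chain; if the client does not trust it the handshake fails, which is the "no fallback" point made in the answer.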