Wednesday, January 26, 2011

Recommendation for a non-standard SSL port

Hey guys,

On our server I have a single IP and need to host 2 different SSL sites. The sites have different owners, so they have different SSL certificates and can't share the same certificate with SAN.

So as a last resort I have modified the web application to give it the ability to use a specified port for secure pages. For its simple look I used port 200. However, I'm worried that some visitors may be unable to see the site because their firewalls / proxies block the port for SSL connections. I heard some people were unable to see the website (a home user and someone from an enterprise company), but I don't know if this was the reason.

So, any recommendations for a non-standard SSL port number (443 is used by the other site) which may work better for visitors than port 200? Like 8080 or 8443 perhaps?

Thanks!

  • Using port 200 would definitely be an issue. My users wouldn't be able to see your site on that port.

    8443 is a good compromise. Being standard in Java environments, more professional environments will allow it. I suspect there will still be issues, however.

    SuperDuck : Ah great tip, thanks Warner. Yeah, there may always be some issues, but at least it will give a better chance then. I heard the bank, who will check the website for the virtual POS application, was unable to access the site. Though I'm not sure if this was the problem, I'll try my chance with 8443 =)
    SuperDuck : Great! Just remembered we had some spare IPs; waiting for support to adjust the firewall.
    From Warner
  • I present Server Name Indication over SSL. With this, you can have Apache listen on one IP:port, and browsers will send you the hostname before initiating SSL. All modern browsers support this, unless you're enslaved by IE6 for some reason.

    SuperDuck : Thanks for your comment, jldugger. SNI was my second hope, as we dropped support for IE6. However, I've noticed that it won't work on XP systems, even if you use the latest IE version. So I guess it needs at least 4-5 years to become usable.
    From jldugger
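The reason SNI makes the whole port question go away is that the browser puts the hostname, in clear text, into the very first handshake message (the ClientHello), before the server has to pick a certificate. The following is an added example, not code from the thread or from any of the participants: it builds a minimal ClientHello (constructed test data, not a capture) with or without the server_name extension, and then parses it the way a TLS terminator, a reverse proxy or an IDS would to recover the requested hostname without decrypting anything. The function names `build_client_hello` and `extract_sni` and the sample hostnames are assumptions made for this example.

```python
"""Parse the Server Name Indication (SNI) extension out of a TLS ClientHello.

Added example (not from the original thread). It shows why one IP:port can
serve several certificates: the client sends the hostname in clear text in the
first handshake message, before any certificate is chosen, so a server or a
passive inspector can read it with plain byte-level parsing.
"""
import struct


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2-style ClientHello record (constructed data).

    If hostname is None the extensions block is omitted entirely, which is
    what a legacy pre-SNI client (e.g. IE on Windows XP) sends.
    """
    body = b"\x03\x03"                                   # client_version: TLS 1.2
    body += b"\x11" * 32                                 # random (fixed, constructed)
    body += b"\x00"                                      # session_id length 0
    body += struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"   # two cipher suites
    body += b"\x01\x00"                                  # one compression method: null
    if hostname is not None:
        name = hostname.encode("idna")                   # SNI host_name is ASCII (RFC 6066)
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from a ClientHello record, or None if absent.

    Raises ValueError for anything that is not a well-formed ClientHello, so a
    caller logging or routing on this value never mistakes garbage for a name.
    """
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                      # skip client_version and random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos == len(body):
            return None                                   # no extensions: legacy client
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                           # server_name extension
                p = pos + 2                               # skip server_name_list length
                while p + 3 <= pos + elen:
                    ntype = body[p]
                    nlen = struct.unpack("!H", body[p + 1:p + 3])[0]
                    if ntype == 0:
                        return body[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
            pos += elen
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None


if __name__ == "__main__":
    for host in ("shop.example", "blog.example", None):
        print(host, "->", extract_sni(build_client_hello(host)))
```

A server that reads this field can map `shop.example` and `blog.example` to two different certificate files on the same 443 listener; a client that sends no extension block (the XP/IE case mentioned in the comment) is what the `None` result represents, and that is exactly the client the server can only serve with its default certificate.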
