I'm wondering, if I have an .htaccess rewrite setup on a virtual subdomain, i.e. bm.example.com, that has a rewrite to www.example.com/index.php?u=someId and I have an SSL certificate on www.example.com, will I run into problems if I try and access https://bm.example.com?

+2  A: 

The connection should go through, but you'll probably get a hostname mismatch, unless your SSL certificate is set for *.mysite.com. SSL certificates with wildcards are typically a bit more expensive, so someone can't just purchase a wildcard SSL certificate and use it for phishing and other nefarious uses.

EvilChookie
A: 

Relevant parts from RFC 2818, HTTP Over TLS:

If the hostname is available, the client MUST check it against the server's identity as presented in the server's Certificate message, in order to prevent man-in-the-middle attacks.

If the client has external information as to the expected identity of the server, the hostname check MAY be omitted. (For instance, a client may be connecting to a machine whose address and hostname are dynamic but the client knows the certificate that the server will present.) ... In special cases, it may be appropriate for the client to simply ignore the server's identity, but it must be understood that this leaves the connection open to active attack.

If the hostname does not match the identity in the certificate, user oriented clients MUST either notify the user (clients MAY give the user the opportunity to continue with the connection in any case) or terminate the connection with a bad certificate error.

Automated clients MUST log the error to an appropriate audit log (if available) and SHOULD terminate the connection (with a bad certificate error). Automated clients MAY provide a configuration setting that disables this check, but MUST provide a setting which enables it.

J.F. Sebastian
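
The hostname check both answers refer to, as an added example that is not part of either answer: it matches the requested host against a certificate's DNS names and applies the automated-client rule quoted above (log the mismatch, terminate unless the check is disabled). The function names, the logger name and the certificate name lists are hypothetical; wildcard handling is a conservative simplification that accepts `*` only as the whole leftmost label.

```python
import logging

audit_log = logging.getLogger("tls.audit")  # hypothetical audit logger name


class HostnameMismatch(Exception):
    """Raised when no certificate name matches the requested hostname."""


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """Match one certificate DNS name against the hostname the client asked for."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # Conservative assumption: need two labels after "*", so "*.com" is refused.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False          # partial or non-leftmost wildcards are rejected
    return p == h


def check_server_identity(hostname, cert_dns_names, verify=True):
    """Automated-client behaviour: log a mismatch, then terminate by default."""
    if any(name_matches(n, hostname) for n in cert_dns_names):
        return True
    audit_log.error("certificate names %s do not match host %r",
                    cert_dns_names, hostname)
    if verify:
        raise HostnameMismatch(hostname)
    return False              # check disabled: connection is open to active attack


# Constructed certificate name lists for the question's scenario.
WWW_ONLY_CERT = ["www.example.com"]
WILDCARD_CERT = ["*.example.com", "example.com"]
```

With `WWW_ONLY_CERT`, a request for bm.example.com fails the check before any .htaccess rewrite is processed, because the certificate is verified during the TLS handshake.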