[wp-hackers] Single sign-on SSL domain

Jeremy Visser jeremy at visser.name
Thu Jul 23 02:15:50 UTC 2009


On Wed, 2009-07-22 at 18:22 -0400, Matt Martz wrote:
> What about using a wildcard cert or SAN (subject alternate name) cert? 
> A SAN cert allows you to protect multiple hostnames and domain names
> with a single cert. 

Have you seen how much wildcard SSL certificates cost? Apart from CAcert
(which is free), all the registrars charge an arm and a leg for one.
Even GoDaddy charges nearly US$200 for one.

Plus the fact that they only work on subdomains.

I've heard of SAN certs, which do work with completely independent
domain names, but I've not looked into pricing or availability. I can
only guess they would be significantly more expensive than an ordinary
certificate.

Scot, if you estimate most of your users are not using IE on Windows XP,
you could look into TLS-SNI. It is supported on Apache with the
mod_gnutls module (instead of mod_ssl), and allows you to serve multiple
SSL certificates (i.e. with name-based virtual hosts) on a single IP
address.

Unfortunately, while TLS-SNI is supported on Linux, Mac OS X, and
Windows Vista, it is only supported on Windows XP if you use a
third-party browser like Firefox. If you use IE6, IE7, or IE8 on XP,
you'll get served the wrong certificate.

I guess you could do a user-agent check to serve IE+XP users a non-SSL
page, as punishment for their sins. Might be worth looking into.

On Wed, 2009-07-22 at 15:00 -0700, Scot Hacker wrote:
> Somehow configure apache to route login requests to a central  
> domain for sign-in. Has anyone tried something like this? Tricky?
> Successful? Pitfalls? Recipes to share? What would need to happen on
> the WP side to work with a system like this? Is it even possible?

I have envisaged this situation myself in the event that a client would
one day require SSL on a site. Presuming each of your WordPress blogs
are at the root of their respective domain, I'd start by symlinking each
domain into subdirectories of your SSL domain:

        [scot@localhost ~/ssldomain.edu]$ ln -s ~/domain.org .
        [scot@localhost ~/ssldomain.edu]$ ln -s ~/mydomain.com .
        [scot@localhost ~/ssldomain.edu]$ ln -s ~/somesite.edu .

Then, I'd edit the wp-config.php file for each, and dynamically set the
WP_HOME and WP_SITEURL constants based on the hostname provided:

        # Single-domain SSL support for domain.org
        if ('ssldomain.edu' == $_SERVER['HTTP_HOST']) {
            define('WP_HOME',    'http://ssldomain.edu/domain.org');
            define('WP_SITEURL', 'http://ssldomain.edu/domain.org');
        }

All your theme images, redirects, etc. would then be pointing to the SSL
domain.

Hope this helps,
Jeremy.
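A stricter form of the wp-config.php switch described in the message above, added here as an example and not Jeremy's own code: it builds https URLs for the shared SSL domain, treats the client-supplied Host header as untrusted by matching it only against one fixed name, and falls back to the blog's canonical address otherwise. The hostnames and the /domain.org path are the thread's placeholders; the wp-config.php is assumed to belong to domain.org, reached both directly and through the ssldomain.edu/domain.org symlink.

```php
<?php
// Added example (not from the original post): per-host WP_HOME/WP_SITEURL
// selection for a blog that is also reachable under a shared SSL domain.
// Placeholder names from the thread; adjust for the real deployment.

$ssl_host  = 'ssldomain.edu';   // the one domain that has a certificate
$ssl_path  = '/domain.org';     // symlinked subdirectory for this blog
$canonical = 'http://domain.org';

// $_SERVER['HTTP_HOST'] comes straight from the request, so it is only
// compared against a known value, never used to build a URL directly.
$host   = isset($_SERVER['HTTP_HOST']) ? strtolower($_SERVER['HTTP_HOST']) : '';
$on_ssl = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

if ($host === $ssl_host && $on_ssl) {
    // Request arrived over SSL via the shared domain: keep every generated
    // URL (theme assets, redirects, login form action) on https so the
    // browser is not bounced back to a plain-http page mid-session.
    define('WP_HOME',    'https://' . $ssl_host . $ssl_path);
    define('WP_SITEURL', 'https://' . $ssl_host . $ssl_path);
    // Built-in WordPress constant: keep wp-login.php and wp-admin on SSL.
    define('FORCE_SSL_ADMIN', true);
} else {
    // Any other Host value (the blog's own name, a DNS alias, or a bogus
    // header) gets the canonical address rather than a URL derived from it.
    define('WP_HOME',    $canonical);
    define('WP_SITEURL', $canonical);
}
```

Because the login cookie is then issued for ssldomain.edu rather than domain.org, a visitor who signs in on the SSL domain is not automatically signed in when browsing domain.org directly; the thread's question about routing sign-in through a central domain is exactly this gap.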