The following is an !excellent! clarification of the mod_ssl FAQ re use 
of NBVH for SSL. If some of this were added to the FAQ it would 
eliminate a fair number of posts to this list ;)

Thanks Dana!

James Moore

On 9 Aug 00, Dana Powers wrote:

<snip>

> What happens is the client browser sees https so it thinks 'Ah, SSL on
> port 443'. So it connects to the web server and sets up an SSL
> connection. There is no GET or POST or HTTP at all. This is still the
> SSL stage. The problem is, all the web server knows, and more
> specifically - all mod_ssl knows, is that a connection is coming in on
> IP: X and Port: Y (here 443). So the server needs to find a
> configuration using only the IP address and the Port number. If you use
> NBVH and these virtual hosts do not have unique IP+Port combinations,
> then the web server will not know which one it should use to determine
> which key should be used for encryption/decryption. Typically it will
> just pick the first one it gets to, which means one of the NBVH will be
> fine, but the other will use the wrong key - so most high profile
> clients will throw an error saying that the certificate DNS name does
> not match the URL DNS name. You still get a perfectly good SSL
> connection, it's just that the certificate sent out is not the one you
> wanted. The solution is, if you need NBVH for SSL connections, they
> should have unique IP+Port combinations. Your problem below shouldn't be
> a problem, because although you have NBVH, you only have 1 SSL virtual
> host. There should be no problems in that case. (Although, it is
> generally a good idea to explicitly state your IP+port for each virtual
> host, or use _default_.)

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
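
The condition described in the quoted explanation, as an added example that is not part of the original posts: a Python check that flags SSL-enabled `<VirtualHost>` blocks sharing one address:port, where only one certificate can be selected. The sample configuration, its host names and the 192.0.2.x addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from the original post).
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName mail.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName pay.example.com
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def directive(body, name):
    """Return the first argument of a directive inside a vhost body, or None."""
    m = re.search(r"^\s*%s\s+(\S+)" % name, body, re.I | re.M)
    return m.group(1) if m else None

def ssl_collisions(conf):
    """Map each address:port to its SSL vhosts, keeping only shared ones."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)          # drop comment lines
    by_addr = defaultdict(list)
    for addrs, body in VHOST_RE.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() != "on":
            continue                                   # plain HTTP vhost
        name = directive(body, "ServerName") or "(no ServerName)"
        for addr in addrs.split():                     # a vhost may list several
            by_addr[addr].append(name)
    return {a: n for a, n in by_addr.items() if len(n) > 1}

def report(conf):
    """One line per shared address:port; the first vhost listed is the one
    whose certificate is typically sent, as the post explains."""
    return ["%s: certificate of %s is also sent for %s" % (a, n[0], ", ".join(n[1:]))
            for a, n in sorted(ssl_collisions(conf).items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)) or "no shared SSL address:port")
```

The check compares address strings literally, so an overlap between `_default_:443` or `*:443` and a specific IP is not detected.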
