At 11:35 PM 4/6/2002, you wrote:
>I know that the docs say it's not possible, but is it theoretically
>possible? It would be really nice to have this feature.

Obverse... it's physically possible. It isn't theoretically possible.

Client request: open SSL connection to server [no headers sent]

Server response: negotiate SSL Session with a key, based on no information
other than the client ip/port or server listener.

Client response: complete SSL negotiation.

Then the client sends the headers; Host: hostname... but we already
negotiated the key of the wrong vhost.

RFC2817 "Upgrading to TLS Within HTTP/1.1" proposes the client sends a
plain text request with headers, requesting the server upgrade to a TLS
connection for a specific host. But no browser or server that I'm aware of
actually implements this new mechanism. Yes - it would be terrific if Apache
was the first implementation, but we still need client support to have any
impact.

So really, no, named virtual hosts today cannot be used with SSL. The
directives all work, but the key sent is based on the physical port and/or
the default vhost, not the Host: header.

Sorry.

Bill
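
An added illustration, not part of the original message and not Apache code: a small Python model of the ordering described above, comparing certificate selection when SSL is negotiated first with selection after an RFC 2817 plain-text upgrade request. The vhost names, address, certificate strings and function names are constructed for the example.

```python
# Constructed vhost table: two names share one listener (IP, port).
# The first entry stands in for the default vhost.
VHOSTS = [
    {"listen": ("192.0.2.10", 443), "name": "www.example.com", "cert": "CN=www.example.com"},
    {"listen": ("192.0.2.10", 443), "name": "shop.example.com", "cert": "CN=shop.example.com"},
]
# Constructed sample requests.
LATE_REQ = b"GET / HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"
UPGRADE_REQ = (b"OPTIONS * HTTP/1.1\r\nHost: shop.example.com\r\n"
               b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")

def cert_for_direct_ssl(listener):
    """SSL first: the only inputs are the listener address and port."""
    for vh in VHOSTS:
        if vh["listen"] == listener:
            return vh["cert"]  # default (first) vhost wins
    raise LookupError("no vhost on %s:%d" % listener)

def parse_headers(raw):
    """Return (request_line, {lowercased header name: value})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def wrong_cert_served(listener, raw_after_handshake):
    """True when the cert fixed at handshake is not the one for the Host sent later."""
    _, h = parse_headers(raw_after_handshake)
    return cert_for_direct_ssl(listener) != "CN=" + h["host"].lower()

def cert_for_rfc2817_upgrade(raw):
    """Plain-text request first: Host is known before any key is chosen."""
    _, h = parse_headers(raw)
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    protos = [p.strip() for p in h.get("upgrade", "").split(",")]
    if "upgrade" not in tokens or "TLS/1.0" not in protos:
        return None, None  # not an upgrade request
    host = h.get("host", "").split(":")[0].lower()
    for vh in VHOSTS:
        if vh["name"] == host:
            reply = (b"HTTP/1.1 101 Switching Protocols\r\n"
                     b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")
            return reply, vh["cert"]
    return b"HTTP/1.1 400 Bad Request\r\n\r\n", None
```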
