Boyle Owen wrote:
- You're right that since apache can't see the host header, it uses the cert
from the default VH to establish the SSL session. Thereafter, it *can* see the
host header and so can route the requests successfully. This gives a lot of
people the illusion that SSL-NBVH is possible. The big problem is that you
don't get authentication because the default cert, generally, will not match
the requested site. For professional SSL, authentication is every bit as
essential as encryption so this won't do.
We use a "wildcard cert" to overcome this situation... the technical
limitation is that all the SSL "hosts" have to end with the same domain
(a wildcard cert is bound to our domain, not any individual host name),
but otherwise we can and do indeed run hundreds (soon to be thousands)
of customers on their own individual host names under SSL, all on port
443 on one instance of apache. Unfortunately we have to do funny
mod_rewrite trickery to simulate NBVH instead of using real NBVH.... I
suspect it would be a major change in Apache architecture to use real
NBVH in our case (but otherwise, yes, it absolutely could be technically
possible, given the all-must-be-in-the-same-domain, and must use a
"wildcard cert" limitations).
Dave
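The authentication point made in this exchange (a default-vhost cert does not match the other requested host names, while a wildcard cert does, but only for names one label under the same domain) as an added example, not code from the thread or from Apache; the certificate names and host names are constructed.

```python
"""Check which requested SSL host names a given certificate would actually
authenticate.  Constructed sample data; this is an illustration, not Apache's
own matching code."""


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost '*' label that
    covers exactly one host label (no bare domain, no nested subdomains)."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    labels = cert_name.split(".")
    # Wildcard must be the whole leftmost label and must leave at least two
    # fixed labels (so "*.com" is rejected).
    if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def authenticates(cert_names, hostname: str) -> bool:
    """True if any name on the cert (CN or SAN list) matches the host."""
    return any(cert_name_matches(n, hostname) for n in cert_names)


def check_hosts(cert_names, hostnames) -> dict:
    """Map each requested host name to whether the cert authenticates it."""
    return {h: authenticates(cert_names, h) for h in hostnames}


# Constructed sample certificates: what the default VH might present versus
# a wildcard cert bound to one domain.
DEFAULT_VHOST_CERT = ["www.example.com"]
WILDCARD_CERT = ["*.example.com", "example.com"]


def main():
    hosts = ["www.example.com", "shop.example.com", "a.b.example.com",
             "example.com", "customer.example.net"]
    for label, cert in (("default-vhost cert", DEFAULT_VHOST_CERT),
                        ("wildcard cert", WILDCARD_CERT)):
        print(label, check_hosts(cert, hosts))


if __name__ == "__main__":
    main()
```

Only `shop.example.com`-style names one level under the domain pass with the wildcard cert; a nested name or a host in another domain still fails, which is the limitation the reply describes.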