>
> The company I currently host through has SSL for each of the virtual hosts.
> They have thousands of accounts, hard to believe they would have a
> certificate for each virtual domain.
Yes, they must have separate certificates for each domain. That'll be why
when you sign up for SSL hosting with them they'll charge you for a
certificate and ask you for all sorts of identification (or ask you to do
that direct with the certification authority).
Why would they not have a certificate for each domain?
>
> Would one certificate work if the virtual hosts were IP-Based with (ip
> aliases) virtual ip?
> ( I believe that is the term for using one IP to serve many. I'm still very
> new to Linux)
>
Using one IP to serve many is "name-based" virtual hosting. Using many IPs
to serve many is "IP-based" virtual hosting. If you only have one IP then
it's called name-based because you have to make the distinction between
virtual hosts by looking at the domain name. Each of the possible domain
names will resolve (be pointed) to the same one IP address. If you have many
IPs then you call it IP-based virtual hosting because you make the
distinction between different virtual hosts just by checking the destination
IP address.
You can do IP-based virtual hosting with any protocol, just by looking at
the TCP packets. However, to do name-based virtual hosting the client has to
tell the server which domain name it is using. The problem is, with TCP, the
client looks up the domain name and communicates with the server using its
IP address. The server has no idea what domain name the client looked up to
get the server's IP address (analogy: if someone phones you up, you don't
know how they found your phone number). But if the client says "I used xyz
domain name" then the server can adjust its response accordingly (analogy:
the person on the phone can say how they found your number).
In HTTP, the client tells the server what domain name it's using by sending
the "Host" header. E.g. "Host: xyz.abc.com". The server then knows it should
be using the xyz.abc.com virtual host.
This doesn't work with SSL, because before any HTTP headers are sent, the
SSL handshake has to occur. In order for this to happen, the server has to
know which certificate and key to use (otherwise a secure connection cannot
be established). In order to know which cert to use, it has to know which
virtual host to use. If you're using IP-based virtual hosting, it can just
look at the TCP packets and see which IP address they're using (analogy: if
you have multiple phone lines, and one phone rings, then you know which
number the person dialled because you know the phone number associated with
each line). So IP-based SSL virtual hosting is no problem. However, with
name-based virtual hosting the Host header isn't sent until after the SSL
handshake -- thus the server doesn't know which certificate to use for the
handshake, so it uses the default server instead of the virtual host.
Cheers,
Simon Garner
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
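An Apache/mod_ssl configuration for the IP-based SSL setup Simon describes, added here as an illustration and not taken from the thread or from the mod_ssl documentation. The addresses (192.0.2.10, 192.0.2.11), hostnames and file paths are placeholders; it assumes each SSL hostname's DNS record points at its own address.

```apache
# Added illustration (not from the original post): two SSL virtual hosts
# told apart by destination IP, so each can present its own certificate.
# 192.0.2.10 / 192.0.2.11, the example.* names and the paths are placeholders.

Listen 192.0.2.10:80
Listen 192.0.2.10:443
Listen 192.0.2.11:443

# Plain HTTP can stay name-based on one address: the Host header arrives
# in the clear, so the server can pick the vhost from it.
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName   www.example.com
    DocumentRoot /var/www/example-com
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName   www.example.net
    DocumentRoot /var/www/example-net
</VirtualHost>

# SSL must be IP-based: the handshake happens before any Host header, so
# the only thing the server can key the certificate choice on is the IP
# the client connected to. One address per certificate, never shared.
<VirtualHost 192.0.2.10:443>
    ServerName            www.example.com
    DocumentRoot          /var/www/example-com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName            www.example.net
    DocumentRoot          /var/www/example-net
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/www.example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.net.key
</VirtualHost>
```

To confirm that each address hands out the intended certificate before any HTTP is exchanged, connect to each with `openssl s_client -connect 192.0.2.10:443` (and likewise for 192.0.2.11) and compare the subject shown; if two SSL vhosts were put on the same IP:port, only the first-defined one's certificate would ever be served, which is the fallback to the default server that the reply above describes.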