Every time someone posts a "can I do name-based virtual hosting with SSL"
request, I'm inclined to suspect a troll because of the number of replies it
gets. :-) However, I have to make a comment because invariably many of the
replies say something that isn't actually true ...

On Tue, 17 Apr 2001, Rudi Heitbaum wrote:

> Nope, it does not because the SSL session is established before
> the http call. Thus you can only bind 1 certificate to an IP
> address. This is a faq by the way.

Wrong, you can only bind 1 certificate to an IP/port address pair. You can run a
tonne of HTTPS hosts on the same IP address if you are prepared to use ports
other than 443. Of course, the decision as to whether you can do that will
depend on your circumstances (e.g. if you want to work through firewalls that may
strip everything except ports 80 and 443), but it is not true to flat-out state
that you get only 1 host per IP address.

The reason for all this is simply that a received connection must perform
SSL/TLS handshaking prior to being able to determine the nature of the embedded
(encrypted) request, and thus prior to knowing which name-based host the user
wanted. There are alternatives[1] that get round this, but until browsers start
supporting them, they're little more than theoretical niceties. So name-based
virtual hosting is not possible - this does not mean however that you get only
one SSL host per IP address, because you can bind distinct listening sockets on
the same IP address but with different ports and that gives you all the room to
move you need to run distinct SSL/TLS configurations.

Cheers,
Geoff

[1] These alternatives typically suggest a clear-text header prior to SSL/TLS
handshaking that can give the server a clue as to which identity (name-based
host) it should operate as - i.e. when the SSL/TLS handshake starts, it will know
which certificate(s) to operate with. Until then, we have only HTTPS that
requires that the SSL/TLS setup take place before we know anything about the
underlying request.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
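The arrangement Geoff describes, one certificate per IP/port pair rather than per IP address, as an added mod_ssl configuration example (not from the original post or the mod_ssl project). The address 192.0.2.10, the hostnames, the DocumentRoot paths and the certificate/key paths are placeholders; the directives themselves (Listen, VirtualHost, SSLEngine, SSLCertificateFile, SSLCertificateKeyFile) are standard mod_ssl/Apache directives.

```apache
# Added example, not from the original post: two distinct HTTPS identities
# on ONE IP address, separated by port rather than by name.
# 192.0.2.10, the hostnames and all file paths are placeholders.

# Bind one listening socket per identity on the same address.
Listen 192.0.2.10:443
Listen 192.0.2.10:8443

# First HTTPS identity on the standard port 443.
<VirtualHost 192.0.2.10:443>
    ServerName            www.example.com
    DocumentRoot          /var/www/www.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>

# Second HTTPS identity on the SAME address but a different port.
# Because the listening socket is distinct, the server already knows which
# certificate to present when the SSL/TLS handshake starts; it never needs
# the (still encrypted) Host: header to make that choice.
<VirtualHost 192.0.2.10:8443>
    ServerName            shop.example.com
    DocumentRoot          /var/www/shop.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key
</VirtualHost>
```

What this does not give you is two certificates behind a single `192.0.2.10:443` socket: if both blocks were written for port 443, the handshake would complete with the certificate of whichever block is first for that address/port before the server could see which name the client asked for. To check which identity a port is serving, connect to it directly with `openssl s_client -connect 192.0.2.10:8443 -showcerts` and confirm the presented certificate's subject is the one expected for that port. As the post notes, the price of the non-standard port is that client-side firewalls restricting outbound traffic to 80 and 443 will not reach it.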