Are Hoel wrote:
> >That's the chicken and egg problem, you need a different IP
> >for each SSL-based VirtualHost:
> >http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> 
> I have actually managed to get this working with only one IP :)

That depends what you mean by "working"... What is happening with your
set-up is the following:

- HTTPS request comes in on port 443.
- server needs a certificate to begin SSL-negotiation so takes the cert
from the *first* VH on port 443.
- SSL connection is established, symmetric session-keys are exchanged.
- Now the server looks into the request and reads the "Host:"
definition.
- Using its amazing NBVH powers, the server now gets the content from
the desired VH.

What's wrong with this?

If the *first* SSL-VH is called "www.banana.com" and the requested host
is "www.kiwi.com" then your browser will be a bit worried that the name
in the certificate (banana) didn't match the site requested (kiwi). You
will, at least, get a pop-up alert.

You have to ask yourself why you are using SSL in the first place. If
you just want to see the little padlock click shut in your browser then
you're probably happy. But if you are serious about protecting the data
stream between the client and server, this approach will NOT work.

Authentication is an essential component of SSL. Encryption without
authentication just means you have a secure channel to an insecure
destination - i.e. you could be sending your credit card number,
perfectly encrypted, to a crook...

Rgds,

Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
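The identity check that produces the pop-up described above, as an added illustration that is not code from the posting or from mod_ssl: the certificate is a constructed dict in the shape Python's `ssl` module returns from `getpeercert()`, and the host names are the ones from the thread.

```python
"""Hostname check of the kind a browser runs after the SSL handshake.

Added illustration, not code from the mailing-list posting. The
certificate below is constructed in the shape ssl.getpeercert() returns,
so no network access is needed.
"""

# Constructed: the certificate the server presented because it belongs to
# the *first* VirtualHost on port 443 (www.banana.com), regardless of the
# Host: header the client sends afterwards.
BANANA_CERT = {
    "subject": ((("commonName", "www.banana.com"),),),
    "subjectAltName": (("DNS", "www.banana.com"), ("DNS", "banana.com")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard allowed only
    as the whole left-most label, never matching across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Identities the certificate asserts: SAN dNSNames, falling back to the
    subject CN only when no SAN entries are present."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when the requested host is covered by the certificate."""
    return any(_dns_name_matches(name, hostname) for name in cert_names(cert))


if __name__ == "__main__":
    for host in ("www.banana.com", "www.kiwi.com"):
        verdict = "OK" if hostname_matches(BANANA_CERT, host) else "MISMATCH (browser warns)"
        print(f"{host:16} -> {verdict}")
```

The second line of output is the kiwi request failing against the banana certificate, which is exactly the alert the single-IP set-up triggers; the encryption itself succeeded, only the authentication step failed.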