Of all the gin joints in all the towns in all the world, "Chris Allen"
had to walk into mine and say:
>
> Is this something that mod_ssl needs or is this an apache (etc.) related
> problem? Is there ever going to be a way to do name based virtual hosting
> with apache and mod_ssl?

It's an HTTP over SSL problem.

The normal HTTP transaction looks something like:

- connect to server
- issue GET request, with Host: header
- web server serves virtual host information based on Host: header

The normal HTTPS transaction looks something like:

- connect (TCP) to server
- perform SSL handshake; server sends server SSL certificate
- perform server certificate verification
- issue GET request, with Host: header

Notice the order of operations is backwards; the server issues the SSL
certificate *before* the server receives the Host: header, so it can't
send out *different* SSL certificates.

There are several solutions to this problem:

1) use IP address based virtual hosting. In this case, the SSL server
   knows the IP address before sending the SSL request. This is the most
   common solution, because it is easy and can be extended to new
   virtual hosts easily. The downside is that you need a separate
   address per virtual host.

2) use SSL over HTTP (not very well supported at this time).

3) Configure the SSL server to use a single SSL certificate. Put *all*
   of the names and addresses of the server into the "subjectAltName"
   extension field of the certificate.

   Note that this only works well if your set of virtual hosts is small
   and unchanging (like mine), or if you have your own CA. This is
   because you need to reissue the certificate every time you add (or
   remove :-) a virtual host.

--
Harald Koch <[EMAIL PROTECTED]>
"It takes a child to raze a village."
-Michael T. Fry
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
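
The ordering problem and solutions 1 and 3 from the message above, as an added example that is not part of the original post or of mod_ssl. It models a certificate as the set of its subjectAltName entries; the host names, the 192.0.2.x addresses and the scenario names are constructed for illustration.

```python
# Added illustration: host names, addresses and certificate contents are constructed.
# A certificate is modelled only as the set of its subjectAltName entries.

ONE_ADDRESS = {"shop.example": "192.0.2.10", "mail.example": "192.0.2.10"}

SCENARIOS = {
    # Name-based hosting on one address: only one certificate can ever be presented.
    "name_based": {
        "dns": ONE_ADDRESS,
        "certs_by_ip": {"192.0.2.10": {"shop.example"}},
    },
    # Solution 1: one address per virtual host, so the address selects the certificate.
    "ip_based": {
        "dns": {"shop.example": "192.0.2.10", "mail.example": "192.0.2.11"},
        "certs_by_ip": {"192.0.2.10": {"shop.example"},
                        "192.0.2.11": {"mail.example"}},
    },
    # Solution 3: a single certificate listing every name and address of the server.
    "single_san_cert": {
        "dns": ONE_ADDRESS,
        "certs_by_ip": {"192.0.2.10": {"shop.example", "mail.example", "192.0.2.10"}},
    },
}


def fetch(host, dns, certs_by_ip):
    """Walk the HTTPS steps in order; return the request line sent, or None."""
    ip = dns[host]                      # connect (TCP) to server
    presented = certs_by_ip[ip]         # handshake: server knows only the address
    names = {n.lower() for n in presented}
    if host.lower() not in names:       # client-side certificate verification
        return None                     # mismatch: the request is never sent
    return f"GET / with Host: {host}"   # only now does the server learn the name


def results(scenario):
    """Map each virtual host to whether its certificate check passed."""
    cfg = SCENARIOS[scenario]
    return {h: fetch(h, cfg["dns"], cfg["certs_by_ip"]) is not None
            for h in cfg["dns"]}


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, results(name))
```

In the name_based scenario the second host fails verification before any Host: header exists, which is why the server has no chance to pick a different certificate.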