On Tue, 3 Dec 2002, Dave Paris wrote:

> Not only is it not possible

With the current state of the SSL protocol such as it is, this is
correct-- it's not possible.

> it'd be a HUGE security flaw if it WERE possible.

Well, not necessarily... all that you would need is for the client to tell
the server which host it *thought* it was contacting, and then the server
would know which vhost to serve the request with and therefore which
certificate to present.  That would require the SSL protocol to have the
equivalent of HTTP's Host: header.  From there, as long as the certificate
can be verified as authentic, there's no more risk than there would be if
there was a one-to-one mapping between IP and hostname as the current SSL
protocol requires.

But please, people, this is SUCH a frequently asked question.  Definitely
one of the top three.  I wonder if we can't find a better way to document
this?  Anyone have any ideas?  I'd say un-hiding it from the FAQ page
would be a good start... it's a prominent question, give the answer a more
prominent location.

--Cliff

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]