Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

Mon, 13 Jan 2003 20:15:47 -0800 

Are there any docs for setting this up?

thanks
Robert
----- Original Message ----- 
From: "James Collier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 13, 2003 12:29 PM
Subject: Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 
Certificates)


> Many thanks Owen - I'll sleep more easily now ;)
> 
> Boyle Owen wrote:
> >>-----Original Message-----
> >>From: James Collier [mailto:[EMAIL PROTECTED]]
> >>
> >>At the moment, the handshake take place using the first matching vhost 
> >>on the basis of IP+Port, but evidently Apache then scans the decrypted 
> >>host header and assigns the correct NBVH. 
> > 
> > 
> > Exactly. The SSL transaction is handled by mod_ssl. The apache core is only used 
>initially to deliver a certificate to the SSL Engine. As you rightly say, given only 
>an IP address and port number, it simply responds with the first cert it finds in a 
>matching VH. Having obtained a cert, mod_ssl establishes the SSL channel with the 
>browser - thereafter, the requests are decrypted and passed "en clair" to the apache 
>core. So now apache can apply its NBVH algorithm happily. 
> > 
> > 
> >>This is using 1.3.x; I haven't tested 2.x yet.
> > 
> > 
> > It will be the same. This is a feature of the HTTPS layer and is unaffected by 
>what happens in the apache core, which is under HTTPS.
> > 
> > 
> >>My fear is that future apache+modssl code may lock-in the first NBVH 
> >>that matches on the basis of IP+Port, which would break my scheme.
> > 
> > 
> > Not likely. Each request is allowed to contain its own "Host" header. So there is 
>no reason why the server should override it. In any case, there is no mechanism for 
>the server to "remember" that subsequent requests from a particular client were 
>originally served from a certain VH. HTTPS is an additional onion-layer which 
>entirely encapsulates HTTP so there should be no spillover from one to the other.
> > 
> > Rgds,
> > 
> > Owen Boyle
> > 
> > 
> >>  Regards,
> >>     James.
> >>
> >>PS For those of you who were wondering, we use a private CA to 
> >>issue the 
> >>wildcard server cert.  As someone has already noted, Thawte advertise 
> >>them as well.
> >>
> >>Boyle Owen wrote:
> >>
> >>>>-----Original Message-----
> >>>>From: James Collier [mailto:[EMAIL PROTECTED]]
> >>>>
> >>>>I realise I am on thin ice as it would be a "reasonable" 
> >>>>optimisation to assign the final virtual host at an earlier 
> >>>>stage than is currently the case with SSL.
> >>>
> >>                                        ^^^
> >>                            I meant "apache+modssl"
> >>
> >>>
> >>>I wouldn't worry too much. Currently, in an SSL transaction, *all*
> >>>information is regarded as requiring encryption - including the Host
> >>>header in the original request. So the SSL session has to be 
> >>
> >>established
> >>
> >>>before any traffic takes place. Anything different (e.g. putting the
> >>>host header in the SSL layer) would be a major revision of 
> >>
> >>the protocol.
> >>
> >>>One of two things will happen first:
> >>>
> >>>- IPv6 will take off, creating so many IP addresses that NBVH will be
> >>>unnecessary and we will revert to one site, one IP.
> >>>- A new SSL-like protocol will appear which promotes the site name to
> >>>the SSL layer thus enabling NBVH.
> >>>
> >>>Either way, you'll need substantially to upgrade and reconfigure your
> >>>server so you'll be well aware of the changes.
> >>>
> >>>Rgds,
> >>>
> >>>Owen Boyle
> >>>
> >>>This message is for the named person's use only. It may contain
> >>>confidential, proprietary or legally privileged information. No
> >>>confidentiality or privilege is waived or lost by any 
> >>
> >>mistransmission.
> >>
> >>>If you receive this message in error, please notify the 
> >>
> >>sender urgently
> >>
> >>>and then immediately delete the message and any copies of it 
> >>
> >>from your
> > 
> >>>system. Please also immediately destroy any hardcopies of 
> >>
> >>the message.
> >>
> >>>You must not, directly or indirectly, use, disclose, 
> >>
> >>distribute, print,
> >>
> >>>or copy any part of this message if you are not the intended 
> >>
> >>recipient.
> >>
> >>>The sender's company reserves the right to monitor all e-mail
> >>>communications through their networks. Any views expressed in this
> >>>message are those of the individual sender, except where the message
> >>>states otherwise and the sender is authorised to state them to be the
> >>>views of the sender's company. 
> >>>
> >>
> >>______________________________________________________________________
> >>
> >>>Apache Interface to OpenSSL (mod_ssl)                   
> >>
> > www.modssl.org
> > 
> >>User Support Mailing List                      [EMAIL PROTECTED]
> >>Automated List Manager                            [EMAIL PROTECTED]
> > 
> > 
> > 
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > User Support Mailing List                      [EMAIL PROTECTED]
> > Automated List Manager                            [EMAIL PROTECTED]
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> > User Support Mailing List                      [EMAIL PROTECTED]
> > Automated List Manager                            [EMAIL PROTECTED]
> 
> 
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            
>[EMAIL PROTECTED]����'���iǭ��^�$���l�\0�j��h�,z����+�Ƣ�)�.+-��l�[�z�&��,����h��^t���Ƨj�����&�j��h�

Reply via email to