Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with2 Certificates)

[James Collier]

[EMAIL PROTECTED] wrote:

Are there any docs for setting this up?

Not as such - I cooked the site up as a one-off, with the feeling that much of it came under the dirty hack classification (particularly as almost every mod-ssl document contains wording to the effect of "Don't ever ever ever under any circumstances try to use NBVHs with mod-ssl")

There's nothing particularly innovative or devious here - and I'm in the rare position of working with a smallish closed user group whose members are willing and competent to do some basic browser certificate management.

But I suppose if people feel this set-up is legitimate, useful and non-trivial I ought to make time to write up a quick How-to and/or an expurgated config file. Is there a suitable Apache cookbook where such recipes are collected?

Regards,
James.

thanks
Robert
----- Original Message ----- From: "James Collier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 13, 2003 12:29 PM
Subject: Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

Many thanks Owen - I'll sleep more easily now ;)

Boyle Owen wrote:

-----Original Message-----
From: James Collier [mailto:[EMAIL PROTECTED]]

At the moment, the handshake take place using the first matching vhost on the basis of IP+Port, but evidently Apache then scans the decrypted host header and assigns the correct NBVH.

Exactly. The SSL transaction is handled by mod_ssl. The apache core is only used initially to deliver a certificate to the SSL Engine. As you rightly say, given only an IP address and port number, it simply responds with the first cert it finds in a matching VH. Having obtained a cert, mod_ssl establishes the SSL channel with the browser - thereafter, the requests are decrypted and passed "en clair" to the apache core. So now apache can apply its NBVH algorithm happily.

This is using 1.3.x; I haven't tested 2.x yet.

It will be the same. This is a feature of the HTTPS layer and is unaffected by what happens in the apache core, which is under HTTPS.

My fear is that future apache+modssl code may lock-in the first NBVH that matches on the basis of IP+Port, which would break my scheme.

Not likely. Each request is allowed to contain its own "Host" header. So there is no reason why the server should override it. In any case, there is no mechanism for the server to "remember" that subsequent requests from a particular client were originally served from a certain VH. HTTPS is an additional onion-layer which entirely encapsulates HTTP so there should be no spillover from one to the other.

Rgds,

Owen Boyle

Regards,
James.

PS For those of you who were wondering, we use a private CA to issue the wildcard server cert. As someone has already noted, Thawte advertise them as well.

Boyle Owen wrote:

-----Original Message-----
From: James Collier [mailto:[EMAIL PROTECTED]]

I realise I am on thin ice as it would be a "reasonable" optimisation to assign the final virtual host at an earlier stage than is currently the case with SSL.

                                      ^^^
                          I meant "apache+modssl"

I wouldn't worry too much. Currently, in an SSL transaction, *all*
information is regarded as requiring encryption - including the Host
header in the original request. So the SSL session has to be

established

before any traffic takes place. Anything different (e.g. putting the
host header in the SSL layer) would be a major revision of

the protocol.

One of two things will happen first:

- IPv6 will take off, creating so many IP addresses that NBVH will be
unnecessary and we will revert to one site, one IP.
- A new SSL-like protocol will appear which promotes the site name to
the SSL layer thus enabling NBVH.

Either way, you'll need substantially to upgrade and reconfigure your
server so you'll be well aware of the changes.

Rgds,

Owen Boyle

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any

mistransmission.

If you receive this message in error, please notify the

sender urgently

and then immediately delete the message and any copies of it

from your

system. Please also immediately destroy any hardcopies of

the message.

You must not, directly or indirectly, use, disclose,

distribute, print,

or copy any part of this message if you are not the intended

recipient.

The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company.

______________________________________________________________________

Apache Interface to OpenSSL (mod_ssl)

www.modssl.org

User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]����'���iǭ �^�$���l�\0�j��h�,z����+�Ƣ�)�.+-��l�[�z�&��,����h��^t���Ƨj�����&�j��h

rg==

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]