>-----Original Message-----
>From: Charles B Cranston [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, 8 January 2003 21:53
>To: [EMAIL PROTECTED]
>Subject: Re: Signing certificates on Windows
>
>
>> Franck Martin wrote:
>> You can't use virtual hosts on apache with https.
>> Each host must have its own IP address, that's what I learnt
>> from the doc...
>> Maybe it is fixed somehow...
>
>The reason is that the security is negotiated before even one byte
>is sent down the channel, and the server has no way of knowing
>WHICH of the various virtual hosts you want to talk to until it has
>read the incoming HTTP header, which it cannot do until the
>security has been negotiated.
>
>One might think the server would have a single certificate that it
>uses before trying to find out the desired virtual host name.
>However, it turns out it has to know WHICH virtual host name is
>wanted to select WHICH certificate to use! Chicken and egg.
>
>There might be a solution with a single certificate that has all
>the virtual host names as subjectAltNames but I'm too much in
>alligator mode to look at such swamps...
The important thing is that SSL is as much about authentication as it is about encryption. If all we were concerned about was encryption, then you would just have a certificate bound to the server's IP address, and the SSL channel could be established without bothering about which VH to use. Then, NBVH would work with encryption-only SSL.

However, it is also vital to *authenticate* the server. That is, the URL the user types into the browser must match the Common Name in the certificate (remember that in a real certificate, the Common Name is guaranteed to belong to the server by the certificate signing authority - not just anyone can get a certificate for www.amazon.com, for instance). This is why the certificate must be defined at a VH level and not server-wide.

Encryption is like sending your money to the bank in an armoured car. Authentication is making sure that the armoured car really does go to the bank.

Rgds,

Owen Boyle

>
>--
>
>Charles B. (Ben) Cranston
>mailto:[EMAIL PROTECTED]
>http://www.wam.umd.edu/~zben
>______________________________________________________________________
>OpenSSL Project http://www.openssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
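The authentication step Owen describes (the hostname from the URL must match a name the certificate carries) and the multi-name certificate Charles floats (one certificate listing every virtual host as a subjectAltName) can both be shown with the check a client performs after the handshake. The following is an added example, not code from the thread or from OpenSSL or Apache. It models the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns and applies the matching rules browsers use: DNS entries in subjectAltName take precedence, the subject Common Name is consulted only when the certificate has no DNS subjectAltName entries, and a wildcard may only stand for the entire leftmost label. The certificates and hostnames are constructed for the example and are not real.

```python
"""Hostname-vs-certificate matching for name-based virtual hosts (added example)."""
from urllib.parse import urlsplit


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly '*.example.test') against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, may cover exactly one label,
    # and is refused for names with fewer than three labels (no '*.test').
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> tuple:
    """Return (san_dns_names, common_names) from a getpeercert()-style dict."""
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for (key, value) in rdn
           if key == "commonName"]
    return san, cns


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for this hostname under browser rules."""
    san, cns = certificate_names(cert)
    candidates = san if san else cns  # CN is only a fallback when no SAN DNS names exist
    return any(_dns_name_matches(name, hostname) for name in candidates)


def url_authenticates(cert: dict, url: str) -> bool:
    """Apply the check to the host part of the URL the user typed."""
    host = urlsplit(url).hostname
    return host is not None and hostname_matches(cert, host)


# Constructed sample certificates in getpeercert() shape (not real certificates).
# One certificate per virtual host: only its own name is acceptable.
CERT_WWW_ONLY = {
    "subject": ((("commonName", "www.example.test"),),),
}
# One certificate carrying every virtual host name as a subjectAltName.
CERT_MULTI_NAME = {
    "subject": ((("commonName", "ignored-cn.example.test"),),),
    "subjectAltName": (
        ("DNS", "www.example.test"),
        ("DNS", "shop.example.test"),
        ("DNS", "*.dev.example.test"),
    ),
}

if __name__ == "__main__":
    for cert_name, cert in (("www-only", CERT_WWW_ONLY), ("multi-name", CERT_MULTI_NAME)):
        for url in ("https://www.example.test/", "https://shop.example.test/",
                    "https://api.dev.example.test/", "https://ignored-cn.example.test/"):
            print(f"{cert_name:10s} {url:35s} -> {url_authenticates(cert, url)}")
```

Running the block prints one line per certificate and URL; the www-only certificate authenticates only `www.example.test`, while the multi-name certificate authenticates each listed virtual host and anything one label below `dev.example.test`. Note that the Common Name of the multi-name certificate is ignored because subjectAltName DNS entries are present, which is the rule current browsers apply.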
