Hey all,

Just wanted to let you know what I found out about this and how I solved the problem.


First, name-based SSL is, as one person told me, only good for one IP address in an Apache installation. I'll let Apache explain it themselves because they are better at it than I am.

"The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified."

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2

So the solution is that each host name has to have its own IP address if you're going to do both port 80 for HTTP and port 443 for HTTPS.

You can assign different ports for your different SSL host names, but that can get messy, and because these are paying customers for an account on our system it was a no-brainer to go with separate IPs per host name.

So my process now is to leave them on the shared virtual host name configuration until they require SSL, which our clients only do when they start processing credit card transactions, and once they do that they get their own IP and we configure them accordingly.

So I hope this little nugget helps anyone who comes across this same issue. And incidentally, if you need to configure IP-based SSL on FreeBSD I'm your guy; I'm now a whiz at it :)

Skip

====================================
Skip Evans
PenguinSites.com, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://penguinsites.com
------------------------------------
Those of you who believe in
telekinesis, raise my hand.
 -- Kurt Vonnegut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
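
The vhost selection described in the message above can be checked before a site goes live. The following is an added example, not part of the original post or of Apache: it scans a configuration for SSL virtual hosts that share an IP:port and would therefore be answered with the first vhost's certificate. The sample configuration, addresses and host names are constructed, and the check assumes the server picks the SSL vhost by IP and port only, as the quoted FAQ says.

```python
import re
from collections import defaultdict

# Constructed sample: documentation-range IPs, made-up host names.
SAMPLE_CONF = """
NameVirtualHost 192.0.2.10:80
<VirtualHost 192.0.2.10:80>
    ServerName shop-a.example
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName shop-b.example
</VirtualHost>
# Problem case: two SSL hosts on one IP:port.
<VirtualHost 192.0.2.10:443>
    ServerName shop-a.example
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName shop-b.example
    SSLEngine on
</VirtualHost>
# IP-based SSL host with a dedicated address.
<VirtualHost 192.0.2.11:443>
    ServerName shop-c.example
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def ssl_vhosts_by_address(conf):
    """Map each IP:port to the ServerNames of the SSL vhosts bound to it, in file order."""
    groups = defaultdict(list)
    for addrs, body in VHOST_RE.findall(conf):
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            continue  # plain HTTP vhost: the Host: header selects it, sharing is fine
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        for addr in addrs.split():
            groups[addr].append(name.group(1) if name else "(no ServerName)")
    return dict(groups)

def shadowed_ssl_hosts(conf):
    """Hosts that share an IP:port with an earlier SSL vhost and so get its certificate."""
    return {addr: names[1:]
            for addr, names in ssl_vhosts_by_address(conf).items() if len(names) > 1}

if __name__ == "__main__":
    for addr, names in shadowed_ssl_hosts(SAMPLE_CONF).items():
        print(f"{addr}: {', '.join(names)} would be served the first vhost's certificate")
```

Wildcard addresses such as `*:443` are compared as literal strings here, so a configuration that mixes wildcard and explicit addresses needs a manual look.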
