Re: Apache SSL named based virtual hosts

Bob Proulx:
> Jochen Schulz wrote:
> > Modern browsers appear to support that TLS extension:
> > https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_Indication#Browsers
>
> I will implement this in a test installation and get some experience
> with this feature. The future looks brighter!

The funny thing is that this new standard gets adopted at the time when
many ISPs seriously start thinking about IPv6, where address shortage is
not an issue anymore. ;-)

> > When using this, you run into problems with IE7, though… Personally, I
> > have never seen this in production.
>
> Let me vilify MSIE 6 and say that it needs to die. Its use is damaging
> to the community.

Sure, and I agree with the rest of what you said. But beware: the
Wikipedia link suggests that SNI isn't supported at all for IE on
Windows XP.

J.
-- 
Driving behind lorries carrying hazardous chemicals makes me wish for a
simpler life.
[Agree]   [Disagree]
                 http://www.slowlydownward.com/NODATA/data_enter2.html
Apache SSL named based virtual hosts

In another thread:
Boyd Stephen Smith Jr. wrote:
> ... Apache (from upstream) has supported it for a while and I've had it
> in production (system based on Ubuntu Maverick) for a number of months.
>
> Re: NameVirtualHost *:443

This is good to hear but if so then how do they pull that off? I thought
for https that the certificate negotiation was tied to the IP address?
No?

Is there a way to have all of the browsers use starttls for https and to
be able to share virtual hosts with SSL on a single IP address? That
would be awesome! Where can I read about it? It is a feature that I have
wanted for a very long time.

Bob
Re: Apache SSL named based virtual hosts

On Mon, Jan 24, 2011 at 01:23:35PM -0700, Bob Proulx wrote:
> In another thread:
> Boyd Stephen Smith Jr. wrote:
> Is there a way to have all of the browsers use starttls for https ...
> and to be able to share virtual hosts with SSL on a single IP address?
> That would be awesome! Where can I read about it? It is a feature that
> I have wanted for a very long time.

When I need to do this, mostly for testing purposes, I create another
ssl-enabled vhost on a different port (same IP), and ensure the CN in
the server cert includes the port; IIRC, httpd didn't like not doing so.
But this is not for named vhosting, but for IP-based vhosting.

HTH.
-- 
Primary key fingerprint: 0FDA C36F F110 54F4 D42B D0EB 617D 396C 448B 31EB
Re: Apache SSL named based virtual hosts

In 20110124202335.ga5...@hysteria.proulx.com, Bob Proulx wrote:
> In another thread:
> Boyd Stephen Smith Jr. wrote:
> > ... Apache (from upstream) has supported it for a while and I've had
> > it in production (system based on Ubuntu Maverick) for a number of
> > months.
> >
> > Re: NameVirtualHost *:443
>
> This is good to hear but if so then how do they pull that off? I
> thought for https that the certificate negotiation was tied to the IP
> address? No?
>
> Is there a way to have all of the browsers use starttls for https and
> to be able to share virtual hosts with SSL on a single IP address?
> That would be awesome! Where can I read about it? It is a feature that
> I have wanted for a very long time.

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

I believe Lenny does actually have a recent enough version of both
apache2 and libssl0.9.8, but I've not tried using SNI with Lenny's
version of Apache.
-- 
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
b...@iguanasuicide.net                      ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy            `-'(. .)`-'
http://iguanasuicide.net/                       \_/
Re: Apache SSL named based virtual hosts

Bob Proulx:
> Boyd Stephen Smith Jr. wrote:
> > ... Apache (from upstream) has supported it for a while and I've had
> > it in production (system based on Ubuntu Maverick) for a number of
> > months.
> >
> > Re: NameVirtualHost *:443
>
> This is good to hear but if so then how do they pull that off? I
> thought for https that the certificate negotiation was tied to the IP
> address? No?

The problem is/was that the TLS handshake was initiated before the HTTP
request was sent. Since only the request included the Host header, the
web server couldn't show a certificate for the requested domain name. A
better explanation can be found here:

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

In order to fix this problem, the TLS protocol had to be extended:

http://www.ietf.org/rfc/rfc3546.txt

I only read the introduction, but it appears that the client may now
simply send the relevant hostname before the server presents its
certificate.

Modern browsers appear to support that TLS extension:

https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_Indication#Browsers

When using this, you run into problems with IE7, though… Personally, I
have never seen this in production.

J.
-- 
I wear a lot of leather but would never wear fur.
[Agree]   [Disagree]
                 http://www.slowlydownward.com/NODATA/data_enter2.html
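To make the mechanism in the message above concrete, here is an added example; it is not code from the thread and not mod_ssl's implementation. It builds a TLS ClientHello with and without the RFC 3546 server_name extension, parses the name back out the way a server has to before it can choose which certificate to present, and models the vhost choice Apache makes for NameVirtualHost *:443. The vhost table and certificate paths are constructed for illustration; the strict branch is a simplified stand-in for what SSLStrictSNIVHostCheck on does (refuse a client that sends no SNI, which is the IE on Windows XP case raised in the thread), and the case-insensitive name match is an assumption of this model.

```python
"""Minimal TLS ClientHello builder/parser showing how SNI lets a server pick
a name-based SSL vhost before it sends its certificate. Added example; the
hello is hand-built with only the fields a parser needs."""
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type from RFC 3546 section 3.1
HOST_NAME = 0x00          # the only NameType RFC 3546 defines


class NoSNI(Exception):
    """Raised when a non-SNI client hits a server that insists on SNI."""


def build_client_hello(server_name=None, version=(3, 1)):
    """Return a TLS record carrying a minimal ClientHello.

    server_name=None yields a hello with no extensions block at all, which is
    what a pre-RFC 3546 client sends. Random and session_id are zero/empty:
    this is a parsing demo, not a real client."""
    body = bytes(version)                        # client_version
    body += b"\x00" * 32                         # random
    body += b"\x00"                              # session_id: empty
    body += struct.pack(">H", 2) + b"\x00\x2f"   # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                          # one compression method: null
    if server_name is not None:
        name = server_name.encode("idna")
        entry = bytes([HOST_NAME]) + struct.pack(">H", len(name)) + name
        sni_list = struct.pack(">H", len(entry)) + entry
        ext = struct.pack(">HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack(">H", len(ext)) + ext   # extensions block
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + bytes(version) + struct.pack(">H", len(hs)) + hs


def _take(buf, pos, n):
    """Slice n bytes at pos or raise, so a truncated hello cannot overrun."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def parse_sni(record):
    """Return the host_name from the server_name extension, or None when the
    ClientHello carries none. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs, _ = _take(record, 5, struct.unpack(">H", record[3:5])[0])
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body, _ = _take(hs, 4, int.from_bytes(hs[1:4], "big"))
    _, pos = _take(body, 0, 2 + 32)                          # version + random
    sid, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, sid[0])                        # session_id
    cs, pos = _take(body, pos, 2)
    _, pos = _take(body, pos, struct.unpack(">H", cs)[0])    # cipher_suites
    cm, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, cm[0])                         # compression_methods
    if pos == len(body):
        return None                                          # no extensions at all
    el, pos = _take(body, pos, 2)
    exts, _ = _take(body, pos, struct.unpack(">H", el)[0])
    pos = 0
    while pos < len(exts):
        hdr, pos = _take(exts, pos, 4)
        etype, elen = struct.unpack(">HH", hdr)
        data, pos = _take(exts, pos, elen)
        if etype != EXT_SERVER_NAME:
            continue
        ll, p = _take(data, 0, 2)
        names, _ = _take(data, p, struct.unpack(">H", ll)[0])
        p = 0
        while p < len(names):
            nh, p = _take(names, p, 3)
            name, p = _take(names, p, struct.unpack(">H", nh[1:3])[0])
            if nh[0] == HOST_NAME:
                return name.decode("idna")
    return None


# Constructed stand-in for the <VirtualHost *:443> blocks; the first entry is
# the default vhost, as with NameVirtualHost *:443.
VHOSTS = [
    ("www.example.com", "/etc/ssl/certs/www.example.com.pem"),
    ("shop.example.com", "/etc/ssl/certs/shop.example.com.pem"),
]


def select_vhost(record, strict=False):
    """Pick the (ServerName, certificate) to present for this ClientHello.
    Simplified model: a matching SNI name selects that vhost, an unknown name
    falls back to the default, and a client with no SNI gets the default
    unless strict is set (approximating SSLStrictSNIVHostCheck on), in which
    case it is refused."""
    name = parse_sni(record)
    if name is None:
        if strict:
            raise NoSNI("client sent no server_name; refusing non-SNI client")
        return VHOSTS[0]
    for host, cert in VHOSTS:
        if host.lower() == name.lower():        # assumption: case-insensitive match
            return host, cert
    return VHOSTS[0]


if __name__ == "__main__":
    for hello in (build_client_hello("shop.example.com"), build_client_hello()):
        print(parse_sni(hello), "->", select_vhost(hello))
```

The point to take from the no-SNI path is the one the thread circles around: without the extension the server has nothing to dispatch on, so every non-SNI client silently lands on the first vhost's certificate and gets a name mismatch warning for any other site; turning strict mode on trades that confusing warning for an outright refusal.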
Re: Apache SSL named based virtual hosts

In 201101241443.22084@iguanasuicide.net, Boyd Stephen Smith Jr. wrote:
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
>
> I believe Lenny does actually have a recent enough version of both
> apache2 and libssl0.9.8, but I've not tried using SNI with Lenny's
> version of Apache.

(Correcting myself)

Unless the feature was backported to Lenny (unlikely), then Lenny's
apache2 is not new enough to support SNI. You need at least Apache
2.2.12. A quick review of
/usr/share/doc/apache2.2-common/changelog{.Debian,}.gz does not indicate
SNI was backported to Lenny.
-- 
Boyd Stephen Smith Jr.                     ,= ,-_-. =.
b...@iguanasuicide.net                      ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy            `-'(. .)`-'
http://iguanasuicide.net/                       \_/
Re: Apache SSL named based virtual hosts

Jochen Schulz wrote:
> The problem is/was that the TLS handshake was initiated before the HTTP
> request was sent. Since only the request included the Host header, the
> web server couldn't show a certificate for the requested domain name. A
> better explanation can be found here:
> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

Right. That has been the limitation for a long time. Being well aware
of that limitation was why I was asking about this when I heard
otherwise.

Boyd Stephen Smith Jr. wrote:
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Jochen Schulz wrote:
> In order to fix this problem, the TLS protocol had to be extended:
> http://www.ietf.org/rfc/rfc3546.txt
> I only read the introduction, but it appears that the client may now
> simply send the relevant hostname before the server presents its
> certificate.

I have been waiting for just such a feature to appear! All very
interesting references. Thanks to both of you for sharing them.

> Modern browsers appear to support that TLS extension:
> https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_Indication#Browsers

I will implement this in a test installation and get some experience
with this feature. The future looks brighter!

> When using this, you run into problems with IE7, though… Personally, I
> have never seen this in production.

Let me vilify MSIE 6 and say that it needs to die. Its use is damaging
to the community.

Unfortunately I still need to deal with MSIE 6 and can't ignore it. I
have a client who provides management training classes and looking just
now I see that 28% of his paying customers in the last six months used
MSIE 6. Most of those are from corporate accounts where a large
bureaucratic IT department controls everything with an iron fist. In
this economy it isn't a good idea to walk away from the money of a
paying customer. And so I am still dealing with MSIE 6. But of course
that is just one situation. For other situations things will go the
other way.

I have one site in particular where this isn't a limitation and could
really benefit from this feature. I will try it out there and I am
confident there won't be any issues with it. If more sites implemented
SNI and prevented MSIE6 from functioning then it would cause greater
pressure for those users to move forward to another browser. In that
spirit I think everyone should implement it! If everyone did then the
MSIE6 problem would be forced to be resolved very quickly.

Bob