It's not possible. The problem is that Apache cannot work out what key
to use, i.e. in normal port 80 HTTP the client connects to the webserver
and does the following:

GET / HTTP/1.1
Host: www.slug.org.au

the Host: header tells apache which virtual to use, i.e. via the ServerName
and ServerAlias directives.

However in an SSL connection all of the above is encrypted which means
that apache won't know what virtual it is until it decrypts it. So if it
doesn't know what virtual it is then it doesn't know which key to use.

What you need to do is assign 1 IP address per SSL virtual. Or if all
the virtuals are going to be under the same subdomain you can get a
*.domain key and use the same one for each virtuals.

I've been thinking of how feasible it would be to write some sort of
apache patch that just tries to decrypt the connection with all the keys
until it gets a valid decryption, but I'm sure this wouldn't scale very
well :)
 
On Sat, Sep 28, 2002 at 09:50:19AM +1000, Howard Lowndes wrote:
> I am trying to run SSL on virtual hosts, but even though I have valid SSL
> certificates for the virtual host and they are showing up as being loaded
> correctly, the certificate that gets served is that belonging to the
> primary, ie, first, virtual host and not the one related to the VH that I
> am currently working with.
> 
> The Apache docs state as below.  Does this mean what I am after is not
> doable or do I have another problem:
> 
> "Why can't I use SSL with name-based/non-IP-based virtual hosts?
> 
> The reason is very technical. Actually it's some sort of a chicken
> and egg problem: The SSL protocol layer stays below the HTTP protocol
> layer and encapsulates HTTP. When an SSL connection (HTTPS) is
> established Apache/mod_ssl has to negotiate the SSL protocol parameters
> with the client. For this mod_ssl has to consult the configuration of
> the virtual server (for instance it has to look for the cipher suite,
> the server certificate, etc.). But in order to dispatch to the correct
> virtual server Apache has to know the Host HTTP header field. For this
> the HTTP request header has to be read. This cannot be done before the
> SSL handshake is finished. But the information is already needed at the
> SSL handshake phase. Bingo!"
> 
> -- 
> Howard.
> LANNet Computing Associates - Your Linux people
> Contact detail at http://www.lannetlinux.com
> "Flatter government, not fatter government." - me
>  Get rid of the Australian states.
> ------------------------------------------
> If electricity comes from electrons, does morality come from morons?
> 
> 
> -- 
> SLUG - Sydney Linux User's Group - http://slug.org.au/
> More Info: http://lists.slug.org.au/listinfo/slug

-- 
John
http://www.inodes.org/
-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
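The per-IP layout the reply recommends, written out as an added Apache configuration example (not from the thread or from the Apache docs). The addresses (192.0.2.x), hostnames, and certificate paths are assumed placeholders; the point is that each SSL virtual host is bound to its own address:port, so mod_ssl can choose the certificate from the destination address before any HTTP header is readable.

```apache
# Added example, not from the thread. One IP address per SSL virtual host:
# the certificate is selected by the address the client connected to, which
# is known before the handshake, unlike the Host: header.
# 192.0.2.10 / 192.0.2.11 are RFC 5737 documentation addresses (placeholders).
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName www.example.org
    DocumentRoot /var/www/www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName lists.example.org
    DocumentRoot /var/www/lists.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/lists.example.org.key
</VirtualHost>

# Alternative from the reply: hosts under one domain on a single address can
# share a wildcard (*.example.org) certificate. The handshake is done with the
# first <VirtualHost> for that address:port, so every name-based SSL host on
# it must point at the same certificate and key; the Host: header then picks
# the right DocumentRoot only after decryption.
NameVirtualHost 192.0.2.12:443
Listen 192.0.2.12:443

<VirtualHost 192.0.2.12:443>
    ServerName www.example.org
    DocumentRoot /var/www/www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.org.key
</VirtualHost>

<VirtualHost 192.0.2.12:443>
    ServerName lists.example.org
    DocumentRoot /var/www/lists.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.org.key
</VirtualHost>
```

A quick check after reloading is to connect to each address with `openssl s_client -connect 192.0.2.11:443` and confirm the subject of the served certificate matches that host; if the first host's certificate appears for every name on one address, the hosts were not given separate addresses.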
