With IPv4 address scarcity, most web servers have multiple hosts supported using a single IP address, adding a Host: header to each request header, and using SSL Server Name Indication (SNI) for SSL that needs to know the host before a request is received.
The ICS web server has always supported the Host: header, which can be checked in the BeforeProcessRequest event as MyClient.RequestHostName, while SNI can be checked in the SslServerName event as MyClient.SslServerName. But currently this is not done automatically, applications are responsible for adding code to check the host and changing the server directories so pages for the correct host are served, and the correct SSL context is selected with a matching SSL certificate. I did this recently for my public web server that uses ICS, the server status page shows the four public hosts supported: https://www.telecom-tariffs.co.uk/serverinfo.htm It also reports the certificate chains using the new ValidateCertChain function in V8.41. I created an array of records: TSiteHost = record shHostName: string ; shHostAliass: StringArray ; shHostAliasTot: integer ; shDesc: string ; shBindings: StringArray ; shBindingTot: integer ; shDocDir: string ; shTemplateDir: string ; shDefaultDoc: string ; shSslAllowed: boolean ; shSslCertFileName: string ; shSslPrivKeyFileName: string ; shSslCAFileName: string ; shSslPassPhrase: string ; shSslSecLevel: integer ; shWebLogDir: string ; shSslCtx: TSslContext ; shSslOK: boolean ; shDomains: string ; shCertInfo: string ; shCiphers: string ; shCertExiry: TDateTime ; end; TSiteHosts = array of TSiteHost; which includes all the different information needed for each host site, including the SSL context, which is loaded from settings. I added code to the SslServerName and BeforeProcessRequest events that check for the host (or host alias) and change the context and site root directories appropriately. I'm sure others have added something similar to their web server applications. But should we now add proper host site support to the web server component itself, so these settings can be made at design time if necessary, with simplified application code? As an aside, I used this to test ECC certificates and ciphers, you'll notice that www2.telecom-tariffs.co.uk uses an ECDSA key instead of RSA, with a different intermediate chain, and SSL connects with cipher ECDHE-ECDSA-AES128-GCM-SHA256 instead of cipher ECDHE-RSA-AES128-GCM-SHA256. ECC keys are much shorter than RSA keys, which means less traffic sending then when SSL connects. Angus -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be