httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Kuba <ma...@ics.muni.cz>
Subject Re: [users@httpd] Name-based SSL virtual hosts
Date Mon, 24 Jan 2011 09:13:58 GMT
Hi Wolfgang,

there is a chicken-and-egg problem with name-based virtual hosts
and SSL. The SSL connection is established *before* HTTP communication,
so the SSL server does not know what Host: HTTP header will be sent
in the moment it decides which SSL server certificate to send.

So for SSL HTTP servers, each server needs its own IP address,
virtual named-based hosts are not possible.

There is  a solution for this problem, it is a change in the SSL protocol
which allows to send host name in the SSL handshake. However it is not
supported by all web browsers.

For details see
http://en.wikipedia.org/wiki/Server_Name_Indication#The_fix

In a nutshell, if you want to support MSIE on Windows XP, you cannot use it.

I solve this by using one IP address for all SSL servers with the same DNS domain owner,
and a SSL server certificate that has all the server names as subjectAltNames.
That works for all browsers, but it is some hassle to create a new certificate
for all names each time a new SSL server is added.

Cheers

Martin

Dne 21.1.2011 22:18, Wolfgang.Miska@geigerus.com napsal(a):
> Hi,
>
> I am not too familiar with Apache, so the following message has stumped me.
>
> [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name
indication support (RFC 4366)
>
> Can somebody explain what that means and what are the consequences?
>
> Thanks so much!
>
>
> Wolfgang


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Supercomputing Center Brno             Martin Kuba
Institute of Computer Science    email: makub@ics.muni.cz
Masaryk University             http://www.ics.muni.cz/~makub/
Botanicka 68a, 60200 Brno, CZ     mobil: +420-603-533775
--------------------------------------------------------------


Mime
View raw message