httpd-users mailing list archives

From Martin Kuba <>
Subject Re: [users@httpd] Name-based SSL virtual hosts
Date Mon, 24 Jan 2011 09:13:58 GMT
Hi Wolfgang,

there is a chicken-and-egg problem with name-based virtual hosts
and SSL. The SSL connection is established *before* HTTP communication,
so the SSL server does not know what Host: HTTP header will be sent
at the moment it decides which SSL server certificate to send.

So for SSL HTTP servers, each server needs its own IP address;
name-based virtual hosts are not possible.

There is a solution for this problem: a change in the SSL protocol
which allows sending the host name in the SSL handshake. However, it is not
supported by all web browsers.

For details see

In a nutshell, if you want to support MSIE on Windows XP, you cannot use it.

I solve this by using one IP address for all SSL servers with the same DNS domain owner,
and an SSL server certificate that has all the server names as subjectAltNames.
That works for all browsers, but it is some hassle to create a new certificate
for all names each time a new SSL server is added.



On 21.1.2011 22:18, wrote:
> Hi,
> I am not too familiar with Apache, so the following message has stumped me.
> [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
> Can somebody explain what that means and what are the consequences?
> Thanks so much!
> Wolfgang

Supercomputing Center Brno             Martin Kuba
Institute of Computer Science    email:
Masaryk University   
Botanicka 68a, 60200 Brno, CZ     mobil: +420-603-533775
