httpd-users mailing list archives

From Tom Evans
Subject Re: [users@httpd] Name-based SSL virtual hosts
Date Mon, 24 Jan 2011 11:02:42 GMT
On Mon, Jan 24, 2011 at 9:13 AM, Martin Kuba wrote:
> Hi Wolfgang,
> there is a chicken-and-egg problem with name-based virtual hosts
> and SSL. The SSL connection is established *before* HTTP communication,
> so the SSL server does not know what Host: HTTP header will be sent
> at the moment it decides which SSL server certificate to send.
> So for SSL HTTP servers, each server needs its own IP address;
> virtual name-based hosts are not possible.
> There is a solution for this problem: a change in the SSL protocol
> that allows the host name to be sent in the SSL handshake. However, it is not
> supported by all web browsers.
> For details see
> In a nutshell, if you want to support MSIE on Windows XP, you cannot use it.
> I solve this by using one IP address for all SSL servers with the same DNS
> domain owner, and an SSL server certificate that has all the server names as
> subjectAltNames.
> That works for all browsers, but it is some hassle to create a new
> certificate for all names each time a new SSL server is added.
> Cheers
> Martin

I do a similar thing, except I now always get wildcard certificates,
e.g. for * Then, I can host all subdomains from
one IP on SSL, no SNI support required in either browser or server.
Wildcard certs can be a little bit more expensive...



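Both approaches in this thread (a certificate listing every server name as a subjectAltName, and a wildcard certificate) depend on which host names a single certificate covers. The following is an added example, not part of the original messages: a simplified RFC 6125-style matcher that reports which virtual-host names a given SAN list leaves uncovered. The function names and the `example.test` host names are constructed for illustration, and only a full-label wildcard in the left-most position is handled.

```python
# Added example: which virtual-host names can one certificate serve?
# Simplified RFC 6125 matching; all host names below are constructed samples.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers the given host name."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    # A "*" anywhere but the left-most label is never honoured.
    if any("*" in label for label in p_labels[1:]):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects "*.test").
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        return False  # partial wildcards such as "w*.example.test" not handled
    return p_labels == h_labels


def uncovered_vhosts(san_list, vhost_names):
    """Names from the server configuration that the certificate does NOT cover."""
    return [name for name in vhost_names
            if not any(san_matches(san, name) for san in san_list)]


# Constructed sample: names served from one IP address.
VHOSTS = ["www.example.test", "mail.example.test", "example.test",
          "a.b.example.test", "shop.example.test"]
SAN_CERT = ["www.example.test", "mail.example.test"]   # explicit SAN list
WILDCARD_CERT = ["*.example.test"]                     # wildcard certificate

if __name__ == "__main__":
    for label, sans in (("SAN list", SAN_CERT), ("wildcard", WILDCARD_CERT)):
        print(label, "leaves uncovered:", uncovered_vhosts(sans, VHOSTS))
```

The wildcard entry covers newly added single-level subdomains without reissuing the certificate, but not the bare domain or names two levels deep; those still need their own SAN entries.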