httpd-cvs mailing list archives

From n.@apache.org
Subject cvs commit: httpd-2.0/docs/manual/ssl ssl_faq.html.en ssl_faq.xml
Date Sun, 05 Jan 2003 04:11:10 GMT
nd          2003/01/04 20:11:10

  Modified:    docs/manual/ssl Tag: APACHE_2_0_BRANCH ssl_faq.html.en
                        ssl_faq.xml
  Log:
  backport of ssl_faq changes
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.5.2.3   +37 -11    httpd-2.0/docs/manual/ssl/ssl_faq.html.en
  
  Index: ssl_faq.html.en
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/ssl/ssl_faq.html.en,v
  retrieving revision 1.5.2.2
  retrieving revision 1.5.2.3
  diff -u -r1.5.2.2 -r1.5.2.3
  --- ssl_faq.html.en	23 Dec 2002 16:43:42 -0000	1.5.2.2
  +++ ssl_faq.html.en	5 Jan 2003 04:11:09 -0000	1.5.2.3
  @@ -147,7 +147,6 @@
   <li><a href="#coredump">Core dumps for HTTPS requests?</a></li>
   <li><a href="#mutex">Permission problem on SSLMutex</a></li>
   <li><a href="#mm">Shared memory and process size?</a></li>
  -<li><a href="#mmpath">Shared memory and pathname?</a></li>
   <li><a href="#entropy">PRNG and not enough entropy?</a></li>
   </ul>
   
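Review bot: dropping the `#mmpath` list entry is consistent with the removal of the matching `<h3 id="mmpath">` section later in this file, so no dangling in-page link remains. Since `ssl_faq.html.en` is the generated output of `ssl_faq.xml`, the content decision belongs to the XML hunk; this one only needs checking that it is the faithful transform of that change, and it is (same entry, same position in the list).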
  @@ -186,16 +185,6 @@
       instance and not once per Apache server process.</p>
   
   
  -<h3><a name="mmpath" id="mmpath">Apache creates files in a directory declared
by the internal
  -EAPI_MM_CORE_PATH define. Is there a way to override the path using a
  -configuration directive?</a></h3>
  -<p>No, there is not configuration directive, because for technical
  -    bootstrapping reasons, a directive not possible at all. Instead
  -    use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
  -    ./configure ...</code>'' when building Apache or use option
  -    <code>-d</code> when starting <code>httpd</code>.</p>
  -
  -
   <h3><a name="entropy" id="entropy">When I fire up the server, mod_ssl stops
with the error
   "Failed to generate temporary 512 bit RSA private key", why?</a></h3>
   <p>Cryptographic software needs a source of unpredictable data
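Review bot: this hunk removes the only place the FAQ mentioned `EAPI_MM_CORE_PATH` and the `httpd -d` option, and the log message ("backport of ssl_faq changes") gives no reason; a reader who previously followed `ssl_faq.html.en#mmpath` now gets no answer at all. If the question simply does not apply to httpd 2.0 any more, a one-line statement to that effect under the preceding `#mm` section ("Shared memory and process size?") would be friendlier than dropping it silently. The removed text was also ungrammatical ("there is not configuration directive ... a directive not possible at all"), so if it is kept anywhere it needs rewording rather than a straight restore.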
  @@ -687,6 +676,8 @@
   <li><a href="#adh">How to use Anonymous-DH ciphers</a></li>
   <li><a href="#sharedciphers">Why do I get 'no shared ciphers'?</a></li>
   <li><a href="#vhosts">HTTPS and name-based vhosts</a></li>
  +<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual
  +Hosting to identify different SSL virtual hosts?</a></li>
   <li><a href="#lockicon">The lock icon in Netscape locks very late</a></li>
   <li><a href="#msie">Why do I get I/O errors with MSIE clients?</a></li>
   <li><a href="#nn">Why do I get I/O errors with NS clients?</a></li>
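Review bot: the new `#vhosts2` entry is a full two-line question while every neighbouring entry in this list is a short label (`HTTPS and name-based vhosts`, `Why do I get 'no shared ciphers'?`), and it sits directly under `#vhosts`, which already covers the same topic. Either shorten it to match the list style (for example `Several SSL sites on one IP/port?`) or fold the new material into the existing `#vhosts` entry instead of adding a second entry for the same question.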
  @@ -774,6 +765,41 @@
       HTTP request header has to be read. This cannot be done before the SSL
       handshake is finished. But the information is already needed at the SSL
       handshake phase. Bingo!</p>
  +
  +
  +<h3><a name="vhosts2" id="vhosts2">Why is it not possible to use Name-Based
  +Virtual Hosting to identify different SSL virtual hosts?</a></h3>
  +    <p>Name-Based Virtual Hosting is a very popular method of identifying
  +    different virtual hosts. It allows you to use the same IP address and
  +    the same port number for many different sites. When people move on to
  +    SSL, it seems natural to assume that the same method can be used to have
  +    lots of different SSL virtual hosts on the same server.</p>
  +
  +    <p>It comes as rather a shock to learn that it is impossible.</p> 
  +
  +    <p>The reason is that the SSL protocol is a separate layer which
  +    encapsulates the HTTP protocol. So the problem is that the SSL session
  +    is a separate transaction that takes place before the HTTP session even
  +    starts. Therefore all the server receives is an SSL request on IP
  +    address X and port Y (usually 443). Since the SSL request does not
  +    contain any Host: field, the server has no way to decide which SSL
  +    virtual host to use. Usually, it will just use the first one it finds
  +    that matches the port and IP address.</p> 
  +
  +    <p>You can, of course, use Name-Based Virtual Hosting to identify many
  +    non-SSL virtual hosts (all on port 80, for example) and then you can
  +    have no more than 1 SSL virtual host (on port 443). But if you do this,
  +    you must make sure to put the non-SSL port number on the NameVirtualHost
  +    directive, e.g.</p> 
  +
  +    <div class="example"><p><code>
  +      NameVirtualHost 192.168.1.1:80
  +    </code></p></div>
  +    
  +    <p>Other workaround solutions are: </p>
  +
  +    <p>Use separate IP addresses for different SSL hosts. 
  +    Use different port numbers for different SSL hosts.</p> 
   
   
   <h3><a name="lockicon" id="lockicon">When I use Basic Authentication over HTTPS
the lock icon in Netscape browsers
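Review bot: the new section restates what the preceding `#vhosts` answer already explains (the context lines above: the Host header cannot be read before the handshake finishes, but the information is needed during the handshake), so the FAQ now answers the same question twice in a row in two different tones; consider merging the new explanation and the workarounds into `#vhosts`. Within the added text: `Other workaround solutions are:` is followed by two sentences in a single `<p>` that read as a list and should be a `<ul>` with two `<li>` items; `It comes as rather a shock to learn that it is impossible.` is chatty for reference documentation; and `have no more than 1 SSL virtual host` should spell out `one`. Several added lines also carry trailing whitespace after `</p>`, which will show up as noise in the next diff.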
  
  
  
  1.5.2.2   +37 -11    httpd-2.0/docs/manual/ssl/ssl_faq.xml
  
  Index: ssl_faq.xml
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/docs/manual/ssl/ssl_faq.xml,v
  retrieving revision 1.5.2.1
  retrieving revision 1.5.2.2
  diff -u -r1.5.2.1 -r1.5.2.2
  --- ssl_faq.xml	23 Dec 2002 16:43:42 -0000	1.5.2.1
  +++ ssl_faq.xml	5 Jan 2003 04:11:10 -0000	1.5.2.2
  @@ -139,7 +139,6 @@
   <li><a href="#coredump">Core dumps for HTTPS requests?</a></li>
   <li><a href="#mutex">Permission problem on SSLMutex</a></li>
   <li><a href="#mm">Shared memory and process size?</a></li>
  -<li><a href="#mmpath">Shared memory and pathname?</a></li>
   <li><a href="#entropy">PRNG and not enough entropy?</a></li>
   </ul>
   
  @@ -178,16 +177,6 @@
       instance and not once per Apache server process.</p>
   </section>
   
  -<section id="mmpath"><title>Apache creates files in a directory declared by
the internal
  -EAPI_MM_CORE_PATH define. Is there a way to override the path using a
  -configuration directive?</title>
  -<p>No, there is not configuration directive, because for technical
  -    bootstrapping reasons, a directive not possible at all. Instead
  -    use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
  -    ./configure ...</code>'' when building Apache or use option
  -    <code>-d</code> when starting <code>httpd</code>.</p>
  -</section>
  -
   <section id="entropy"><title>When I fire up the server, mod_ssl stops with
the error
   "Failed to generate temporary 512 bit RSA private key", why?</title>
   <p>Cryptographic software needs a source of unpredictable data
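Review bot: removing the whole `<section id="mmpath">` drops the `mmpath` anchor from every generated page, so external links and search results pointing at `ssl_faq.html#mmpath` will land at the top of the page rather than at an answer. If that is acceptable it deserves a sentence in the log message, which at present only says "backport of ssl_faq changes"; if not, keep a stub section with that id that points at the current guidance.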
  @@ -683,6 +672,8 @@
   <li><a href="#adh">How to use Anonymous-DH ciphers</a></li>
   <li><a href="#sharedciphers">Why do I get 'no shared ciphers'?</a></li>
   <li><a href="#vhosts">HTTPS and name-based vhosts</a></li>
  +<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual
  +Hosting to identify different SSL virtual hosts?</a></li>
   <li><a href="#lockicon">The lock icon in Netscape locks very late</a></li>
   <li><a href="#msie">Why do I get I/O errors with MSIE clients?</a></li>
   <li><a href="#nn">Why do I get I/O errors with NS clients?</a></li>
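Review bot: the ToC in this XML is a hand-written `<ul>`, and the new entry copies the section `<title>` word for word, so any later edit to the title has to be repeated here by hand; the other entries avoid that by using a short paraphrase (`HTTPS and name-based vhosts`). Use a short label here too, and ideally one that distinguishes this entry from `#vhosts` immediately above it, since both currently describe the same problem.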
  @@ -770,6 +761,41 @@
       HTTP request header has to be read. This cannot be done before the SSL
       handshake is finished. But the information is already needed at the SSL
       handshake phase. Bingo!</p>
  +</section>
  +
  +<section id="vhosts2"><title>Why is it not possible to use Name-Based
  +Virtual Hosting to identify different SSL virtual hosts?</title>
  +    <p>Name-Based Virtual Hosting is a very popular method of identifying
  +    different virtual hosts. It allows you to use the same IP address and
  +    the same port number for many different sites. When people move on to
  +    SSL, it seems natural to assume that the same method can be used to have
  +    lots of different SSL virtual hosts on the same server.</p>
  +
  +    <p>It comes as rather a shock to learn that it is impossible.</p> 
  +
  +    <p>The reason is that the SSL protocol is a separate layer which
  +    encapsulates the HTTP protocol. So the problem is that the SSL session
  +    is a separate transaction that takes place before the HTTP session even
  +    starts. Therefore all the server receives is an SSL request on IP
  +    address X and port Y (usually 443). Since the SSL request does not
  +    contain any Host: field, the server has no way to decide which SSL
  +    virtual host to use. Usually, it will just use the first one it finds
  +    that matches the port and IP address.</p> 
  +
  +    <p>You can, of course, use Name-Based Virtual Hosting to identify many
  +    non-SSL virtual hosts (all on port 80, for example) and then you can
  +    have no more than 1 SSL virtual host (on port 443). But if you do this,
  +    you must make sure to put the non-SSL port number on the NameVirtualHost
  +    directive, e.g.</p> 
  +
  +    <example>
  +      NameVirtualHost 192.168.1.1:80
  +    </example>
  +    
  +    <p>Other workaround solutions are: </p>
  +
  +    <p>Use separate IP addresses for different SSL hosts. 
  +    Use different port numbers for different SSL hosts.</p> 
   </section>
   
   <section id="lockicon"><title>When I use Basic Authentication over HTTPS the
lock icon in Netscape browsers
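Review bot: the structure is fine (the added `</section>` closes the existing `vhosts` section and the new section reuses the original closing tag from context, and `<example>` is the element this document already uses for directives), but the example itself stops short: `NameVirtualHost 192.168.1.1:80` on its own does not show the reader the point being made, namely that the single SSL host must be a plain `<VirtualHost 192.168.1.1:443>` outside the name-based set while the port-80 sites are `<VirtualHost 192.168.1.1:80>` blocks. Showing those two or three lines would make "no more than 1 SSL virtual host" concrete. Also prefer "the SSL handshake carries no host name" to the absolute "it is impossible", since the former states the actual protocol fact the answer rests on; and the two workaround sentences in one `<p>` should be a `<ul>`, as in the HTML rendering.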
  
  
  
