httpd-dev mailing list archives

From: "Ralf S. Engelschall" <>
Subject: Re: SSL mass-vhosting
Date: Fri, 11 Jun 1999 18:34:27 GMT

In article <001d01beb408$6dbb92e0$0500a8c0@delf> you wrote:
> On Friday, May 21, 1999 3:09 AM, Tony Finch wrote:
>> BTW, something I have been thinking about but haven't investigated yet
>> is mass SSL vhosting. Demon uses IP vhosting for historical reasons
>> but other than that the main reason to do things that way is SSL. It
>> would be cool to get mod_ssl to magically find a vhost's certificate
>> on the fly in a similar manner to mod_vhost_alias and the document
>> root. I haven't got my head round SSLeay yet so this idea probably
>> won't happen until Demon decide they want to do SSL vhosting, unless
>> anyone else wants to do it...
> I think all the certificate and private key files are loaded in the server
> init phase and then stored by mod_ssl. So, it seems that getting mass SSL
> vhosting to work would be more of a trick than just dynamically creating the
> crt/key path from each request... but more of making the crt/key cache
> dynamic.
> Ralf, can you offer any guidance?

mod_ssl reads all cert/keys on init, correct. And it decides which one to use
on a per request, or more correctly, on a per connection basis. But the point
you miss for "SSL mass virtual hosting" is this: EVERY DECISION you want to do
at the HTTP level for the "mass virtual hosting" WILL NOT WORK.  Why? Because
you decide too late. The cert/key has to be already known _before_ any bytes
of the HTTP request will be transferred over the network.  That's a chicken and
egg problem and I'm 99.5% sure you cannot adapt the old "mass virtual hosting"
idea for HTTPS, at least not for solving the cert/key selection problem.  I
would be happy if someone proves me wrong, but I see no chance here :-(
The only way this could be solved is if the SSL layer's Hello messages
already contained the virtual host:port information. But SSLv3/TLSv1 doesn't
support this.
                                       Ralf S. Engelschall
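The mechanism Ralf describes as the only way out, a Hello message that already carries the host name so the server can pick the cert/key before a single HTTP byte arrives, is exactly what the TLS Server Name Indication (SNI) extension standardised a few years after this thread (RFC 3546, later RFC 6066). The script below is an added example and is not code from the thread or from mod_ssl. It constructs a minimal ClientHello record carrying SNI, parses the host name back out of it at the record layer, and maps it to a cert/key pair, which is the per-connection decision mod_ssl would have to make. The host names and file paths in the table are placeholders; the cipher suite and random bytes are filler, not a realistic handshake.

```python
"""Per-vhost certificate selection driven by the TLS ClientHello (SNI).

Added example, not part of the original thread. It shows why the decision
must be made from the Hello message: the parser never looks past the
handshake record, so no HTTP request is needed (or available) yet.
"""
import struct

SNI_EXTENSION_TYPE = 0   # RFC 6066: server_name extension type
SNI_HOST_NAME_TYPE = 0   # RFC 6066: NameType host_name

# Placeholder mapping of virtual host -> (certificate path, private key path).
CERT_TABLE = {
    "www.example.com": ("/etc/ssl/vhosts/www.example.com.crt",
                        "/etc/ssl/vhosts/www.example.com.key"),
    "shop.example.net": ("/etc/ssl/vhosts/shop.example.net.crt",
                         "/etc/ssl/vhosts/shop.example.net.key"),
}
DEFAULT_CREDENTIALS = ("/etc/ssl/default.crt", "/etc/ssl/default.key")


def build_client_hello(host_name=None):
    """Construct a minimal TLS 1.0 ClientHello record. When host_name is
    given, an SNI extension is appended; otherwise the extensions block is
    omitted entirely, as an SSLv3/early-TLS client would send it."""
    extensions = b""
    if host_name is not None:
        name = host_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME_TYPE, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x01"                           # client_version: TLS 1.0
        + b"\x00" * 32                        # random (filler)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\x00\x2f"  # one cipher suite (filler)
        + b"\x01\x00"                         # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if the
    client sent no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len          # compression methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if etype != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype, nlen = struct.unpack("!BH", edata[q:q + 3]); q += 3
            if ntype == SNI_HOST_NAME_TYPE:
                return edata[q:q + nlen].decode("ascii")
            q += nlen
    return None


def select_credentials(record, table=CERT_TABLE, default=DEFAULT_CREDENTIALS):
    """Pick the (cert, key) pair for this connection from the ClientHello
    alone. Unknown or absent host names fall back to the default pair, which
    is the only thing an SNI-less client can ever be served."""
    host = extract_sni(record)
    return table.get(host, default) if host else default


if __name__ == "__main__":
    for hello in (build_client_hello("www.example.com"), build_client_hello()):
        print(extract_sni(hello), "->", select_credentials(hello))
```

The fallback branch is the practical caveat: a client that sends no server_name can only ever receive the default certificate, so a mass-hosted HTTPS setup still needs one sensible default identity per listening IP:port.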
