From: Aaron Bannert
To: george+apache@m5p.com
Cc: apbugs@Apache.Org, dev@httpd.apache.org
Date: Mon, 18 Feb 2002 23:15:41 -0800
Subject: Re: other/9871: Server presents wrong certificate with NameVirtualHost
Message-ID: <20020218231541.F23835@clove.org>
In-Reply-To: <20020219063135.65863.qmail@apache.org>

On Tue, Feb 19, 2002 at 06:31:35AM -0000, George Mitchell wrote:
> With multiple virtual hosts sharing one IP address (named virtual hosts),
> the SSL module always presents the certificate from the first NameVirtualHost
> regardless of the Host: in the request from the client. However, the data
> which gets served comes from the proper VirtualHost DocumentRoot.

Since the Host: header is part of the encrypted stream, it is not known
to the server by the time the cert is required to establish an SSL
connection. For this reason it is not possible to do name-based virtual
hosting w/ SSL.

Perhaps we should make this an explicit failure condition in the
mod_ssl code?

-aaron
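
Added example, not part of the original message and not mod_ssl code: a stand-alone configuration check in the spirit of the "explicit failure condition" suggested above. It flags every address:port where more than one SSL-enabled VirtualHost is defined with a different certificate. The sample configuration, its hostnames and paths, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample configuration; address, hostnames and paths are made up.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/shop.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/mail.crt
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName shop.example.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the first argument of directive `name` in a vhost body, or None."""
    m = re.search(r"^\s*" + name + r"\s+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def find_cert_conflicts(conf):
    """Map each address:port to the names that get the first vhost's certificate."""
    groups = defaultdict(list)
    for addr, body in VHOST_RE.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() == "on":
            groups[addr].append((directive(body, "ServerName"),
                                 directive(body, "SSLCertificateFile")))
    conflicts = {}
    for addr, hosts in groups.items():
        # The certificate is sent before the Host: header can be read, so every
        # request to this address is answered with the first vhost's certificate.
        presented = hosts[0][1]
        shadowed = [name for name, cert in hosts[1:] if cert != presented]
        if shadowed:
            conflicts[addr] = {"presented": presented, "shadowed": shadowed}
    return conflicts

if __name__ == "__main__":
    for addr, info in find_cert_conflicts(SAMPLE_CONF).items():
        print(addr, "presents", info["presented"], "for", info["shadowed"])
```

A non-empty result means clients asking for the listed names will be shown a certificate issued for a different host.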