httpd-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: SSL with NameVirtualHosts?
Date Sun, 07 Apr 2002 05:58:42 GMT
At 11:35 PM 4/6/2002, you wrote:
>I know that the docs say it's not possible, but is it theoretically
>possible? It would be really nice to have this feature.

Obverse... it's physically possible.  It isn't theoretically possible.

Client request: open SSL connection to server [no headers sent]

Server response: negotiate SSL Session with a key, based on
no information other than the client ip/port or server listener.

Client response: complete SSL negotiation.

Then the client sends the headers; Host: hostname... but we
already negotiated the key of the wrong vhost.

RFC2817 "Upgrading to TLS Within HTTP/1.1" proposes the client
sends a plain text request with headers, requesting the server
upgrade to a TLS connection for a specific host.  But no browser or
server that I'm aware of actually implements this new mechanism.
Yes - it would be terrific if Apache was the first implementation, but
we still need client support to have any impact.

So really, no, named virtual hosts today cannot be used with SSL.
The directives all work, but the key sent is based on the physical
port and/or the default vhost, not the Host: header.  Sorry.
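
The situation described in the message above, as an added configuration example that is not part of the original post: two name-based SSL vhosts sharing one address, next to the IP-based layout in which the listener address alone identifies the certificate. Hostnames, addresses (documentation range 192.0.2.0/24) and file paths are constructed placeholders.

```apache
# Two alternative configurations; load one or the other, not both.

# --- A: name-based (the case asked about) -----------------------------
# Both vhosts share 192.0.2.10:443. The SSL handshake finishes before
# the Host: header is sent, so the server can only pick by address/port
# and presents the certificate of the first (default) vhost for both.
Listen 443
NameVirtualHost 192.0.2.10:443

<VirtualHost 192.0.2.10:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /path/to/www.example.com.crt
    SSLCertificateKeyFile /path/to/www.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName            shop.example.com
    SSLEngine             on
    # Directives are accepted, but this certificate is never presented:
    # a client asking for shop.example.com receives the www certificate
    # and reports a hostname mismatch.
    SSLCertificateFile    /path/to/shop.example.com.crt
    SSLCertificateKeyFile /path/to/shop.example.com.key
</VirtualHost>

# --- B: IP-based (one address per certificate) ------------------------
# The address the client connected to is known before the handshake,
# so each listener maps to exactly one certificate.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /path/to/www.example.com.crt
    SSLCertificateKeyFile /path/to/www.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName            shop.example.com
    SSLEngine             on
    SSLCertificateFile    /path/to/shop.example.com.crt
    SSLCertificateKeyFile /path/to/shop.example.com.key
</VirtualHost>
```

To check which certificate a listener actually presents, connect with `openssl s_client -connect 192.0.2.11:443` and compare the subject of the returned certificate with the hostname that resolves to that address.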

