httpd-dev mailing list archives

From Enrico Weigelt <weig...@metux.de>
Subject Re: SSL + name based virtual hosting
Date Wed, 22 Dec 2004 14:38:12 GMT
* Graham Leggett <minfrin@sharp.fm> wrote:

<snip>
> You forget that there is a trust issue here. SSL brings with it not only 
> encryption, but certification of the data that's being sent. If the SSL 
> protocol somehow allowed external unprotected and untrusted information 
> (like the name of the virtual host as you propose) into the equation, 
> you would lose the whole point of the SSL.

I don't see any problem with that.
If something like an additional host header is sent before the handshake
starts, it's just a kind of multiplexer: it allows several different
virtual hosts (not only for HTTP) to sit on the same socket.

> Life is really simple right now - SSL happens on one layer, and HTTP 
> happens on the layer above that.
Life is a little bit more complex.

<snip>
> >Well, those were the same folks who invented IPSEC, which is not 
> >NAT'able.
> 
> Again, IPSEC guarantees that packets have not been tampered with, and 
> NAT tampers with packets, so it definitely won't work (although work has 
> been done to work around this problem). Don't forget the purpose of SSL: 
> verification that data has not been tampered with.
It could be so easy if IPsec were just a tunnel between two points 
with encrypted payload and some unencrypted channel identification. 
Being dependent on the carrier endpoint IPs is complete nonsense 
and doesn't add any security. But it prevents IPsec usage through 
NAT firewalls.
But the linux-2.6-ipsec folks make it even worse. There's no longer a 
separate network interface per tunnel; instead there's an additional 
netfilter-like table which tells how to encrypt/decrypt for certain 
address ranges. That isn't just completely illogical, it also makes 
more complex routing/firewalling environments a real nightmare!

Okay, okay, it's getting OT ...
It was just an example that the IETF doesn't stand for well-engineered 
standards these days.


cu
-- 
---------------------------------------------------------------------
 Enrico Weigelt    ==   metux IT service

  phone:     +49 36207 519931         www:       http://www.metux.de/
  fax:       +49 36207 519932         email:     contact@metux.de
  cellphone: +49 174 7066481
---------------------------------------------------------------------
 -- DSL ab 0 Euro. -- statische IP -- UUCP -- Hosting -- Webshops --
---------------------------------------------------------------------
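The multiplexer Enrico describes is essentially what TLS later standardized as the server_name extension (SNI, RFC 6066): the client puts the host name it wants inside the ClientHello, and the server uses it only to pick which certificate to present. The example below is added here and is not code from the thread or from httpd; it builds a minimal TLS 1.2 ClientHello carrying SNI, parses the name back out on the server side, selects a virtual host, and then shows where Graham's trust concern is actually settled: the SNI name is unauthenticated, so the client still decides trust by checking that the certificate it received is valid for the name it intended to reach. The vhost table, certificate names and the single cipher suite are constructed for illustration.

```python
"""Name-based virtual hosting over TLS via the server_name (SNI) extension.

Added example, not code from the original thread. VHOSTS, DEFAULT and the
host names used are constructed for illustration.
"""
import os
import struct

SNI_EXT_TYPE = 0    # ExtensionType server_name (RFC 6066)
SNI_HOST_NAME = 0   # NameType host_name


def build_client_hello(server_name: str) -> bytes:
    """Client side: a minimal TLS 1.2 ClientHello record with one SNI entry."""
    host = server_name.encode("idna")
    entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host   # ServerName
    sni_list = struct.pack("!H", len(entry)) + entry              # ServerNameList
    ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(ext)) + ext
    cipher_suites = struct.pack("!HH", 2, 0xC02F)   # one suite, length-prefixed
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + os.urandom(32)       # random
        + b"\x00"              # empty session_id
        + cipher_suites
        + b"\x01\x00"          # compression_methods: null only
        + extensions
    )
    # Handshake header: msg_type client_hello (1), 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: ContentType handshake (22), legacy version 3.1, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Server side: extract the host_name from a ClientHello record, else None.
    Every length is bounds-checked; a malformed record yields None, never a
    slice past the end of the buffer."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return None
    pos = 2 + 32                                   # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT_TYPE or len(data) < 2:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= min(2 + list_len, len(data)):
            ntype, nlen = struct.unpack("!BH", data[p:p + 3])
            p += 3
            name = data[p:p + nlen]
            p += nlen
            if ntype == SNI_HOST_NAME and len(name) == nlen:
                return name.decode("idna")
    return None


# Constructed vhost table: SNI name -> names covered by that vhost's certificate
VHOSTS = {
    "shop.example.org": ("shop.example.org",),
    "mail.example.org": ("mail.example.org", "webmail.example.org"),
}
DEFAULT = ("default.example.org",)   # certificate served when no vhost matches


def select_vhost(record: bytes, vhosts=VHOSTS, default=DEFAULT):
    """Server side: the unauthenticated SNI name only chooses a certificate."""
    return vhosts.get(parse_sni(record), default)


def client_accepts(requested: str, cert_names) -> bool:
    """Client side: the trust decision. Whatever the multiplexer picked, the
    certificate must be valid for the name the client set out to reach."""
    return requested in cert_names


if __name__ == "__main__":
    for host in ("shop.example.org", "mail.example.org", "evil.example.net"):
        cert = select_vhost(build_client_hello(host))
        print(host, "->", cert, "accepted:", client_accepts(host, cert))
```

The point to take from the dispatch step is that a server which answers a name it does not host with the default certificate gains nothing for an attacker: the client asked for one name and will reject a certificate issued for another, so the unprotected host name never enters the trust computation, only the choice of which trusted credential to present.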
