httpd-dev mailing list archives

From "Michael Harrison" <>
Subject Re: NameVirtualHosts & SSL
Date Tue, 25 Oct 2005 18:55:06 GMT
Thanks Graham, Joost and Sander, I hadn't expected Apache to need to
know which virtual host to use so early in the request process.

>From: Sander Temme <>
>Subject: Re: NameVirtualHosts & SSL
>Date: Tue, 25 Oct 2005 11:34:40 -0700
>On Oct 25, 2005, at 10:43 AM, Kenevel wrote:
>>My question is why the server couldn't do some sort of reverse-lookup on the
>>register of SSL certificates that are in use. Surely the server knows which
>>certificate it is using to service the request (or else it wouldn't be
>No, it doesn't. At the moment the SSL connection handshake occurs, the
>server needs to present a certificate to the client. The client has
>certain expectations of the Common Name (CN) field of the Distinguished
>Name (DN) string embedded in the certificate, so it is important that the
>server sends the correct certificate.
>At this point in the handshake, the server simply doesn't know enough of
>what the client wants, unless the client connects to a distinct IP address
>and the server has a virtual host configured on that IP address.
>Otherwise, the decision on which virtual host to send the request to is
>made way too late.
>>to decrypt its contents) and hence work out which virtual host uses that
>>certificate? This approach means of course that each name-based virtual
>>host would have to use a different certificate - but as those sites are more
>>likely on different domains the certificates would necessarily be
>There is an extension to the TLS ClientHello that allows the client to
>indicate which servername it is trying to connect to: see http://
>paragraph 3.1. However, I don't think mod_ssl currently supports this.
>mod_gnutls may be closer, you may want to check that out. Of course, until
>enough of your client base supports this extension it is perfectly useless
>to you.
>PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

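To make the point of the exchange concrete: the server must pick a certificate while it has nothing but the ClientHello in hand, so the only place a host name can come from is the ClientHello itself (the server_name extension Sander refers to). The following is an added illustration, not code from this thread, mod_ssl or mod_gnutls. It builds a minimal, constructed TLS ClientHello record with and without a server_name extension, parses the extension back out, and shows that a per-IP virtual host selection without it can only fall back to the first (default) host on that address. The host names, cipher suites and random bytes are placeholders.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name extension type
HOST_NAME_TYPE = 0            # NameType host_name


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test data).

    Random, session id and cipher suites are placeholders; only the
    extension block matters for this demonstration.
    """
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += b"\x11" * 32                     # random (placeholder bytes)
    body += b"\x00"                          # session_id length 0
    suites = b"\xc0\x2f\x00\x2f"             # two cipher suites (placeholder)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
    body += struct.pack("!H", len(extensions)) + extensions
    # Handshake header: msg_type 1 (client_hello) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), version, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host name from the ClientHello's server_name extension,
    or None when the client sent no such extension (older clients)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                             # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos >= len(body):
        return None                          # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        lpos = 2
        while lpos + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[lpos:lpos + 3])
            lpos += 3
            name = data[lpos:lpos + name_len]
            lpos += name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


def choose_vhost(record, vhosts_on_ip):
    """Pick the virtual host (and so the certificate) for one listening IP.

    vhosts_on_ip is the ordered list of ServerName values configured on that
    address; the first is the default, which is all a server can use when
    the ClientHello names no host.
    """
    name = extract_sni(record)
    if name is not None and name in vhosts_on_ip:
        return name, "selected by SNI"
    return vhosts_on_ip[0], "default (no usable SNI)"


if __name__ == "__main__":
    hosts = ["www.example.com", "secure.example.org"]   # constructed vhosts
    print(choose_vhost(build_client_hello("secure.example.org"), hosts))
    print(choose_vhost(build_client_hello(), hosts))
```

The second call is the case the thread describes: with no server_name extension the parser returns None and the selection falls through to the default host, so a client asking for secure.example.org is shown www.example.com's certificate and reports a CN mismatch. Only the presence of the extension in the ClientHello, before any certificate is sent, lets the server do better.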
