httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sander Temme <>
Subject Re: NameVirtualHosts & SSL
Date Tue, 25 Oct 2005 18:32:56 GMT

On Oct 25, 2005, at 10:43 AM, Kenevel wrote:

> My question is why the server couldn't do some sort of reverse- 
> lookup on its
> register of SSL certificates that are in use. Surely the server  
> knows which
> certificate it is using to service the request (or else it wouldn't  
> be able

No, it doesn't. At the moment the SSL connection handshake occurs,   
the server needs to present a certificate to the client. The client  
has certain expectations of the Common Name (CN) field of the  
Distinguished Name (DN) string embedded in the certificate, so it is  
important that the server sends the correct certificate.

At this point in the handshake, the server simply doesn't know enough  
of what the client wants, unless the client connects to a distinct IP  
address and the server has a virtual host configured on that IP  
address. Otherwise, the decision on which virtual host to send the  
request to is made way too late.

> to decrypt its contents) and hence work out which virtual host uses  
> that
> certificate? This approach means of course that each name-based  
> virtual host
> would have to use a different certificate - but as those sites are  
> more than
> likely on different domains the certificates would necessarily be  
> different.

There is an extension to the TLS ClientHello that allows the client  
to indicate which servername it is trying to connect to: see http:// paragraph 3.1. However, I don't think  
mod_ssl currently supports this. mod_gnutls may be closer, you may  
want to check that out. Of course, until enough of your client base  
supports this extension it is perfectly useless to you.


PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF

View raw message