Return-Path: 
 <dev-return-52266-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-dev-archive@www.apache.org
Received: (qmail 98449 invoked from network); 6 Mar 2006 02:16:25 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 6 Mar 2006 02:16:25 -0000
Received: (qmail 21677 invoked by uid 500); 6 Mar 2006 02:17:09 -0000
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 21463 invoked by uid 500); 6 Mar 2006 02:17:08 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
List-Post: <mailto:dev@httpd.apache.org>
List-Id: <dev.httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 21452 invoked by uid 99); 6 Mar 2006 02:17:08 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 05 Mar 2006 18:17:08 -0800
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
	tests=SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (asf.osuosl.org: domain of daniel@phasevelocity.org
 designates 66.92.189.46 as permitted sender)
Received: from [66.92.189.46] (HELO spike.phasevelocity.org) (66.92.189.46)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 05 Mar 2006 18:17:07 -0800
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by spike.phasevelocity.org (Postfix) with ESMTP id DA58C1980A3
	for <dev@httpd.apache.org>; Sun,  5 Mar 2006 18:16:46 -0800 (PST)
Subject: SSL enabled name virtual hosts
From: Daniel Rogers <daniel@phasevelocity.org>
To: dev@httpd.apache.org
Content-Type: text/plain
Date: Sun, 05 Mar 2006 18:16:46 -0800
Message-Id: <1141611406.20703.58.camel@spike.phasevelocity.org>
Mime-Version: 1.0
X-Mailer: Evolution 2.0.2 (2.0.2-22) 
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

Hello all

Pardon me for being dense.

Also, I haven't searched the archives on this subject, the archive
search page was down, so I hope I am not starting a flame by rehashing
what I suspect could be a rather heated topic.


I am not convinced by the argument that name based SSL virtual hosting
is impossible.  Yes.  I understand that in order to understand your ssl
configuration you need to pick a virtual host context.  Since you don't
have the hostname the server was requested as at the time of the SSL
negotiation, you end up falling through to the default SSL host.

However, this seems like an artifact of the config file data data
organization and/or an apache implementation limitation, rather than a
limitation on the protocol itself.

For example:
Suppose  I wanted to mangle apache into doing something like name
virtual hosting for SSL enabled clients.  Here is how I envision this
being possible:

- Tell apache to listen on a new port (say, 444).
- For the default first host on port 443, I create a script, which reads
the http Host: header and then issues the exact same request on port 444
of the machine and echo's the output.
- Now create name based virtual host definitions for port 444 anywhere
you would like to have name based SSL virtual hosts.

Granted, there are some pretty serious limitations with this design.
For example:

-you would probably only want port 444 available from local interfaces
(which can be enforced with a firewall).  

-you can't create access rules based on ip address or ssl status from
within apache.

-You need to filter the response headers to keep up the facade, as it
were.  (for example, making sure you filter redirects to redirect to the
proxy script and not what the virtual host thinks it is).

-the named based virtual SSL hosts would effectively all have the
same SSL certificate.  This, however, can be dealt effectively and
completely with the SubjectAltName field of the server cert.

-numerous other issues with the documents you are serving being shown a
different port number than is actually being served.

This would have the effect that people are looking for.  One ssl enabled
host, which presents a different DocumentRoot based on the Host: http
header.  The code to do this would only be a few hundred lines in php or
perl, if you rely on an already existing http request class.

However, I don't see why this couldn't be implemented in apache, and
remove all the limitations I mentioned above, except for the need for a
certificate with a subjectAltName. For example, suppose you have a
second name virtual host style configuration directive that
looked something like:

<SSLNameVirtualHost *:443>
/all ssl options here/
</SSLNameVirtualHost>

Then, instead of picking a virtual host definition in order to be able
to negotiate the SSL session, the SSLNameVirtualHost statement would
have all that it needed to negotiate the SSL session, then, after the
SSL session is negotiated, the virtual host definitions could be
consulted for a suitable virtual host to serve to the client.  This
would allow the virtual host to define access controls again.  This
would also mean that it would be impossible to specify SSL options in a
particular virtual SSL host definition, but I would certainly be willing
to accept that limitation, especially compared to our choices now (and I
bet others would as well).

In fact, the fact that the ssl negotiation parameters have to be the
same for all the name virtual hosts would be the only significant
limitation.  And because you can use subjectAltName to specify alternate
hostnames in a SSL certificate will almost completely mitigate this
limitation for most people.

Is there any reason why this can't be implemented in apache?

Again, to be clear, I made name based virtual ssl hosts work.  The
documentation says this is impossible.  It is not.  It would, however,
work worlds better if implemented from within apache.

-- 
Daniel Rogers
daniel@phasevelocity.org