Message-ID: <4929E264.3010509@iang.org>
Date: Sun, 23 Nov 2008 18:08:20 -0500
From: Ian G
To: dev@httpd.apache.org
Subject: Re: Name based virtual host ssl clever solution
In-Reply-To: <1227444490.5622.ezmlm@httpd.apache.org>

> I'm not sure if any browser available currently supports this, but I
> suppose none. Maybe if it became RFC, you might get Mozilla folks
> interested with this :)

As far as I know, Mozilla guys are hanging out for TLS/SNI, as is the rest of the world. They and the other browsers have been ready for ages. There was a big push around 2005-2006 to get over to full TLS because of the SSLv2 bug and the emergence of phishing as an MITM.

TLS/SNI is the "real fix" for the bug, whereas other tricks (and there are quite a few of them) are all suspect for one reason or another; when you try them you discover what goes wrong. There's a list of possibilities here:

http://wiki.cacert.org/wiki/VhostTaskForce
http://en.wikipedia.org/wiki/Server_Name_Indication

TLS/SNI is working in Apache httpd, and has been for a while, but is unreleased. I don't know or understand the reason for that.

iang