httpd-dev mailing list archives

From Ivan Ristic
Subject Re: mod_ssl, SNI and dynamic virtual hosts
Date Tue, 25 May 2010 10:25:19 GMT

You are assuming that the domain name will be in the SSL handshake.
While it will be, in many cases, a very large number of browsers won't
send it. In particular, Internet Explorer running on Windows XP does
not support SNI. For more information, have a look at:

Once SNI becomes widely adopted (i.e. Windows XP dies), then, yes, you
may need to resort to resolving certificates at run-time to support
your setup.

On Tue, May 25, 2010 at 11:03 AM, Adam Hasselbalch Hansen wrote:
> Adam Hasselbalch Hansen wrote:
>> We have a setup that uses an in-house module which works not entirely
>> unlike mod_vhost_alias, in that it has a single virtual host configured, and
>> then determines stuff like domain name, docroot, etc, from the request.
>> We'd love to be able to use SSL in this setup, but as far as I can see,
>> the only way to do this would be to change (i.e. hack) mod_ssl to do the
>> certificate loading sometime around request-time, since the apache server
>> and SSL have no clue what virtual hosts they will be serving at startup.
>> How would such a hack, if at all possible, affect stuff like certificate
>> caching and other things?
>> I'd love any feedback!
> Anyone?
> --
> Adam Hasselbalch Hansen
> UNIX Systems Developer, CPH

Ivan Ristic
ModSecurity Handbook
SSL Labs