httpd-users mailing list archives

From r..@apache.org
Subject Re: [users@httpd] SSL server problem
Date Thu, 10 Oct 2002 22:56:55 GMT

The problem is that in order to use SSL, the server must know which
cert/key to use, but in order to know which cert/key to use, it must know
which Host the request is for.  In SSL, the Host header (the header that
tells the server which Name-based Vhost to use) is encrypted, and it can't
be unencrypted until you have the cert/key.  It's a chicken and egg
problem.

There is a solution, namely the Upgrade: header, which tells the server to
upgrade to SSL.  I have the code written for Apache 2.0, but I haven't had
time to test it yet.  Once I get it committed you will still have the
problem that no clients support this feature yet.

Ryan

On Thu, 10 Oct 2002, Matt Harris wrote:

> Weird.  I thought I remembered doing it OK on apache 1.3.x a long time
> ago.  This is my first delve into Apache 2.  What's required to fix
> SSL?  Is it a problem with mod_ssl or OpenSSL itself?  I'd be interested
> in taking a look deeper into this to see if there's a way/hack around
> it, or maybe just fixing the code myself.  
> 
> "Nelson, Robert D." wrote:
> > 
> > Matt:
> > 
> > You can't run two different SSL hosts on a single IP.  Each host must have
> > its own IP address.  This is not an Apache issue, it's an SSL issue.
> > 
> >  ~ Robert
> > 
> > > -----Original Message-----
> > > From: Matt Harris [mailto:mdh@mdh.si.edu]
> > > Sent: Thursday, October 10, 2002 5:17 PM
> > > To: users@httpd.apache.org
> > > Subject: [users@httpd] SSL server problem
> > >
> > >
> > > I have multiple NameVirtualHost entries on my server.  I've noticed that
> > > this makes apache 2.x send only the certificate listed in the first
> > > vhost entry for all of them.  For example I have vhosts entries for
> > > secure.unix.mydomain, and qip.mydomain.  Both have unique csr/key/crt
> > > files, and both are explicitly stated as such in their VirtualHost
> > > directives.  They are NameVirtualHosts on my server's single IP
> > > address.  But for some reason, when going to https://qip.mydomain, I get
> > > an error that the certificate being presented is for
> > > secure.unix.mydomain.  Why is this?  Is there a way to fix this?
> > > Thanks, Matt.
> > >
> > > --
> > > /*
> > >  *
> > >  * Matt Harris - Senior UNIX Systems Engineer
> > >  * Smithsonian Institution, OCIO
> > >  *
> > >  */
> > >
> > > ---------------------------------------------------------------------
> > > The official User-To-User support forum of the Apache HTTP
> > > Server Project.
> > > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> > >

-- 

_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
550 Jean St
Oakland CA 94610
-------------------------------------------------------------------------------
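The two paths Ryan describes (a direct https:// connection versus an Upgrade: request), as an added example that is not code from this thread or from Apache httpd. The vhost names come from the thread; the IP 192.0.2.10, the port and the cert/key file names are constructed placeholders, and nothing here touches a real socket.

```python
# Added example, not code from this thread or from Apache httpd. It models why a
# direct https:// connection can only pick a cert/key by socket address, and how
# an RFC 2817 "Upgrade: TLS/1.0" request exposes the Host header before the
# handshake. Vhost names follow the thread; IP, port and file names are constructed.

# Constructed NameVirtualHost table, in configuration order, all on one IP:port.
VHOSTS = [
    ("192.0.2.10", 443, "secure.unix.mydomain", "secure.unix.crt", "secure.unix.key"),
    ("192.0.2.10", 443, "qip.mydomain", "qip.crt", "qip.key"),
]

def direct_ssl_cert(ip, port):
    """Direct https://: the TLS handshake runs before any HTTP bytes arrive, so the
    only selector is the socket address. The first vhost bound to it wins, which is
    the symptom Matt reported (qip.mydomain gets secure.unix.mydomain's cert)."""
    for v_ip, v_port, _name, crt, key in VHOSTS:
        if (v_ip, v_port) == (ip, port):
            return crt, key
    return None

def parse_request(raw):
    """Split a plaintext HTTP/1.1 request head into method, target and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def _tokens(value):
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def upgrade_to_tls(raw):
    """RFC 2817 path: the request arrives in the clear, so Host is visible and the
    matching cert/key can be chosen before TLS starts. Returns (cert_key, reply)."""
    _method, _target, headers = parse_request(raw)
    host = headers.get("host", "").split(":", 1)[0].lower()
    if ("tls/1.0" not in _tokens(headers.get("upgrade", ""))
            or "upgrade" not in _tokens(headers.get("connection", ""))):
        return None, b"HTTP/1.1 426 Upgrade Required\r\nUpgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n"
    for _ip, _port, name, crt, key in VHOSTS:
        if name == host:
            return (crt, key), b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n"
    return None, b"HTTP/1.1 400 Bad Request\r\n\r\n"

# Constructed request from a client that supports the Upgrade header.
SAMPLE_UPGRADE = (b"OPTIONS * HTTP/1.1\r\nHost: qip.mydomain\r\n"
                  b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
```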

