From: "Boyle Owen"
Date: Thu, 3 Oct 2002 10:33:43 +0200
Subject: RE: [users@httpd] Virtual host question

What are you talking about? You simply cannot do name-based virtual
hosting under SSL. No way. Not possible.

The problem is not with apache but with TCP/IP and HTTP. Apache has to
decide which virtual host to use based on only the TCP/IP attributes (IP
and port) - it does not have access to the "Host" header because the
HTTP traffic is encrypted (Remember - the certificate is defined
*inside* the virtualhost, so apache doesn't know which cert to use until
it decrypts the packet.
But it can't decrypt the packet until it gets a session going - which it
can't do unless it sends a cert! It's the old Catch-22, chicken-and-egg
thing).

Apache can listen all it likes to port 4430 (just put "Listen 4430" in
the config). But then you have to tell the whole world that your server
is listening to this port. Otherwise "https://yourserver/" will go to
port 443.

You have two workarounds:

- IP based VHs
- port-based VHs (although the non-443 VH will need to have its port
  number hardcoded in URLs)

Another "pretend-SSL" solution is to use the same cert in all VHs. This
will "work" but only because apache always uses the first VH if it can't
figure out which to choose. So the cert in the first VH is used to
establish a session. After that, apache can see the HTTP headers and so
routes the request to the appropriate VH so you get the correct site.
The problem is that the FQDN in the cert only matches the first VH and
so all other VHs pop up a "site name doesn't match cert" warning in the
browser. Also, you have just lost authentication - which is as much a
part of SSL as encryption.

>-----Original Message-----
>From: William C (Bill) Jones [mailto:wcjones@fccj.edu]
>Sent: Wednesday, 2 October 2002 22:10
>To: users@httpd.apache.org
>Subject: Re: [users@httpd] Virtual host question
>
>On 10/2/02 3:38 PM, "Chad Arimura" wrote:
>
>> I agree with you, so how much work is involved in configuring modssl and
>> apache to listen for https requests on port 4430 by default?
>
>Never done it - but I will know something this weekend.
>
>-Bill- :]
>_Sx____________________
> ('>    iudicium ferat
> //\    Have Computer -
> v_/_   Will Hack...
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP
>Server Project.
>See for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
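
The two workarounds listed in the message, sketched as an Apache mod_ssl configuration. This is an added example, not part of the original post; the hostnames, IP addresses (documentation range 192.0.2.0/24), document roots and certificate paths are all placeholders.

```apache
# Added example: every hostname, address and file path is a placeholder.

# --- Workaround 1: IP-based virtual hosts --------------------------------
# Each site gets its own IP address, so the (IP, port) pair of the incoming
# connection is enough to select the virtual host, and with it the
# certificate, before any HTTP header has been decrypted.
Listen 443

<VirtualHost 192.0.2.10:443>
    ServerName   www.site-a.example
    DocumentRoot /var/www/site-a
    SSLEngine on
    # The certificate's FQDN matches this ServerName.
    SSLCertificateFile    /etc/apache/ssl/site-a.crt
    SSLCertificateKeyFile /etc/apache/ssl/site-a.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName   www.site-b.example
    DocumentRoot /var/www/site-b
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/site-b.crt
    SSLCertificateKeyFile /etc/apache/ssl/site-b.key
</VirtualHost>

# --- Workaround 2: port-based virtual host -------------------------------
# Same IP address as site-a, different port. The port selects the virtual
# host and its certificate. Clients must be given the port explicitly:
#   https://www.site-c.example:4430/
Listen 4430

<VirtualHost 192.0.2.10:4430>
    ServerName   www.site-c.example
    DocumentRoot /var/www/site-c
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/site-c.crt
    SSLCertificateKeyFile /etc/apache/ssl/site-c.key
</VirtualHost>
```

In both layouts every virtual host presents a certificate whose FQDN matches its own ServerName, so the name check in the browser succeeds, unlike the shared-certificate setup described in the message.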