httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject [users@httpd] RE: ssl + apache
Date Tue, 19 Nov 2002 08:10:57 GMT
Keep on the list, please. No personal mails.

Please read http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

The essential point is that an SSL session is negotiated between the
client and the server before any HTTP traffic takes place. So when it is
setting up the SSL session, Apache doesn't know what VH the client
wants. However, the certificate is defined inside the VH, so it doesn't
know which cert to use.

When in doubt, Apache always goes to the first VH. So running two SSL
VHs will appear to "work" because the session will be established using
the cert from the first VH. Thereafter, Apache can see inside the HTTP
packets and so get the Host and so decide on the correct VH to serve the
content from. However, this is not a general solution since the 1st cert
is used all the time, even if the client requests the 2nd VH.

If you don't care about authentication (that the site really is what it
says it is) then that's fine, but it wouldn't last five minutes in the
real world (would you type your credit card number into a form on
amazon.com if the browser was warning you that the certificate wasn't
registered to Amazon?)

Rgds,

Owen Boyle

>-----Original Message-----
>From: Dan Rossi [mailto:daniel@electroteque.org]
>Sent: Montag, 18. November 2002 21:54
>To: Boyle Owen
>Subject: ssl + apache
>
>
>right so it may look like it's https but as it's mapped it's still http?
>just trying to work out the reasons why I could make it work as
>virtualhosts but having the same IP is not ok
>
>
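
The certificate selection described in the message above, as an added example that is not part of the original post: a Python check over a constructed Apache configuration that reports SSL virtual hosts whose own certificate is never presented, because an earlier virtual host on the same address supplies it at handshake time. The sample configuration, addresses, host names and the helper names are assumptions; the check models the case in the message, where the server learns the requested name only from the HTTP Host header.

```python
import re

# Constructed sample config: two SSL virtual hosts share 192.0.2.10:443.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/shop.example.com.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/mail.example.com.crt
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/intranet.example.com.crt
</VirtualHost>
"""

def parse_ssl_vhosts(conf):
    """Return [(addr, server_name, cert_file)] for SSL vhosts, in file order."""
    vhosts = []
    for addr, body in re.findall(r"<VirtualHost\s+(\S+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        if not re.search(r"^\s*SSLEngine\s+on\s*$", body, re.M | re.I):
            continue  # plain HTTP vhost: no certificate involved
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        vhosts.append((addr, name.group(1) if name else None, cert.group(1) if cert else None))
    return vhosts

def shadowed_certs(conf):
    """List vhosts whose configured certificate differs from the one presented."""
    first = {}      # addr -> (server_name, cert_file) of the first vhost on that address
    findings = []
    for addr, name, cert in parse_ssl_vhosts(conf):
        if addr not in first:
            first[addr] = (name, cert)      # only the address is known at handshake time
        elif cert != first[addr][1]:        # a shared certificate file is not a finding
            findings.append({"addr": addr, "requested": name, "configured_cert": cert,
                             "presented_cert": first[addr][1], "cert_owner": first[addr][0]})
    return findings

if __name__ == "__main__":
    for f in shadowed_certs(SAMPLE_CONF):
        print(f"{f['requested']} on {f['addr']}: client is shown {f['presented_cert']}")
```
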
