httpd-users mailing list archives

From: "Boyle Owen" <Owen.Bo...@swx.com>
Subject: RE: [users@httpd] Apache 1.3.27 + Namebased virtual hosts + SSL
Date: Mon, 25 Nov 2002 10:55:15 GMT
Hi Dan,

I think you might be referring to my response. If so, I don't think you
quite understood what I wrote. The essential point is that, under HTTPS,
*all* information is encrypted. This *includes* the "Host" header in the
request which apache uses to find the correct VH in httpd.conf (apache
matches the Host header with the ServerName).  This means that apache
cannot decide which VH to use when it gets a HTTPS request. This is a
bit of a problem, because the certificate is defined inside the VH! So
apache cannot decide which certificate to send. It is imperative that
you understand this Catch-22 situation...

So what's apache to do? - It doesn't just fail (maybe it should...),
instead it just goes into the *first* VH and gets the cert from there.
Once the cert has been sent to the browser and the browser and apache
have agreed on an encryption algorithm, apache can now start to decode
the requests, get the Host header and so see which VH to use.

So after the cert has been sent, name-based VHing *seems* to work (you
get the requested site in the browser). However, you always use the
first cert even for 2nd and subsequent sites. If your sites are closely
associated, maybe you don't care about this - but you are still counting
on your clients clicking "OK" when the browser warns them that "The
certificate is not for this site". This might be OK if you are on an
intranet but will never work in the real world.

As James just pointed out, you lose authentication with this set-up and
authentication is just as important as encryption in HTTPS. Encryption
is like sending your money to the bank in an armoured car,
authentication is like making sure the armoured car actually goes to the
right bank.

If you want to know more - type "SSL name-based" into Google and stand
well back...

Rgds,

Owen Boyle

>-----Original Message-----
>From: Dan Rossi [mailto:daniel@electroteque.org]
>Sent: Monday, 25 November 2002 08:29
>To: users@httpd.apache.org
>Subject: RE: [users@httpd] Apache 1.3.27 + Namebased virtual hosts + SSL
>
>
>anyone got back to you? i tried to ask the same question, i actually got that
>working but read back a few threads and he claims it's not really running
>through ssl as it needs to go through http to get the header for namebasing
>??
>
>-----Original Message-----
>From: Lilla [mailto:horan@gubbarna.nu]
>Sent: Monday, November 25, 2002 8:45 AM
>To: users@httpd.apache.org
>Subject: [users@httpd] Apache 1.3.27 + Namebased virtual hosts + SSL
>
>
>Hi,
>
>I read at http://httpd.apache.org/docs/vhosts/name-based.html there are
>problems using namebased virtual hosts with SSL.
>
>I have only one IP but I would like to handle multiple domains over SSL.
>Maybe it is possible to do that if you provide the same SSL-cert for all
>the domains?
>
>Thanks for any help!!
>
>--
>Cheers,
>Lilla
>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP 
>Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>

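The behaviour Owen describes (the handshake happens before the Host header can be read, so the first virtual host on the address supplies the certificate for every connection) can be checked against a configuration rather than discovered by clicking through browser warnings. The script below is an added example written for this archive page; it is not code from the thread or from the Apache project. It parses a constructed httpd.conf fragment with three name-based SSL vhosts on one IP, applies the 1.3-era selection rule, and reports for each ServerName and ServerAlias whether the certificate the browser will actually receive covers that name. Certificate contents are stand-ins: a constructed table maps each certificate file to the hostnames it covers, since no real certificates are read. It then applies Lilla's proposal of pointing every vhost at one shared certificate and re-runs the audit, which shows the proposal works only as far as that one certificate covers every name served. (For modern deployments, Apache 2.2.12 and later built against an OpenSSL with TLS extensions use SNI to pick the vhost before the certificate is sent, which removes the constraint for SNI-capable clients; the rule modelled here is the pre-SNI one from the thread.)

```python
"""Audit of name-based SSL virtual hosts under Apache 1.3's pre-SNI rule.

Added example for this mailing-list page, not code from the thread or from
the Apache project. The httpd.conf fragment and the CERT_NAMES table below
are constructed sample data.
"""
import re

# Constructed httpd.conf fragment: three name-based SSL vhosts on one IP:port.
HTTPD_CONF = """
NameVirtualHost 192.0.2.10:443

<VirtualHost 192.0.2.10:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www.example.org.pem
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName shop.example.org
    ServerAlias store.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/shop.example.org.pem
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName mail.example.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/mail.example.net.pem
</VirtualHost>
"""

# Constructed stand-in for reading each certificate: the names it covers.
CERT_NAMES = {
    "/etc/ssl/certs/www.example.org.pem": ["www.example.org"],
    "/etc/ssl/certs/shop.example.org.pem": ["shop.example.org", "store.example.org"],
    "/etc/ssl/certs/mail.example.net.pem": ["mail.example.net"],
    "/etc/ssl/certs/wildcard.example.org.pem": ["*.example.org"],
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf):
    """Return the <VirtualHost> blocks in file order, which is the order
    Apache uses when it has to fall back to the first one."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        directives, aliases = {}, []
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            key = parts[0].lower()
            if key == "serveralias":
                aliases.extend(parts[1:])
            else:
                directives[key] = parts[1] if len(parts) > 1 else ""
        vhosts.append({
            "addr": addr.strip(),
            "servername": directives.get("servername"),
            "aliases": aliases,
            "cert": directives.get("sslcertificatefile"),
            "ssl": directives.get("sslengine", "off").lower() == "on",
        })
    return vhosts


def presented_cert(vhosts, addr):
    """Pre-SNI rule from the thread: the Host header is still encrypted when
    the certificate must be sent, so the first SSL vhost on this address
    supplies the certificate for every connection to it."""
    for vh in vhosts:
        if vh["addr"] == addr and vh["ssl"]:
            return vh["cert"]
    return None


def cert_covers(certfile, hostname):
    """Does the certificate name the host? A '*.' wildcard covers exactly one
    label, which is how browsers apply it."""
    for pat in CERT_NAMES.get(certfile, []):
        if pat.startswith("*."):
            if hostname.count(".") == pat.count(".") and hostname.endswith(pat[1:]):
                return True
        elif pat.lower() == hostname.lower():
            return True
    return False


def audit(conf):
    """For every name served over SSL, report (name, certificate the browser
    receives, whether that certificate covers the name)."""
    vhosts = parse_vhosts(conf)
    report = []
    for vh in vhosts:
        if not vh["ssl"]:
            continue
        cert = presented_cert(vhosts, vh["addr"])
        for name in [vh["servername"]] + vh["aliases"]:
            report.append((name, cert, cert_covers(cert, name)))
    return report


def with_shared_cert(conf, certfile):
    """Lilla's proposal: point every vhost at the same certificate."""
    return re.sub(r"(?im)^([ \t]*SSLCertificateFile[ \t]+)\S+",
                  lambda m: m.group(1) + certfile, conf)


if __name__ == "__main__":
    for label, conf in [("as configured", HTTPD_CONF),
                        ("shared wildcard cert",
                         with_shared_cert(HTTPD_CONF, "/etc/ssl/certs/wildcard.example.org.pem"))]:
        print(label)
        for name, cert, ok in audit(conf):
            print(f"  {name:20} gets {cert:45} {'ok' if ok else 'BROWSER WARNING'}")
```

With the configuration as written, only www.example.org passes: the other three names are served with the first vhost's certificate, which is the "certificate is not for this site" warning Owen describes. After the rewrite to a shared wildcard certificate, the three example.org names pass but mail.example.net still fails, because one certificate only helps if it covers every name on the address.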