httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] RE: ssl + apache
Date Tue, 19 Nov 2002 08:46:07 GMT
There are 3 types of VH:

ip-based: TCP/IP distinct therefore OK for SSL
port-based: TCP/IP distinct therefore OK for SSL
name-based: TCP/IP identical therefore NOT OK for SSL

Requests to name-based VHs are only distinguished by the "Host" header which is an HTTP attribute.
This is hidden during SSL negotiation so cannot be used.

It's only name-based VHs which have a problem with SSL - but this is a big problem because
all the world loves NBVHs.

>-----Original Message-----
>From: Dan Rossi [mailto:daniel@electroteque.org]
>Sent: Tuesday, 19 November 2002 09:16
>To: users@httpd.apache.org
>Subject: RE: [users@httpd] RE: ssl + apache
>
>
>I understand you here, but can you explain why then Apache 2 has virtualhosts
>in ssl.conf? Each virtualhost can load its own certificate using this
>directive: SSLCertificateFile
>
>-----Original Message-----
>From: Boyle Owen [mailto:Owen.Boyle@swx.com]
>Sent: Tuesday, November 19, 2002 7:11 PM
>To: Apache list
>Subject: [users@httpd] RE: ssl + apache
>
>
>Keep on the list, please. No personal mails.
>
>Please read http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
>
>The essential point is that an SSL session is negotiated between the
>client and the server before any HTTP traffic takes place. So when it is
>setting up the SSL session, apache doesn't know what VH the client
>wants. However, the certificate is defined inside the VH, so it doesn't
>know which cert to use.
>
>When in doubt, apache always goes to the first VH. So running two SSL
>VHs will appear to "work" because the session will be established using
>the cert from the first VH. Thereafter, apache can see inside the HTTP
>packets and so get the Host and so decide on the correct VH to serve the
>content from. However, this is not a general solution since the 1st cert
>is used all the time, even if the client requests the 2nd VH.
>
>If you don't care about authentication (that the site really is what it
>says it is) then that's fine, but it wouldn't last five minutes in the
>real world (would you type your credit card number into a form on
>amazon.com if the browser was warning you that the certificate wasn't
>registered to Amazon?)
>
>Rgds,
>
>Owen Boyle
>
>>-----Original Message-----
>>From: Dan Rossi [mailto:daniel@electroteque.org]
>>Sent: Monday, 18 November 2002 21:54
>>To: Boyle Owen
>>Subject: ssl + apache
>>
>>
>>Right, so it may look like it's https but as it's mapped it's still http?
>>Just trying to work out the reasons why I could make it work as
>>virtualhosts but having the same IP is not OK.
>>
>>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
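
The selection order the thread describes (certificate chosen from the first VirtualHost on the socket before any HTTP is seen, content chosen by the Host header afterwards) as an added editor's model. This is not Apache or mod_ssl code and is not from the thread; it is a small simulation over a constructed httpd.conf fragment. It also goes one step beyond the 2002 discussion and models SNI, the later TLS extension in which the client puts the hostname into its ClientHello, which is what made name-based SSL vhosts workable in current Apache releases. The config text, the 192.0.2.x addresses, the cert paths and the assumption that each certificate's subject equals the vhost's ServerName are all constructed for the example.

```python
"""Editor-added model of certificate selection versus VirtualHost selection.
Not Apache code. Simulates: TLS handshake first (only ip:port known, or the
SNI name if the client sent one), then HTTP routing by the Host header."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed httpd.conf fragment (not from the thread): two name-based SSL
# vhosts share 192.0.2.10:443, a third vhost has its own address.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/www.example.com.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/shop.example.com.crt
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/mail.example.com.crt
</VirtualHost>
"""


@dataclass
class VHost:
    addr: str
    port: int
    server_name: str
    cert: Optional[str]


VHOST_RE = re.compile(r"<VirtualHost\s+([^:\s>]+):(\d+)\s*>(.*?)</VirtualHost>", re.S)


def parse_vhosts(conf: str) -> List[VHost]:
    """Minimal parser for <VirtualHost addr:port> blocks, kept in config order.
    Order matters: the first block for an addr:port is the default for it."""
    vhosts = []
    for addr, port, body in VHOST_RE.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M)
        vhosts.append(VHost(addr, int(port), name.group(1) if name else "",
                            cert.group(1) if cert else None))
    return vhosts


def _listeners(vhosts: List[VHost], addr: str, port: int) -> List[VHost]:
    found = [v for v in vhosts if v.addr == addr and v.port == port]
    if not found:
        raise ValueError(f"no VirtualHost for {addr}:{port}")
    return found


def cert_for_handshake(vhosts, addr, port, sni=None) -> VHost:
    """Vhost whose certificate goes out in the TLS handshake.
    No HTTP has been seen yet, so only the socket's ip:port is known and the
    first name-based vhost on it wins. With SNI (TLS extension, not available
    to the 2002 thread) the hostname is in the ClientHello and ServerName can
    be matched before the certificate is sent."""
    candidates = _listeners(vhosts, addr, port)
    if sni is not None:
        for v in candidates:
            if v.server_name.lower() == sni.lower():
                return v
    return candidates[0]


def vhost_for_request(vhosts, addr, port, host_header) -> VHost:
    """Vhost that serves the content: inside the tunnel the Host header is
    visible, so name-based matching works, first block as fallback."""
    candidates = _listeners(vhosts, addr, port)
    host = host_header.split(":", 1)[0].lower()
    for v in candidates:
        if v.server_name.lower() == host:
            return v
    return candidates[0]


def simulate(vhosts, addr, port, host, sni=None):
    """Return (cert presented, ServerName serving content, mismatch flag).
    Assumption for the model: each cert's subject equals its vhost's
    ServerName, so a mismatch here is the browser warning in the thread."""
    hs = cert_for_handshake(vhosts, addr, port, sni)
    req = vhost_for_request(vhosts, addr, port, host)
    return hs.cert, req.server_name, hs.server_name.lower() != host.lower()


if __name__ == "__main__":
    vh = parse_vhosts(SAMPLE_CONF)
    cases = [
        ("192.0.2.10", 443, "www.example.com", None),                  # first VH
        ("192.0.2.10", 443, "shop.example.com", None),                 # wrong cert
        ("192.0.2.10", 443, "shop.example.com", "shop.example.com"),   # SNI fixes it
        ("192.0.2.11", 443, "mail.example.com", None),                 # own IP
    ]
    for addr, port, host, sni in cases:
        cert, served, mismatch = simulate(vh, addr, port, host, sni)
        print(f"{host:18} sni={str(sni):18} cert={cert:32} "
              f"served_by={served:18} warning={mismatch}")
```

Running the script prints the second case with the www certificate but shop content and warning=True, which is exactly the "appears to work but the 1st cert is used" situation above. To check a real server rather than the model, `openssl s_client -connect 192.0.2.10:443` shows the certificate handed out without SNI, and adding `-servername shop.example.com` shows whether the server honours SNI.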

