httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] adding SSL - is a distinct virtual host mandatory?
Date Tue, 04 Oct 2005 07:06:33 GMT
> -----Original Message-----
> From: William A. Rowe, Jr. [mailto:wrowe@rowe-clan.net]
> Sent: Dienstag, 4. Oktober 2005 08:50
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] adding SSL - is a distinct virtual host
> mandatory?
> 
> 
> Boyle Owen wrote:
> > 
> > Just to clear up some apparent confusion on this thread: I 
> think the point everyone is missing is that an SSL-encrypted 
> website uses a *different protocol* than plain old HTTP. 
> Instead of thinking of SSL as some sort of add-on (like 
> mod_perl) to a "normal" website, look carefully at the 
> protocol part of the address - it is "https". So, at a 
> network level, HTTPS is as distinct from HTTP as FTP or SMTP.
> 
> To correct you, the PROTOCOL remains HTTP, e.g., the 
> https://localhost/
> request sends...
> 
> GET / HTTP/1.1
> Host: localhost

Well, I was trying to clear some confusion without everyone's eyes glazing over. That inevitably
means taking shortcuts with the precise details of HTTPS session negotiation.

What you are actually looking at above is the the HTTP session that occurs *after* the HTTPS
channel has been established. As you probably know, the first thing that happens when an HTTPS
client contacts a server is that it obtains the server's public key which it then uses while
the client and server negotiate which cipher to use and decide on a symmetric key. Once the
encrypted session has been established, the internal protocol is indeed HTTP.

The precise description is to say that HTTPS encapsulates HTTP. That is, it is *additional*
layer on the protocol stack, rather than a replacement.

This is the root of the famous can't-do-name-based-VH-with-SSL problem. As you mention, the
upgrade facility solves this by further encapsulating HTTPS in an outer layer of HTTP (kind
of...) and I'm sure we all can't wait for that to happen :-)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

PS - the point remains; you can't serve HTTPS and HTTP on the same socket - which is what
the guy was originally wondering about.

> 
> (notice, no 'https').
> 
> Yes, mod_ssl will change the scheme to https, but that's incidental.
> 
> > Once you see that, you should see that obviously it needs a 
> distinct TCP/IP socket (ie, IP address and/or port number).
> 
> Sort of - kind of.
> 
> Pure SSL, yes, must be on a different socket.
> 
> The http/ssl upgrade facility (RFC 2817) provides a mechanism for
> clients to connect with plain text, and then switch to ssl.
> 
> Granted, I'm being pedantic, since no modern client supports this.
> Apache 2.1-dev does, some hacks at 2.0 do, and many network print
> devices handle it.  This has the advantage that the client sends
> the upgrade request with a Host: header, so that name-based, SSL
> vhosting becomes a possibililty.
> 
> Bill
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
>
 
 
This message is for the named person's use only. It may contain confidential, proprietary
or legally privileged information. No confidentiality or privilege is waived or lost by any
mistransmission. If you receive this message in error, please notify the sender urgently and
then immediately delete the message and any copies of it from your system. Please also immediately
destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose,
distribute, print, or copy any part of this message if you are not the intended recipient.
The sender’s company reserves the right to monitor all e-mail communications through their
networks. Any views expressed in this message are those of the individual sender, except where
the message states otherwise and the sender is authorised to state them to be the views of
the sender’s company.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message