httpd-users mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] Limiting SSL to a specific virtual host
Date Mon, 07 Nov 2005 18:25:26 GMT
Folks, ALL flavors of mod_ssl can do name based hosting, but it's entirely
irrelevant unless you use a wildcard certificate whose pattern matches all
of the domains hosted.  Because the server and client handshake a specific
set of certificates LONG BEFORE the client ever sends the 'Host: hostname'
header.  Multiple certificates for a single listener are not possible.

Apache 2.1 can do Upgrade: Connection, and handshake SSL after headers are
sent (therefore choosing the right certificate) but NONE of today's user
agents (clients) support this for gui-based browsers such as IE or Firefox.
The only user agents which do support it tend to be ssl libraries or various
http-based network attached devices, such as printers.

Note that http://foo.example.com/ is the syntax for non-SSL and connection
upgrade (also known as STARTTLS in ldap, or explicit ssl in ftp) connections,
while https://foo.example.com/ syntax is always ssl and will never support
virtual hosts.

The biggest problem is that you can't identify connection upgrade in the
scheme name - so there's no good user interface to help the user request SSL
upgrade where available and when desirable, and there's not a really good
way to reinforce to the user that their 'http://foo.example.com' site is
truly secure (except the little locky icon in the status bar).  So GUI
browser developers have so far ignored this quandary.

Bill
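[Editor's added example, not code from the post above or from the httpd project.] The practical check behind Bill's and Joost's points is: on a pre-SNI listener the first <VirtualHost> for that IP:port supplies the certificate for every connection, so name-based SSL vhosting only works if that one certificate's names cover every ServerName behind the listener. The script below models that (vhost order and the sample names are constructed; wildcard matching follows RFC 6125 section 6.4.3, where '*' must be the whole leftmost label and matches exactly one label, which is why a '*.example.com' certificate covers www.example.com but neither example.com nor a.b.example.com).

```python
"""Which certificate a pre-SNI Apache listener presents, and whether it
covers every name-based SSL vhost behind it.  Added example; assumptions:
  * one IP:port listener, no SNI, so the first <VirtualHost> for that
    listener supplies the certificate for every connection;
  * wildcard matching per RFC 6125 6.4.3 ('*' is the entire leftmost
    label and matches exactly one label; partial wildcards rejected).
"""
import ipaddress


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if certificate name `pattern` covers `hostname`.

    Case-insensitive; '*' only as the entire leftmost label; the wildcard
    matches exactly one label, so '*.example.com' covers neither
    'example.com' nor 'a.b.example.com'; '*.com'-style patterns and IP
    literals are never matched by a wildcard.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    try:  # an IP literal must be matched by an exact IP entry, never '*'
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # partial ('w*.example.com') or non-leftmost wildcard
    if len(p_labels) < 3:
        return False  # refuse to treat '*.com' as a valid pattern
    if len(p_labels) != len(h_labels):
        return False  # '*' covers exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate covers `hostname`."""
    return any(wildcard_matches(n, hostname) for n in cert_names)


def check_listener(vhosts):
    """vhosts: ordered list of (ServerName, names in that vhost's cert).

    Without SNI the first vhost's certificate is handed to every client,
    so each ServerName is checked against THAT certificate, not its own.
    Returns (presented_cert_names, {ServerName: covered?}).
    """
    if not vhosts:
        return [], {}
    presented = list(vhosts[0][1])
    return presented, {name: cert_covers(presented, name) for name, _ in vhosts}


# Constructed sample: five SSL vhosts sharing one 443 listener.
VHOSTS = [
    ("www.example.com", ["*.example.com"]),
    ("mail.example.com", ["mail.example.com"]),
    ("deep.sub.example.com", ["deep.sub.example.com"]),
    ("example.com", ["example.com"]),
    ("www.example.org", ["www.example.org"]),
]


def uncovered(vhosts=VHOSTS):
    """ServerNames that would trigger a browser name-mismatch warning."""
    _, results = check_listener(vhosts)
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    presented, results = check_listener(VHOSTS)
    print("listener presents:", presented)
    for name, ok in results.items():
        print(f"  {name:24s} {'OK' if ok else 'NAME MISMATCH'}")
```

Run as-is it reports www.example.com and mail.example.com as covered by the wildcard and flags the other three; swap the first two vhosts and only mail.example.com survives, which is the "certificate of the first vhost is always used" behaviour in the quoted reply.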

Joost de Heer wrote:
>>>>NB - Remember that you can't do name-based VHs with SSL.
>>>
>>>I think Apache 2.1 can.
>>>
>>
>>You think wrong.
> 
> 
> I do think it can do it too. Although the certificate of the first vhost
> is always used, after the traffic is decrypted the vhosts act like normal
> name based vhosts. If all your vhost-domains are in the same subdomain,
> and you have a wildcard certificate for this subdomain, SSL name based
> vhosting works.
> 
> Joost
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
