Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
Received-SPF: pass (athena.apache.org: local policy)
In-Reply-To: <4D3D42D6.1080906@ics.muni.cz>
References: <AANLkTikPLhMKz1r5g+uJf6f1YcQ-fz0D5zp=EDd83vEh@mail.gmail.com>
 <OFB8B7CED7.0B6D01C6-ON8525781F.0074A903-8525781F.00751494@geigerus.com>
 <4D3D42D6.1080906@ics.muni.cz>
To: users@httpd.apache.org
MIME-Version: 1.0
Message-ID: 
 <OF9D1CDA14.0DED24EE-ON85257822.0055DB75-85257822.005606EA@geigerus.com>
From: Wolfgang.Miska@geigerus.com
Date: Mon, 24 Jan 2011 10:39:39 -0500
Content-Type: multipart/alternative;
 boundary="=_alternative 005606E885257822_="
Subject: Re: [users@httpd] Name-based SSL virtual hosts

--=_alternative 005606E885257822_=
Content-Type: text/plain; charset="US-ASCII"

Hi Martin,

Thanks for the info. Guess I have some reading to do!

My Best!

Wolfgang

Wolfgang Miska
Executive Vice President

GEIGER of Austria, Inc.
38 Pond Lane
P.O. Box 728
Middlebury, VT 05753-0728

(802) 388-3156  (802) 388-9745 Fax

www.geigerofaustria.com


Martin Kuba <makub@ics.muni.cz> 
01/24/2011 04:13 AM
Please respond to
users@httpd.apache.org


To
users@httpd.apache.org
cc

Subject
Re: [users@httpd] Name-based SSL virtual hosts


Hi Wolfgang,

there is a chicken-and-egg problem with name-based virtual hosts
and SSL. The SSL connection is established *before* HTTP communication,
so the SSL server does not know what Host: HTTP header will be sent
in the moment it decides which SSL server certificate to send.

So for SSL HTTP servers, each server needs its own IP address,
virtual named-based hosts are not possible.

There is  a solution for this problem, it is a change in the SSL protocol
which allows to send host name in the SSL handshake. However it is not
supported by all web browsers.

For details see
http://en.wikipedia.org/wiki/Server_Name_Indication#The_fix

In a nutshell, if you want to support MSIE on Windows XP, you cannot use 
it.

I solve this by using one IP address for all SSL servers with the same DNS 
domain owner,
and a SSL server certificate that has all the server names as 
subjectAltNames.
That works for all browsers, but it is some hassle to create a new 
certificate
for all names each time a new SSL server is added.

Cheers

Martin

Dne 21.1.2011 22:18, Wolfgang.Miska@geigerus.com napsal(a):
> Hi,
>
> I am not too familiar with Apache, so the following message has stumped 
me.
>
> [warn] Init: Name-based SSL virtual hosts only work for clients with TLS 
server name indication support (RFC 4366)
>
> Can somebody explain what that means and what are the consequences?
>
> Thanks so much!
>
>
> Wolfgang


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Supercomputing Center Brno             Martin Kuba
Institute of Computer Science    email: makub@ics.muni.cz
Masaryk University             http://www.ics.muni.cz/~makub/
Botanicka 68a, 60200 Brno, CZ     mobil: +420-603-533775
--------------------------------------------------------------


--=_alternative 005606E885257822_=
Content-Type: text/html; charset="US-ASCII"

<font size=2 face="sans-serif">Hi Martin,</font>
<br>
<br><font size=2 face="sans-serif">Thanks for the info. Guess I have some
reading to do!</font>
<br>
<br><font size=2 face="sans-serif">My Best!</font>
<br>
<br><font size=2 face="sans-serif">Wolfgang</font>
<br>
<br><font size=2 face="sans-serif">Wolfgang Miska<br>
Executive Vice President<br>
<br>
GEIGER of Austria, Inc.<br>
38 Pond Lane<br>
P.O. Box 728<br>
Middlebury, VT 05753-0728<br>
<br>
(802) 388-3156 &nbsp;(802) 388-9745 Fax<br>
<br>
</font><a href=www.geigerofaustria.com><font size=2 face="sans-serif">www.geigerofaustria.com</font></a>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Martin Kuba &lt;makub@ics.muni.cz&gt;</b>
</font>
<p><font size=1 face="sans-serif">01/24/2011 04:13 AM</font>
<table border>
<tr valign=top>
<td bgcolor=white>
<div align=center><font size=1 face="sans-serif">Please respond to<br>
users@httpd.apache.org</font></div></table>
<br>
<td width=59%>
<table width=100%>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td valign=top><font size=1 face="sans-serif">users@httpd.apache.org</font>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td valign=top>
<tr>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td valign=top><font size=1 face="sans-serif">Re: [users@httpd] Name-based
SSL virtual hosts</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><tt><font size=2>Hi Wolfgang,<br>
<br>
there is a chicken-and-egg problem with name-based virtual hosts<br>
and SSL. The SSL connection is established *before* HTTP communication,<br>
so the SSL server does not know what Host: HTTP header will be sent<br>
in the moment it decides which SSL server certificate to send.<br>
<br>
So for SSL HTTP servers, each server needs its own IP address,<br>
virtual named-based hosts are not possible.<br>
<br>
There is &nbsp;a solution for this problem, it is a change in the SSL protocol<br>
which allows to send host name in the SSL handshake. However it is not<br>
supported by all web browsers.<br>
<br>
For details see<br>
</font></tt><a href=http://en.wikipedia.org/wiki/Server_Name_Indication#The_fix><tt><font size=2>http://en.wikipedia.org/wiki/Server_Name_Indication#The_fix</font></tt></a><tt><font size=2><br>
<br>
In a nutshell, if you want to support MSIE on Windows XP, you cannot use
it.<br>
<br>
I solve this by using one IP address for all SSL servers with the same
DNS domain owner,<br>
and a SSL server certificate that has all the server names as subjectAltNames.<br>
That works for all browsers, but it is some hassle to create a new certificate<br>
for all names each time a new SSL server is added.<br>
<br>
Cheers<br>
<br>
Martin<br>
<br>
Dne 21.1.2011 22:18, Wolfgang.Miska@geigerus.com napsal(a):<br>
&gt; Hi,<br>
&gt;<br>
&gt; I am not too familiar with Apache, so the following message has stumped
me.<br>
&gt;<br>
&gt; [warn] Init: Name-based SSL virtual hosts only work for clients with
TLS server name indication support (RFC 4366)<br>
&gt;<br>
&gt; Can somebody explain what that means and what are the consequences?<br>
&gt;<br>
&gt; Thanks so much!<br>
&gt;<br>
&gt;<br>
&gt; Wolfgang<br>
<br>
<br>
-- <br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
Supercomputing Center Brno &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Martin
Kuba<br>
Institute of Computer Science &nbsp; &nbsp;email: makub@ics.muni.cz<br>
Masaryk University &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </font></tt><a href=http://www.ics.muni.cz/~makub/><tt><font size=2>http://www.ics.muni.cz/~makub/</font></tt></a><tt><font size=2><br>
Botanicka 68a, 60200 Brno, CZ &nbsp; &nbsp; mobil: +420-603-533775<br>
--------------------------------------------------------------<br>
<br>
</font></tt>
<br>
--=_alternative 005606E885257822_=--