httpd-users mailing list archives

From Yehuda Katz <>
Subject Re: [users@httpd] Virtual Hosts and SSL Puzzler
Date Tue, 22 Oct 2013 13:22:09 GMT
On Tue, Oct 22, 2013 at 9:10 AM, Chris Gordon <> wrote:

>  SSL wraps http and you need a cert to decrypt the data sent via SSL.  If
> you have 3 virtual hosts and you are using Name Based Virtual Hosting how
> does the Apache web server know which cert to use to decrypt and read the
> header so it can properly route the data.  The short answer per my
> understanding is that Apache has no clue and uses the default vhost's
> cert (the first one in the config file) to read the SSL.  If these were all
> the same domain such as, and could get
> away with using the same *.
> wildcard cert.   Here is a good doc with these workarounds:
> I'm guessing your problem is somewhere in this domain.  I believe that
> Name Based Virtual Hosting is not the answer for you.  Try IP Based:

If that were the case, the browser would show a certificate error on all
but one host, not a partial error on just one of them.
I would go with Pete's answer first (that there might be images or
javascript served from http).

> or use a wildcard cert...  Here is a warning about your config and a
> better explanation I presume:
> I just ran into this.  Silly me for not realizing that a Web Server that
> routes based on headers would need to read the encrypted header to route
> it.  Chicken-Egg problem.

There is a solution for this which Apache supports: Server Name Indication.
This lets the browser send the domain name requested before Apache chooses
a certificate to help it choose the correct one.


- Y
