httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite
Date Tue, 16 Jun 2015 21:54:39 GMT
On Tue, Jun 16, 2015 at 10:48 PM, karl karloff <karlkarloff@hotmail.com> wrote:
> I am attempting to set up more than one subdomain on :443 in this example.
>
> so something like
> sslv3.example.com:443 responds with SSLv3 only
> tlsv1.example.com:443 responds with TLSv1.0 only
> ...
>
> I wasn't aware that could be achieved using the ServerName directive.
>
> The underlying IP/interface should be the same for all subdomains, but each subdomain
responds by accepting only a single SSLProtocol.
>
> Does that make sense?

It does, however there is a limitation currently in OpenSSL in that it
can't renegotiate the protocol.
Hence this configuration will work only with browsers/clients
supporting (and advertising) the Server Name Indication (SNI), which
allows to select the correct VirtualHost before the negotiation
occurs.
Otherwise, Apache HTTPd will have to negotiate before being able to
read the requested Host header, and hence determine the VirtualHost.
Thus it will do the negotiation occording to the parameters (protocol,
ciphers, ...) of the first vhost declared on the listening IP:port.
If finally the determined vhost is not the one used for the
negotiation, it will ask for a renegotiation which, as said above,
won't take the SSLProtocol into consideration due to OpenSSL not being
able to do that (the SSLCipherSuite can be renegotiated though).

So all should be fine with SNI only.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message