tomcat-users mailing list archives

From "Johnny Kewl" <>
Subject Re: HTTPS and Virtual Hosts
Date Mon, 22 Sep 2008 10:14:09 GMT

----- Original Message ----- 
From: "André Warnier" <>
To: "Tomcat Users List" <>
Sent: Monday, September 22, 2008 10:57 AM
Subject: HTTPS and Virtual Hosts

> Hi.
> I'm not an expert at anything below, that's why I am asking.
> I am also not looking for a very precise answer, just a rough summary.
> The question :
> As I remember from reading about this a while ago, there is/was a 
> fundamental incompatibility between the HTTP Virtual Host mechanism, and 
> HTTPS/SSL, in the sense that there is some egg-and-chicken problem 
> involved, which roughly goes like this :
> - the client connects to the host and requests an encrypted connection to 
> a certain hostname
> - the host and client negotiate the encryption (based or not on the name 
> of the host)
> - on subsequent requests, the client sends the request encrypted, 
> including the "Host:" header that (according to the HTTP protocol) should 
> indicate the name of the Virtual Host it wants to talk to
> - the server should decode the request (including this "Host:" HTTP 
> header) in order to determine which Host the request is addressed to, but 
> it can't because it does not know which host it is yet, and thus cannot 
> decode the request
> - we are thus stuck
> Is the above, very roughly and approximately still a valid explanation 
> of what happens, or is it totally wrong, or has something changed 
> in-between that I am unaware of ?
> Thanks


Mmmmmmm yes... kinda

Andre, check out the handshake in SSL...
Keeping it very conceptual... the secure system between a browser and server 
is owned by Verisign, or GoDaddy, or whatever CA.

And it is checking a few things...
Like the domain name used and the expiry date...

So when you buy a cert and give them
That's it...

This is because the cert is pulled (checked) during the handshake... and 
"host headers" only come later...

.... that's the official version of the story, but I actually can't see any 
reason why the handshake couldn't be extended to look at the incoming URL... 
other than people would start doing server tricks and making extra free 
certs ;)

I conclude... it's more about biz than it is about technology.... 
certificates are sold per domain... this is the real issue ;)

It's actually interesting, because when we were making the Pojo server, this 
issue came up... especially because we want to give the company using the 
system the ability to be a CA... so we dropped the domain check, and then 
the only condition on the server is that the administrator knows the private 
... clearly a really crap biz model because one can use the certs on a 
million servers... but an interesting thing happens...

... virtual hosts are NOT an issue
... It's secure on any port

Ha ha... it's about the biz model.... I believe ;)

Hell they got to make money and it is beeeeeeeeeeeeeeeeeeg bucks... a local 
chap made a cool 3 billion dollars out of his CA ;)

.... Yup... I think it's about biz ;)

The most powerful application server on earth.
The only real POJO Application Server.
See it in Action :
