tomcat-users mailing list archives

From Peter Crowther <Peter.Crowt...@melandra.com>
Subject RE: HTTPS and Virtual Hosts
Date Mon, 22 Sep 2008 10:19:28 GMT
> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> I actually can't see any
> reason why the handshake couldn't be extended to look at the
> incoming URL...

Because the URL (or at least the host header) would have to be sent over the wire in cleartext,
as it's before the encrypted connection is negotiated.  This is an information disclosure
vulnerability.

                - Peter
