From: Peter Crowther
To: 'Tomcat Users List'
Date: Mon, 22 Sep 2008 11:19:28 +0100
Subject: RE: HTTPS and Virtual Hosts

> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> I actually can't see any
> reason why the handshake couldn't be extended to look at the
> incoming URL...

Because the URL (or at least the host header) would have to be sent over the wire in cleartext, as it's before the encrypted connection is negotiated. This is an information disclosure vulnerability.

- Peter