[Techtalk] SSL and name-based virtual hosting

Luke Woods lwoods at netstarnetworks.com
Mon Sep 15 00:17:18 EST 2003


There are a couple of reasons why you need to assign an SSL key to a
certain virtual host.


1) SSL keys are created for an exact hostname, eg. www.secure.com.  You
-are- able to add in more than one "name" per virtual host, however this
will pop up a message to the user stating that the site you are going to
(eg. Someothersite.com) is not the site the key was created for,
therefore the user's browser will pop up a message stating that the
validity of the key can't be assured.

2) When you configure a virtual host for an SSL key it binds to the
configured address (Real world IP address assigned to that machine) a
daemon listening on port 443 (https) specifically for that SSL key. This
is the case simply because all of the HTTP transaction is encrypted,
including the host header, making it impossible to do name based virtual
hosts with SSL.

I hope this is of some help.

Regards,
Luke Woods.  

-----Original Message-----
From: techtalk-bounces at linuxchix.org
[mailto:techtalk-bounces at linuxchix.org] On Behalf Of J Neefer!
Sent: Sunday, 14 September 2003 2:10 PM
To: techtalk at linuxchix.org
Subject: Re: [Techtalk] SSL and name-based virtual hosting


On Sep 12, 2003 at 04:35PM (-0400), Katie Bechtold said:
> I read the following in the documentation for Apache 2.0:
> 
> "Name-based virtual hosting cannot be used with SSL secure servers 
> because of the nature of the SSL protocol."
> 
> I'm curious about that statement.  Despite running an SSL-enabled web 
> server, I know little about SSL.  What is it about the SSL protocol 
> that is incompatible with name-based virtual hosting?

I think they are trying to get across the point that SSL certs are
registered to a specific server hostname.

Therefore if you are using name-based virtual hosting on a server with
an SSL cert, all but one of the virtual hosts will not match 
the name of the SSL cert.  When you try to make an SSL connection to 
a hostname that has a cert, the browser compares the hostname your 
browser requested to the one in the cert, and returns an error on a
mismatch.

I would guess that you could work around this by buying an SSL cert 
for each virtual domain -- but the above-quoted documentation may 
be indicating that Apache doesn't have a way to specify in the config 
file that one virtual host should use a different SSL key/cert than 
another virtual host.


--Neef


_______________________________________________
Techtalk mailing list
Techtalk at linuxchix.org
http://mailman.linuxchix.org/mailman/listinfo/techtalk
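The following is an added example, not code from the thread or from Apache: a small Python model of the two points made above. It implements the browser-side check (does the requested hostname match a name in the certificate, including the multi-name and wildcard cases) and a listener that, like the daemon Luke describes, must pick a certificate knowing only the address it accepted on, because the Host header only becomes readable after the handshake. The certificates, virtual hosts and 192.0.2.x addresses are constructed stand-ins; the hostnames are the ones used in the thread.

```python
# Added example (not from the thread): a model of certificate name matching and of
# why a per-address https daemon cannot pick a certificate per virtual host name.
# Certificates, vhosts and addresses below are constructed stand-ins.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Stand-in for an X.509 certificate: only the names it was issued for matter here."""
    subject_cn: str
    san_dns: tuple[str, ...] = ()

    def names(self) -> tuple[str, ...]:
        # Browsers use subjectAltName dNSName entries when present; the CN is the legacy fallback.
        return self.san_dns if self.san_dns else (self.subject_cn,)


def hostname_matches(cert: Certificate, hostname: str) -> bool:
    """The browser-side check the thread describes: does the requested hostname match
    a name in the certificate?  Case-insensitive; a wildcard is accepted only as the
    entire leftmost label and only when at least two labels follow it."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert.names():
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host) or "*" in pat[1:]:
            continue  # label count must agree; wildcard allowed only in the leftmost label
        if pat[0] == "*" and len(pat) < 3:
            continue  # refuse over-broad patterns such as "*.com"
        if all(p == "*" or p == h for p, h in zip(pat, host)):
            return True
    return False


@dataclass(frozen=True)
class VirtualHost:
    server_name: str
    cert: Certificate


class Listener:
    """One https daemon bound to (ip, port), as in point 2 above.

    At handshake time the daemon knows only the address it accepted on: the Host
    header is inside the encrypted stream and cannot be read until the handshake
    has finished, so the certificate must be chosen per address, not per name."""

    def __init__(self, ip: str, port: int = 443) -> None:
        self.address = (ip, port)
        self.vhosts: list[VirtualHost] = []

    def add(self, vhost: VirtualHost) -> None:
        self.vhosts.append(vhost)

    def certificate_for_handshake(self) -> Certificate:
        # Nothing but the address is available, so the first vhost's certificate is
        # presented to every client that connects to this address.
        return self.vhosts[0].cert

    def route(self, host_header: str) -> VirtualHost | None:
        # Only possible once the handshake is done and the request is decrypted.
        for v in self.vhosts:
            if v.server_name.lower() == host_header.lower():
                return v
        return None


def simulate_https_request(listener: Listener, requested_host: str) -> dict:
    """Walk one https request through the listener and report what the browser sees."""
    cert = listener.certificate_for_handshake()
    vhost = listener.route(requested_host)
    return {
        "presented_names": cert.names(),
        "hostname_ok": hostname_matches(cert, requested_host),
        "routed_to": vhost.server_name if vhost else None,
    }


def names_that_warn(listener: Listener) -> list[str]:
    """Server names on this listener whose visitors will get a name-mismatch warning."""
    cert = listener.certificate_for_handshake()
    return [v.server_name for v in listener.vhosts if not hostname_matches(cert, v.server_name)]


if __name__ == "__main__":
    secure = Certificate("www.secure.com")        # constructed sample certificate
    other = Certificate("someothersite.com")      # constructed sample certificate

    # Name-based: both vhosts share one address, so only one certificate can be presented.
    shared = Listener("192.0.2.10")
    shared.add(VirtualHost("www.secure.com", secure))
    shared.add(VirtualHost("someothersite.com", other))
    print(simulate_https_request(shared, "someothersite.com"))
    print("warns:", names_that_warn(shared))      # ['someothersite.com']

    # IP-based: one address per vhost, each presenting its own certificate.
    a, b = Listener("192.0.2.10"), Listener("192.0.2.11")
    a.add(VirtualHost("www.secure.com", secure))
    b.add(VirtualHost("someothersite.com", other))
    print("warns:", names_that_warn(a) + names_that_warn(b))  # []
```

Running the script shows the request for someothersite.com being routed correctly after the handshake yet failing the name check, because the certificate presented before routing was www.secure.com's; giving each vhost its own address clears the warnings. The model reflects the 2003 picture in the thread, where the server learns the requested name only after the handshake; later TLS added a Server Name Indication extension that carries the name in the clear during the handshake, which is what allows per-name certificates on a single address today.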
