List: apache-httpd-dev
Subject: Re: NameVirtualHosts & SSL
From: "Michael Harrison" <kenevel () hotmail ! com>
Date: 2005-10-25 18:55:06
Message-ID: BAY108-F12D31A25FE17BCE5548682B5760 () phx ! gbl
Thanks Graham, Joost and Sander, I hadn't expected for Apache to need to
know which virtual host to use so early in the request process.
Cheers
Mike
>From: Sander Temme <sctemme@apache.org>
>Reply-To: dev@httpd.apache.org
>To: dev@httpd.apache.org
>Subject: Re: NameVirtualHosts & SSL
>Date: Tue, 25 Oct 2005 11:34:40 -0700
>
>Mike,
>
>On Oct 25, 2005, at 10:43 AM, Kenevel wrote:
>
>
>>My question is why the server couldn't do some sort of reverse-lookup on
>>its register of SSL certificates that are in use. Surely the server knows
>>which certificate it is using to service the request (or else it wouldn't
>>be able
>>
>
>No, it doesn't. At the moment the SSL connection handshake occurs, the
>server needs to present a certificate to the client. The client has
>certain expectations of the Common Name (CN) field of the Distinguished
>Name (DN) string embedded in the certificate, so it is important that the
>server sends the correct certificate.
>
>At this point in the handshake, the server simply doesn't know enough of
>what the client wants, unless the client connects to a distinct IP address
>and the server has a virtual host configured on that IP address.
>Otherwise, the decision on which virtual host to send the request to is
>made way too late.
>
>
>>to decrypt its contents) and hence work out which virtual host uses that
>>certificate? This approach means of course that each name-based virtual
>>host would have to use a different certificate - but as those sites are
>>more than likely on different domains the certificates would necessarily
>>be different.
>>
>
>There is an extension to the TLS ClientHello that allows the client to
>indicate which servername it is trying to connect to: see
>http://www.ietf.org/rfc/rfc3546.txt paragraph 3.1. However, I don't think
>mod_ssl currently supports this. mod_gnutls may be closer, you may want to
>check that out. Of course, until enough of your client base supports this
>extension it is perfectly useless to you.
>
>S.
>
>--
>sander@temme.net http://www.temme.net/sander/
>PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
>
>