
List:       apache-httpd-dev
Subject:    Re: NameVirtualHosts & SSL
From:       "Michael Harrison" <kenevel () hotmail ! com>
Date:       2005-10-25 18:55:06
Message-ID: BAY108-F12D31A25FE17BCE5548682B5760 () phx ! gbl

Thanks Graham, Joost and Sander, I hadn't expected for Apache to need to 
know which virtual host to use so early in the request process.

Cheers

Mike

>From: Sander Temme <sctemme@apache.org>
>Reply-To: dev@httpd.apache.org
>To: dev@httpd.apache.org
>Subject: Re: NameVirtualHosts & SSL
>Date: Tue, 25 Oct 2005 11:34:40 -0700
>
>Mike,
>
>On Oct 25, 2005, at 10:43 AM, Kenevel wrote:
>
>
>>My question is why the server couldn't do some sort of reverse-lookup on its
>>register of SSL certificates that are in use. Surely the server knows which
>>certificate it is using to service the request (or else it wouldn't be able
>>
>
>No, it doesn't. At the moment the SSL connection handshake occurs, the
>server needs to present a certificate to the client. The client has
>certain expectations of the Common Name (CN) field of the Distinguished
>Name (DN) string embedded in the certificate, so it is important that the
>server sends the correct certificate.
>
>At this point in the handshake, the server simply doesn't know enough of
>what the client wants, unless the client connects to a distinct IP address
>and the server has a virtual host configured on that IP address.
>Otherwise, the decision on which virtual host to send the request to is
>made way too late.
>
>
>>to decrypt its contents) and hence work out which virtual host uses that
>>certificate? This approach means of course that each name-based virtual host
>>would have to use a different certificate - but as those sites are more than
>>likely on different domains the certificates would necessarily be different.
>>
>
>There is an extension to the TLS ClientHello that allows the client to
>indicate which servername it is trying to connect to: see
>http://www.ietf.org/rfc/rfc3546.txt paragraph 3.1. However, I don't think
>mod_ssl currently supports this. mod_gnutls may be closer, you may want to
>check that out. Of course, until enough of your client base supports this
>extension it is perfectly useless to you.
>
>S.
>
>--
>sander@temme.net              http://www.temme.net/sander/
>PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
>
>