Re: Apache SSL named based virtual hosts
- From: Jochen Schulz <ml@xxxxxxxxxxxxxxxx>
- Date: Mon, 24 Jan 2011 21:49:08 +0100
Bob Proulx:
> Boyd Stephen Smith Jr. wrote:
> > ... Apache (from upstream) has supported it for a while and I've had
> > it in production (system based on Ubuntu Maverick) for a number of
> > months.
>
> Re: NameVirtualHost *:443
>
> This is good to hear but if so then how do they pull that off? I
> thought for https that the certificate negotiation was tied to the IP
> address? No?
The problem is/was that the TLS handshake was initiated before the HTTP
request was sent. Since only the request included the Host-Header, the
web server couldn't show a certificate for the requested domain name.
A better explanation can be found here:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
In order to fix this problem, the TLS protocol had to be extended:
http://www.ietf.org/rfc/rfc3546.txt
I only read the introduction, but it appears that the client may now
simply send the relevant hostname before the server presents its
certificate.
Modern browsers appear to support that TLS extension:
https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_Indication#Browsers
When using this, you run into problems with IE<7, though… Personally, I
have never seen this in production.
J.
--
I wear a lot of leather but would never wear fur.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>