RE: [users@httpd] adding SSL - is a distinct virtual host mandatory?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> -----Original Message-----
> From: William A. Rowe, Jr. [mailto:wrowe@xxxxxxxxxxxxx]
> Sent: Dienstag, 4. Oktober 2005 08:50
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: [users@httpd] adding SSL - is a distinct virtual host
> mandatory?
> 
> 
> Boyle Owen wrote:
> > 
> > Just to clear up some apparent confusion on this thread: I 
> think the point everyone is missing is that an SSL-encrypted 
> website uses a *different protocol* than plain old HTTP. 
> Instead of thinking of SSL as some sort of add-on (like 
> mod_perl) to a "normal" website, look carefully at the 
> protocol part of the address - it is "https". So, at a 
> network level, HTTPS is as distinct from HTTP as FTP or SMTP.
> 
> To correct you, the PROTOCOL remains HTTP, e.g., the 
> https://localhost/
> request sends...
> 
> GET / HTTP/1.1
> Host: localhost

Well, I was trying to clear some confusion without everyone's eyes glazing over. That inevitably means taking shortcuts with the precise details of HTTPS session negotiation.

What you are actually looking at above is the the HTTP session that occurs *after* the HTTPS channel has been established. As you probably know, the first thing that happens when an HTTPS client contacts a server is that it obtains the server's public key which it then uses while the client and server negotiate which cipher to use and decide on a symmetric key. Once the encrypted session has been established, the internal protocol is indeed HTTP.

The precise description is to say that HTTPS encapsulates HTTP. That is, it is *additional* layer on the protocol stack, rather than a replacement.

This is the root of the famous can't-do-name-based-VH-with-SSL problem. As you mention, the upgrade facility solves this by further encapsulating HTTPS in an outer layer of HTTP (kind of...) and I'm sure we all can't wait for that to happen :-)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

PS - the point remains; you can't serve HTTPS and HTTP on the same socket - which is what the guy was originally wondering about.

> 
> (notice, no 'https').
> 
> Yes, mod_ssl will change the scheme to https, but that's incidental.
> 
> > Once you see that, you should see that obviously it needs a 
> distinct TCP/IP socket (ie, IP address and/or port number).
> 
> Sort of - kind of.
> 
> Pure SSL, yes, must be on a different socket.
> 
> The http/ssl upgrade facility (RFC 2817) provides a mechanism for
> clients to connect with plain text, and then switch to ssl.
> 
> Granted, I'm being pedantic, since no modern client supports this.
> Apache 2.1-dev does, some hacks at 2.0 do, and many network print
> devices handle it.  This has the advantage that the client sends
> the upgrade request with a Host: header, so that name-based, SSL
> vhosting becomes a possibililty.
> 
> Bill
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
>
 
 
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender’s company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender’s company.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux