Folks, ALL flavors of mod_ssl can do name based hosting, but it's entirely irrelevant unless you use a wildcard certificate whose pattern matches all of the domains hosted, because the server and client handshake a specific set of certificates LONG BEFORE the client ever sends the 'Host: hostname' header. Multiple certificates for a single listener are not possible.

Apache 2.1 can do Upgrade: Connection, and handshake SSL after headers are sent (therefore choosing the right certificate) but NONE of today's user agents (clients) support this for gui-based browsers such as IE or Firefox. The only user agents which do support it tend to be ssl libraries or various http-based network attached devices, such as printers.

Note that http://foo.example.com/ is the syntax for non-SSL and connection upgrade (also known as STARTTLS in ldap, or explicit ssl in ftp) connections, while https://foo.example.com/ syntax is always ssl and will never support virtual hosts.

The biggest problem is that you can't identify connection upgrade in the scheme name - so there's no good user interface to help the user request SSL upgrade where available and when desirable, and there's not a really good way to reinforce to the user that their 'http://foo.example.com' site is truly secure (except the little locky icon in the status bar). So GUI browser developers have so far ignored this quandary.

Bill

Joost de Heer wrote:
NB - Remember that you can't do name-based VHs with SSL.

I think Apache 2.1 can.

You think wrong.

I do think it can do it too. Although the certificate of the first vhost is always used, after the traffic is decrypted the vhosts act like normal name based vhosts. If all your vhost-domains are in the same subdomain, and you have a wildcard certificate for this subdomain, SSL name based vhosting works.

Joost

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
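An added example, not part of the thread above: since the listener presents one certificate before any Host header arrives, this check lists which name-based vhosts that certificate's names fail to cover. The function names and sample hostnames are hypothetical, and the wildcard is matched with the usual rule that `*` stands for exactly one left-most label.

```python
def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.example.com' covers 'foo.example.com' but not
    'example.com' or 'a.b.example.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Refuse overly broad patterns such as '*.com' or a bare '*'.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_vhosts(cert_names, vhosts):
    """Return the vhost names that none of the certificate names cover.

    Every name returned here would be served the listener's certificate
    anyway and give clients a name-mismatch warning.
    """
    return [v for v in vhosts
            if not any(name_matches(n, v) for n in cert_names)]


# Constructed sample data: one wildcard certificate, four name-based vhosts.
CERT_NAMES = ["*.example.com"]
VHOSTS = ["foo.example.com", "bar.example.com",
          "example.com", "shop.foo.example.com"]

if __name__ == "__main__":
    for name in uncovered_vhosts(CERT_NAMES, VHOSTS):
        print("certificate does not cover:", name)
```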