> Can someone maybe, just a little bit, say something about what SNI might be,
> and/or point to some Apache doc related to it?
> I feel (again) like some acronym passed me by.
> And yes, I'll go check that FAQ, but as of right now in Western Europe, it
> does not talk of SNI yet.

When a client issues an HTTP/1.1 request, they supply the desired Hostname in the Host: header. Apache uses this to determine which name-based vhost to use.

When a client does HTTP over SSL, and both sides don't do SNI, Apache has to perform the full handshake using parameters available before the HTTP Host header is available -- currently just the IP and Port the connection is being handled on. Apache can pick the cert and cipher settings from the right IP-based vhost, but can't think about ServerName/ServerAlias.

When a client does HTTP over SSL and both sides use SNI, the client's initial TLS handshake includes a string that indicates the requested server's hostname (Server Name Indication). A webserver and a security library that understand this special extension can use it to select a certificate/ciphers based on this very early information.

So net it's like the HTTP/1.1 Host: header but it's stuffed into an early handshake message, so the server can select handshake parameters from name-based vhosts.

--
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.