Jochen Schulz wrote:
> The problem is/was that the TLS handshake was initiated before the
> HTTP request was sent. Since only the request included the
> Host-Header, the web server couldn't show a certificate for the
> requested domain name. A better explanation can be found here:
>
> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

Right. That has been the limitation for a long time. Being well aware of that limitation was why I was asking about this when I heard otherwise.

Boyd Stephen Smith Jr. wrote:
> http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Jochen Schulz wrote:
> In order to fix this problem, the TLS protocol had to be extended:
> http://www.ietf.org/rfc/rfc3546.txt
> I only read the introduction, but it appears that the client may now
> simply send the relevant hostname before the server presents its
> certificate.

I have been waiting for just such a feature to appear! All very interesting references. Thanks both of you for sharing them.

> Modern browsers appear to support that TLS extension:
> https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_Indication#Browsers

I will implement this in a test installation and get some experience with this feature. The future looks brighter!

> When using this, you run into problems with IE<7, though…
> Personally, I have never seen this in production.

Let me vilify MSIE 6 and say that it needs to die. Its use is damaging to the community. Unfortunately I still need to deal with MSIE 6 and can't ignore it. I have a client who provides management training classes and looking just now I see that 28% of his paying customers in the last six months used MSIE 6. Most of those are from corporate accounts where a large bureaucratic IT department controls everything with an iron fist. In this economy it isn't a good idea to walk away from the money of a paying customer. And so I am still dealing with MSIE 6.

But of course that is just one situation. For other situations things will go the other way. I have one site in particular where this isn't a limitation and could really benefit from this feature. I will try it out there and I am confident there won't be any issues with it. If more sites implemented SNI and prevented MSIE6 from functioning then it would cause greater pressure for those users to move forward to another browser.

In that spirit I think everyone should implement it! If everyone did then the MSIE6 problem would be forced to be resolved very quickly.

Bob