At 02:51 AM 03/26/2001, you wrote:
>David Rees wrote:
> >
> > Please read the FAQ.
> >
> > http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> >
> > This question comes up so often it should be in the .sig of the list!
> >
>Either nobody ever reads the FAQ (quite probable) or the FAQ entry is
>rather hard to understand (personally, my eyes glaze over when the first
>line says "the reason is very technical...").
>
>Might I propose the following addendum:
>
>
>Q: Why is it not possible to use Name-Based Virtual Hosting to identify
>different SSL virtual hosts?
>
>A: Name-Based Virtual Hosting is a very popular method of identifying
>different virtual hosts. It allows you to use the same IP address and
>the same port number for many different sites. When people move on to
>SSL, it seems natural to assume that the same method can be used to have
>lots of different SSL virtual hosts on the same server.
>
>It comes as rather a shock to learn that it is impossible.
>
>The reason is that the SSL protocol is a separate layer which
>encapsulates the HTTP protocol. So the problem is that the SSL session
>is a separate transaction that takes place before the HTTP session even
>starts. Therefore all the server receives is an SSL request on IP
>address X and port Y (usually 443). Since the SSL request does not
>contain any Host: field, the server has no way to decide which SSL
>virtual host to use. Usually, it will just use the first one it finds
>that matches the port and IP address.
>
>You can, of course, use Name-Based Virtual Hosting to identify many
>non-SSL virtual hosts (all on port 80, for example) and then you can
>have no more than 1 SSL virtual host (on port 443). But if you do this,
>you must make sure to put the non-SSL port number on the NameVirtualHost
>directive, e.g.
>
>      NameVirtualHost 192.168.1.1:80
>
>Other workaround solutions are:
>
>      Use separate IP addresses for different SSL hosts.
>      Use different port numbers for different SSL hosts.
>
>
>Rgds,
>
>Owen Boyle.

It appears two name based SSL sites can share the same IP address
provided they use the same certificate and key.  The browser
complains about the name mismatch, but the user can browse the site.
It also appears that "DocumentRoot" and other commands work as
expected, and each site can start in its own ~secure web page.
Although this would be unacceptable for some web sites, it may be
acceptable for others.

Dave
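The FAQ text above hinges on one fact: the ClientHello the server sees before any HTTP is exchanged carries no host name, so there is nothing to select a virtual host on. The following added example (not from this thread or from mod_ssl) makes that concrete by parsing a TLS ClientHello for a server name; it goes beyond the 2001 situation by also handling the later server_name (SNI) extension, which is how modern clients supply the name the FAQ says is missing. Both hellos it inspects are constructed in the code, not captured traffic.

```python
import struct
from typing import Optional

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello (record + handshake framing).
    Constructed test input only; not captured from a real client."""
    body = b"\x03\x01" + bytes(32)                 # client_version, random (zeroed)
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"     # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                            # one compression method: null
    if server_name is not None:                    # optional SNI extension (RFC 6066)
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 0x16 = handshake

def client_hello_server_name(data: bytes) -> Optional[str]:
    """Return the host_name named in a ClientHello, or None when the hello
    names no host (the FAQ's case: the server has nothing to route on)."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(data[6:9], "big")
    p, end = 9, 9 + hs_len
    p += 2 + 32                                    # client_version + random
    p += 1 + data[p]                               # session_id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]  # cipher_suites
    p += 1 + data[p]                               # compression_methods
    if p >= end:
        return None                                # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", data[p:p + 4])
        p += 4
        if etype == 0x0000:                        # server_name extension
            q = p + 2                              # skip server_name_list length
            while q + 3 <= p + elen:
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:
                    return data[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        p += elen
    return None
```

A server that receives the first hello has only the destination IP and port to go on, which is exactly why the FAQ's workarounds are separate addresses or ports; the second hello is what lets a modern server pick the matching certificate.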


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
