Deocs Postmaster wrote:
> It appears two name based SSL sites can share the same IP address
> provided they use the same certificate and key. The browser
> complains about the name mismatch, but the user can browse the site.
> It also appears that "DocumentRoot" and other commands work as
> expected, and each site can start in its own ~secure web page.
> Although this would be unacceptable for some web sites, it may be
> acceptable for others.
>
This is absolutely correct but it is accidental behaviour... What
happens is:
- a user requests either SSL site
- the server gets only the IP address and port 443 (no hostname since
HTTP hasn't started yet) so it goes to the first VH which matches the IP
& port and takes the certificate from there.
- Now SSL is established (symmetric session keys are exchanged)
- so subsequent requests are handled like HTTP and virtual hosting
"works".
As you point out, at least one of the sites has to have a domain name
which doesn't match the certificate, which will lead to warnings in the
browser. The transfers will be encrypted, however.
This might be OK for some users who run a few related sites but it is
not a general solution for a web-hoster running many unrelated sites.
You can't authenticate the site if it uses another site's certificate,
which makes e-commerce a bit tricky... (would you send your credit card
number to Amazon if your browser was warning you that the certificate
actually belonged to Fred Bloggs?)
If anyone does want to use this technique, remember to put the VH
containing the certificate FIRST in httpd.conf because that is the only
one that apache will look in for the certificate.
Rgds,
Owen Boyle.
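The selection sequence described in the reply, as an added model for illustration (not mod_ssl or Apache code): the VirtualHost class, the field names and the sample hosts are constructed, and it shows which sites on a shared IP:port will draw the browser's name-mismatch warning depending on httpd.conf order.

```python
# Added illustration of the behaviour described above; a model, not mod_ssl's code.
# VirtualHost, its fields and all sample values are constructed for this example.
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class VirtualHost:
    server_name: str                      # ServerName directive
    ip: str                               # address in the <VirtualHost ip:port> header
    port: int
    cert_names: Optional[tuple] = None    # hostnames the VH's certificate covers, None if it has none


def select_tls_vhost(vhosts: Sequence[VirtualHost], ip: str, port: int) -> VirtualHost:
    """Before HTTP starts only ip:port is known, so the first VirtualHost in
    httpd.conf order that matches ip:port supplies the certificate."""
    for vh in vhosts:
        if vh.ip == ip and vh.port == port:
            return vh
    raise LookupError(f"no VirtualHost for {ip}:{port}")


def route_request(vhosts: Sequence[VirtualHost], ip: str, port: int, host_header: str) -> VirtualHost:
    """Once the session keys are exchanged, the Host: header selects the
    VirtualHost exactly as for plain name-based HTTP hosting."""
    candidates = [vh for vh in vhosts if vh.ip == ip and vh.port == port]
    for vh in candidates:
        if vh.server_name.lower() == host_header.lower():
            return vh
    return candidates[0]          # fall back to the first (default) host


def name_matches(cert_name: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        return hostname.count(".") == cert_name.count(".") and hostname.endswith(cert_name[1:])
    return cert_name == hostname


def mismatched_sites(vhosts: Sequence[VirtualHost]) -> list:
    """Sites whose visitors get a name-mismatch warning, because the certificate
    actually served is the one in the first VirtualHost on that ip:port."""
    bad = []
    for vh in vhosts:
        names = select_tls_vhost(vhosts, vh.ip, vh.port).cert_names or ()
        if not any(name_matches(n, vh.server_name) for n in names):
            bad.append(vh.server_name)
    return bad


# Constructed httpd.conf order: the host holding the certificate comes first.
SAMPLE = (
    VirtualHost("secure.example.com", "192.0.2.10", 443, ("secure.example.com",)),
    VirtualHost("shop.example.net", "192.0.2.10", 443),   # shares the IP, no certificate of its own
)
```

Reversing SAMPLE puts the certificate-less host first, and the model then reports both sites as mismatched, which is the case the reply warns against.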
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]