Jan,

What is the host name (common name) in the certificates ???
I suspect you have used *.mydomain.dom - correct ???

If so, then it is quite simple
1/. browser looks up DNS and gets IP,
2/. browser connects to IP port 443,
3/. apache provides FIRST certificate (which has CN=*.mydomain.dom - which
matches BOTH host1 & host2)
4/. browser and apache secure the connection
5/. browser sends HTTP request over the secured channel
6/. apache uses the HTTP request to send to appropriate v-host..
7/. all APPEARS to work fine..

but NOTE!!! - if the certificate of the FIRST v-host does not match the DNS
name that the browser is requesting, the browser will generate an
error/popup indicating the names do not match...  Of course, if you
simply hit OK, the browser and apache will still secure the connection -
using the FIRST certificate found..

What you have 'can' work ok PROVIDED ALL the v-hosts have the same domain
name (only changing the host part) and you use a wildcard certificate..
If you have DIFFERENT domain names, then this will ALWAYS produce an
error/popup as described..

Rgds
Jeff

----- Original Message -----
From: "Jan Vejvalka" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 17, 2001 6:33 PM
Subject: Re: mod_ssl and name-based virtual hosts


> Thanks for the reply.
>
> > If you're using the same SSL configuration and the same certificate for
> > both hosts (generally not an option in the real world because of the
> > security alert boxes it brings up in the browser), then you won't _notice_
> > a problem with namevirtualhost.  That's because you're masking the fact
> > that both of the vhosts are using the config of the FIRST one.  The fact
> > that they're the same means it doesn't matter if they each use their own
> > or if they both pick the same one.
>
> They're not the same: they have their respective web trees.
> And the server correctly decides which tree to serve. Which
> means (in my view) that the server somehow decodes the HOST
> header field before it decides which v-host to call.
> Does it mean that the server is clever enough to know that all
> hosts have the same SSL configuration and to behave accordingly ?
> This, however, does not work if I use <VirtualHost 1.2.3.4:443>
> (the same IP address for all hosts) instead of <VirtualHost *:443>.
>
> Still a bit confused.
>
> Jan
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
>

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
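
The check described in the reply above, written out as an added example (not part of the original e-mail or of mod_ssl): given the names in the FIRST v-host's certificate, it reports which name-based v-hosts a browser would accept without a mismatch popup. The function names are hypothetical, and www.otherdomain.dom is a constructed sample host.

```python
# Added example: audits name-based SSL v-hosts against the certificate of
# the FIRST v-host, which is the one presented for every host on the IP:port.

def name_matches(cert_name: str, hostname: str) -> bool:
    """Compare one certificate name with the hostname the browser requested.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label: *.mydomain.dom covers host1.mydomain.dom, but not
    mydomain.dom and not a.host1.mydomain.dom.
    """
    c_labels = cert_name.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(c_labels) != len(h_labels) or "" in h_labels:
        return False
    if c_labels[0] == "*":
        # Refuse overly broad patterns such as "*.dom".
        return len(c_labels) >= 3 and c_labels[1:] == h_labels[1:]
    return c_labels == h_labels


def audit_vhosts(first_cert_names, vhost_names):
    """Map each v-host name to True if the first certificate covers it,
    False if the browser would raise a name-mismatch error for it."""
    return {
        host: any(name_matches(name, host) for name in first_cert_names)
        for host in vhost_names
    }


if __name__ == "__main__":
    # Constructed sample: wildcard certificate on the first v-host.
    first_cert = ["*.mydomain.dom"]
    vhosts = [
        "host1.mydomain.dom",
        "host2.mydomain.dom",
        "www.otherdomain.dom",  # different domain: always a mismatch
    ]
    for host, ok in audit_vhosts(first_cert, vhosts).items():
        print(f"{host:24} {'ok' if ok else 'NAME MISMATCH'}")
```
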
