Geoff Thorpe <[EMAIL PROTECTED]> writes:
> Actually, this is a problem with how *HTTPS* works - SSL (and TLS) are just
> channel-level encryption and/or authentication protocols, what you tunnel
> through them (and what semantic juggling you do with the peer-certificates, such
> as URL <--> CN comparisons) is up to you. HTTPS is just one common application
> of SSL/TLS, and in fact was specified retrospectively to try and qualify exactly
> what existing (unspecified) browser implementations were doing.
> 
> There have been alternatives suggested by various people (including the person
> who backfitted the first HTTPS spec to what he saw running), but the chance of
> the browser-war participants getting involved is slim.
The fix that's currently winding its way through the system
(slowly) is to include the dns_name of the server in the
SSL ClientHello. Microsoft, at least, has tentatively supported
it but I wouldn't hold your breath.

In any case, it will be years before enough browsers support
this extension to make it safe to convert your server to name
based virtual hosting.

-Ekr


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
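As an added example, not part of this thread or of mod_ssl, the Python below shows the mechanism Ekr is describing on the wire: the client puts the server's DNS name into the ClientHello (the server_name extension, RFC 6066), and a name-based virtual host reads it before choosing which certificate to answer with. build_client_hello() uses Python's own ssl module through memory BIOs to emit a real ClientHello for a hostname without opening a socket; extract_sni() parses the raw record; legacy_client_hello() is a constructed minimal pre-extension hello standing in for the older browsers the reply says cannot be relied on; select_vhost() shows the fallback a server needs for them. The hostnames and vhost labels are made-up assumptions for the demo.

```python
import ssl
import struct
from typing import Dict, Optional

SNI_EXTENSION_TYPE = 0  # server_name extension, RFC 6066
HOST_NAME_TYPE = 0      # NameType.host_name


def build_client_hello(server_name: str) -> bytes:
    """Run the client side of a handshake through memory BIOs just far enough
    to capture the ClientHello that carries `server_name`; no network used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for a ServerHello
    return outgoing.read()


def _u8(buf: bytes, pos: int) -> int:
    if pos + 1 > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos]


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def extract_sni(record: bytes) -> Optional[str]:
    """Parse one TLS record holding a ClientHello and return the host_name
    from its server_name extension, or None when the client sent none."""
    # Record layer: content_type(1) version(2) length(2); 0x16 = handshake
    if _u8(record, 0) != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    # Handshake header: msg_type(1) length(3); msg_type 1 = ClientHello
    if _u8(body, 0) != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                      # client_version, random
    pos += 1 + _u8(hello, pos)        # session_id
    pos += 2 + _u16(hello, pos)       # cipher_suites
    pos += 1 + _u8(hello, pos)        # compression_methods
    if pos == len(hello):
        return None                   # pre-extension hello: no block at all
    ext_end = pos + 2 + _u16(hello, pos)
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2)
        ext = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        # ServerNameList: length(2), then entries of name_type(1) length(2) name
        p, list_end = 2, 2 + _u16(ext, 0)
        while p + 3 <= list_end:
            name_type, name_len = _u8(ext, p), _u16(ext, p + 1)
            p += 3
            if name_type == HOST_NAME_TYPE:
                return ext[p:p + name_len].decode("ascii")
            p += name_len
    return None


def legacy_client_hello() -> bytes:
    """Constructed sample (not captured traffic): a minimal TLS 1.0 ClientHello
    with no extensions, the shape an SNI-unaware browser sends."""
    hello = (b"\x03\x01" + bytes(32)    # client_version, random (zeros for demo)
             + b"\x00"                   # session_id length 0
             + b"\x00\x02\x00\x2f"       # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
             + b"\x01\x00")              # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def select_vhost(client_hello: bytes, vhosts: Dict[str, str], default: str) -> str:
    """Name-based dispatch done before the server answers: pick the vhost
    (here just a label for its certificate) named by SNI, or the default
    vhost when the client sent no server_name."""
    name = extract_sni(client_hello)
    if name is None:
        return default
    return vhosts.get(name.lower(), default)


if __name__ == "__main__":
    vhosts = {"secure.example.org": "secure-cert", "www.example.org": "www-cert"}
    print(extract_sni(build_client_hello("secure.example.org")))
    print(select_vhost(legacy_client_hello(), vhosts, "default-cert"))
```

The default-vhost branch is the point of the "years before enough browsers support this" remark: until every client you care about sends the extension, whatever certificate the default vhost serves is what SNI-less clients will see, and their URL-to-certificate-name check will fail for every other name on that address. Note the extension only tells the server which name was asked for; the client-side comparison of the URL host against the certificate that Geoff describes still has to happen separately.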
