Thanks Graham, Joost and Sander, I hadn't expected Apache to need to
know which virtual host to use so early in the request process.
Cheers
Mike
From: Sander Temme <[EMAIL PROTECTED]>
Reply-To: dev@httpd.apache.org
To: dev@httpd.apache.org
Subject: Re: NameVirtualHosts & SSL
Date: Tue, 25 Oct 2005 11:34:40 -0700
Mike,
On Oct 25, 2005, at 10:43 AM, Kenevel wrote:
> My question is why the server couldn't do some sort of reverse-lookup on its
> register of SSL certificates that are in use. Surely the server knows which
> certificate it is using to service the request (or else it wouldn't be able
No, it doesn't. At the moment the SSL connection handshake occurs, the
server needs to present a certificate to the client. The client has
certain expectations of the Common Name (CN) field of the Distinguished
Name (DN) string embedded in the certificate, so it is important that the
server sends the correct certificate.
At this point in the handshake, the server simply doesn't know enough of
what the client wants, unless the client connects to a distinct IP address
and the server has a virtual host configured on that IP address.
Otherwise, the decision on which virtual host to send the request to is
made way too late.
> to decrypt its contents) and hence work out which virtual host uses that
> certificate? This approach means of course that each name-based virtual host
> would have to use a different certificate - but as those sites are more than
> likely on different domains the certificates would necessarily be different.
There is an extension to the TLS ClientHello that allows the client to
indicate which servername it is trying to connect to: see
http://www.ietf.org/rfc/rfc3546.txt paragraph 3.1. However, I don't think mod_ssl
currently supports this. mod_gnutls may be closer, you may want to check
that out. Of course, until enough of your client base supports this
extension it is perfectly useless to you.
S.
--
[EMAIL PROTECTED] http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF