The Pound proxy web page says that "one can not do named virtual hosts
on HTTPS, because the protocol does not support it".  This used to
be true, but the necessary specification was ratified as a standards-track
RFC in August 2006.  Apparently it is not well known...

RFC 4366 defines an extension mechanism for TLS, and a few extensions.
One of those is "Server Name Indication", whereby the TLS client tells
the TLS server which virtual server subsystem it is interested in.

With that extension, the server can pick a certificate from among
multiple possible certificates.

Apache HTTPD 2.2.12 (soon to be released) and the 2.3 / 2.4 series
have this TLS extension enabled in their HTTPS (TLS) code.

All you need is OpenSSL 0.9.8j.


The specification for this was written 3 years ago; it is high time it
got implemented and deployed.  Is anybody familiar with the code
interested in implementing this in Pound?



Related to this is the TLS session cache.  Running Pound proxy behind
a load-balancer will permit sessions to spread over multiple server
nodes in the Pound setup.  This can have the penalty of requiring a
costly Diffie-Hellman setup of symmetric session keys every time
a new connection is formed.

One approach is to use Distcache, and Apache HTTPD supports it, but
distcache is not N-way redundant.  Indeed, it is an obvious single
point of failure.

A separate project would be to make distcache into a fully redundant
in-memory cache server usable within this kind of server cluster.

If the session cache does not respond within about 0.1 seconds, the
wait time approaches that of a new DH handshake, and the lookup should
be abandoned in favour of doing the actual handshake and then pushing
the new data to the session cache.

Best Regards,

  Matti Aarnio, Helsinki
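As an added illustration of the SNI mechanism the post describes (this is example code, not part of the post and not Pound's or Apache's code): the script below hand-builds a minimal ClientHello carrying the server_name extension of RFC 4366, parses that extension back out the way a virtual-hosting TLS server would, and then cross-checks the parser against the real ClientHello that the local OpenSSL emits through Python's ssl module, with no network I/O.  The hostnames and the certificate map are constructed sample values; select_certificate() stands in for the server-side "pick a certificate" step and is a hypothetical helper, not any real API.

```python
"""Extract the TLS Server Name Indication (SNI) from a ClientHello.

Added example; not code from the Pound project or from the post above.
Hostnames and the certificate map used here are constructed sample data.
"""
import ssl
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000       # extension type "server_name", RFC 4366 sec. 3.1
NAME_TYPE_HOST_NAME = 0x00     # the only NameType defined by RFC 4366


def build_client_hello(hostname):
    """Hand-build a minimal TLS 1.2 ClientHello record (constructed test input).

    hostname=None yields a ClientHello with no extensions block at all, as a
    legacy client that predates RFC 4366 would send it."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + bytes(32)             # random (all zeros is fine for a parser test)
        + b"\x00"               # empty session_id
        + b"\x00\x02\xc0\x2f"   # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"           # compression_methods: null only
    )
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension of a ClientHello record,
    or None if the client sent no SNI.  Raises on malformed input."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]                     # first handshake message only
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip client_version, random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos == len(body):
        return None                                # pre-extension client
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello body")
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        names = data[2:2 + list_len]
        i = 0
        while i + 3 <= len(names):
            name_type, name_len = struct.unpack("!BH", names[i:i + 3])
            name = names[i + 3:i + 3 + name_len]
            i += 3 + name_len
            if name_type == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
    return None


def openssl_client_hello(hostname):
    """Capture the real ClientHello that the local OpenSSL emits for `hostname`,
    using memory BIOs so no socket is opened."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                                       # expected: no ServerHello yet
    return outgoing.read()


def select_certificate(sni, certs_by_name, default_cert):
    """Server side of SNI (hypothetical helper): pick the certificate for the
    requested name; fall back to the default, i.e. pre-SNI behaviour, when the
    client sent no name or an unknown one."""
    if sni is None:
        return default_cert
    return certs_by_name.get(sni.lower(), default_cert)


if __name__ == "__main__":
    certs = {"www.example.com": "cert-A", "shop.example.com": "cert-B"}  # constructed
    for hello in (build_client_hello("shop.example.com"),
                  build_client_hello(None),
                  openssl_client_hello("pound.example.org")):
        sni = extract_sni(hello)
        print(sni, "->", select_certificate(sni, certs, "cert-default"))
```

The fallback in select_certificate() is the part worth keeping in mind operationally: a client without SNI still completes the handshake, but against the default certificate, so the default should be the site whose hostname mismatch is least harmful, and the server log should record which path was taken.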

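The bounded session-cache lookup the post argues for, as an added example that is not part of the post and not Pound's code: the lookup is given a deadline of about 0.1 seconds, and when the cache is slow or empty the connection falls through to the full handshake and the fresh session is written back asynchronously.  The cache and handshake functions here are constructed stand-ins (a dict and a sleep), and the 0.1 s bound is the figure from the post.

```python
"""Bounded session-cache lookup with fall-through to a full handshake.

Added example; not Pound code.  cache_lookup / full_handshake / cache_store
are constructed stand-ins for the real distributed cache and TLS stack.
"""
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError

CACHE_TIMEOUT = 0.1   # seconds; beyond this, waiting costs about as much as a new handshake


def resume_or_handshake(session_id, cache_lookup, full_handshake, cache_store,
                        pool, timeout=CACHE_TIMEOUT):
    """Return (session_keys, source), source being "resumed" or "handshake".

    The cache lookup runs in the pool so the deadline can be enforced; on a
    timeout or a miss the full handshake is performed and the new session is
    pushed to the cache without blocking the connection."""
    fut = pool.submit(cache_lookup, session_id)
    try:
        keys = fut.result(timeout=timeout)
    except TimeoutError:
        fut.cancel()           # a running lookup cannot be interrupted; its result is simply ignored
        keys = None
    if keys is not None:
        return keys, "resumed"
    keys = full_handshake()
    pool.submit(cache_store, session_id, keys)   # asynchronous write-back
    return keys, "handshake"


class FakeCache:
    """Constructed cache: optional fixed latency, plus an in-memory table."""

    def __init__(self, latency=0.0):
        self.latency = latency
        self.table = {}
        self.lookups = 0

    def lookup(self, session_id):
        self.lookups += 1
        time.sleep(self.latency)
        return self.table.get(session_id)

    def store(self, session_id, keys):
        self.table[session_id] = keys


def fake_handshake():
    """Stand-in for the DH exchange: returns constructed session keys."""
    return {"master_secret": b"\x42" * 48}


def demo(cache_latency):
    """Run one miss (which populates the cache) then one more lookup.

    Returns the two source labels, e.g. ("handshake", "resumed") for a fast
    cache or ("handshake", "handshake") when the cache never answers in time."""
    cache = FakeCache(latency=cache_latency)
    with ThreadPoolExecutor(max_workers=4) as pool:
        _, first = resume_or_handshake(b"sess-1", cache.lookup, fake_handshake,
                                       cache.store, pool)
        second_keys, second = resume_or_handshake(b"sess-1", cache.lookup,
                                                  fake_handshake, cache.store, pool)
    assert second_keys == fake_handshake()
    return first, second


if __name__ == "__main__":
    print("fast cache:", demo(0.0))
    print("slow cache:", demo(0.3))
```

With a responsive cache the second connection resumes; with a cache that takes longer than the bound, every connection pays for a handshake but none of them stalls on the cache, which is the behaviour the post asks for when a cache node is degraded.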
--
To unsubscribe send an email with subject unsubscribe to po...@apsis.ch.
Please contact ro...@apsis.ch for questions.
