Folks, ALL flavors of mod_ssl can do name based hosting, but it's entirely
irrelevant unless you use a wildcard certificate who's pattern matches all
of the domains hosted. Because the server and client handshake a specific
set of certificates LONG BEFORE the client ever sends the 'Host: hostname'
header. Multiple certificates for a single listener are not possible.
Apache 2.1 can do Upgrade: Connection, and handshake SSL after headers are
sent (therefore choosing the right certificate) but NONE of today's user
agents (clients) support this for gui-based browsers such as IE or Firefox.
The only user agents which do support it tend to be ssl libraries or various
http-based network attached devices, such as printers.
Note that http://foo.example.com/ is the syntax for non-SSL and connection
upgrade (also known as STARTTLS in ldap, or explicit ssl in ftp) connections,
while https://foo.example.com/ syntax is always ssl and will never support
virtual hosts.
The biggest problem is that you can't identify connection upgrade in the
scheme name - so there's no good user interface to help the user request SSL
upgrade where available and when desireable, and there's not a really good
way to reinforce to the user that their 'http://foo.example.com' site is
truly secure (except the little locky icon in the status bar). So GUI
browser developers have so far ignored this quandry.
Bill
Joost de Heer wrote:
NB - Remember that you can't do name-based VHs with SSL.
I think Apache 2.1 can.
You think wrong.
I do think it can do it too. Although the certificate of the first vhost
is always used, after the traffic is decrypted the vhosts act like normal
name based vhosts. If all your vhost-domains are in the same subdomain,
and you have a wildcard certificate for this subdomain, SSL name based
vhosting works.
Joost
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
