On Mon, Jan 24, 2011 at 9:13 AM, Martin Kuba <ma...@ics.muni.cz> wrote:
> Hi Wolfgang,
>
> there is a chicken-and-egg problem with name-based virtual hosts
> and SSL. The SSL connection is established *before* HTTP communication,
> so the SSL server does not know what Host: HTTP header will be sent
> at the moment it decides which SSL server certificate to send.
>
> So for SSL HTTP servers, each server needs its own IP address;
> name-based virtual hosts are not possible.
>
> There is a solution for this problem; it is a change in the SSL protocol
> which allows sending the host name in the SSL handshake. However, it is not
> supported by all web browsers.
>
> For details see
> http://en.wikipedia.org/wiki/Server_Name_Indication#The_fix
>
> In a nutshell, if you want to support MSIE on Windows XP, you cannot use it.
>
> I solve this by using one IP address for all SSL servers with the same DNS
> domain owner, and an SSL server certificate that has all the server names as
> subjectAltNames.
> That works for all browsers, but it is some hassle to create a new
> certificate for all names each time a new SSL server is added.
>
> Cheers
>
> Martin
>

I do a similar thing, except I now always get wildcard certificates,
e.g. for *.foobar.com. Then I can host all foobar.com subdomains from
one IP on SSL, with no SNI support required in either the browser or the server.
Wildcard certs can be a little bit more expensive...

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
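As an added example (not code from the thread, from Martin or Tom, or from the Apache project): a small Python check of which host names on a shared IP a given certificate's subjectAltName list would actually cover, so that a SAN list like Martin's or a wildcard like Tom's can be checked before the certificate is ordered. Matching follows the RFC 6125 dNSName rules, which are the same rules browsers apply: a wildcard is honoured only as the entire left-most label and matches exactly one label, so `*.foobar.com` covers `www.foobar.com` but neither the bare `foobar.com` nor `dev.lab.foobar.com`. The certificate names and the list of served hosts below are constructed sample data, not anything from the thread.

```python
"""Check whether a certificate's subjectAltName dNSName entries cover every
host name served from one IP address (no SNI), using RFC 6125 matching.

Added illustration: the certificate name lists and the served-host list are
constructed sample data, not taken from the mailing-list thread.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; a trailing dot marks an absolute
    # name and is not part of the comparison.
    return name.rstrip(".").lower().split(".")


def dns_name_matches(san: str, host: str) -> bool:
    """Return True if the subjectAltName dNSName `san` is valid for `host`.

    Stricter than the RFC 6125 minimum in two places, matching what current
    browsers enforce: a wildcard must be the whole left-most label (no
    "f*.example.com"), and "*.com" style names are refused.
    """
    san_labels, host_labels = _labels(san), _labels(host)
    if len(san_labels) != len(host_labels) or len(san_labels) < 2:
        return False  # a wildcard covers exactly one label, never zero or two
    head, rest = san_labels[0], san_labels[1:]
    if head == "*":
        # Wildcard only in the left-most label, and at least two real labels
        # must follow it; the remaining labels must match exactly.
        if len(rest) < 2 or "*" in "".join(rest):
            return False
        return rest == host_labels[1:]
    if "*" in san:
        return False  # partial ("f*") or non-left-most wildcards are refused
    return san_labels == host_labels


def uncovered_hosts(san_names: list[str], hosts: list[str]) -> list[str]:
    """Hosts on the shared IP for which the certificate would NOT be valid."""
    return [h for h in hosts
            if not any(dns_name_matches(s, h) for s in san_names)]


# Constructed sample data (hypothetical names, not from the thread).
SERVED_HOSTS = ["www.foobar.com", "mail.foobar.com", "wiki.foobar.com",
                "foobar.com", "dev.lab.foobar.com"]
# A SAN certificate listing each server by name, as in Martin's approach.
SAN_CERT = ["www.foobar.com", "mail.foobar.com", "wiki.foobar.com"]
# A wildcard certificate, as in Tom's approach.
WILDCARD_CERT = ["*.foobar.com"]
# Wildcard plus the bare domain as an extra SAN, which is how CAs usually
# issue wildcard certificates that must also serve the apex name.
WILDCARD_PLUS_APEX = ["*.foobar.com", "foobar.com"]


if __name__ == "__main__":
    for label, cert in [("SAN list", SAN_CERT),
                        ("wildcard", WILDCARD_CERT),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        missing = uncovered_hosts(cert, SERVED_HOSTS)
        print(f"{label:15}: not covered -> {missing or 'none'}")
```

Running the block shows that the explicit SAN list misses the two names that were never added, while the wildcard misses both the apex `foobar.com` and the two-level `dev.lab.foobar.com`; only the apex can be fixed by adding one more SAN, a deeper sub-zone needs its own wildcard or explicit name. When a new SSL host is added to the shared IP, run `uncovered_hosts` against the current certificate first; if it returns anything, the certificate has to be reissued before the vhost goes live, which is exactly the hassle Martin describes.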
