----- Original Message -----
From: "André Warnier" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Monday, September 22, 2008 10:57 AM
Subject: HTTPS and Virtual Hosts
Hi.
I'm not an expert at anything below, that's why I am asking.
I am also not looking for a very precise answer, just a rough summary.
The question :
As I remember from reading about this a while ago, there is/was a
fundamental incompatibility between the HTTP Virtual Host mechanism, and
HTTPS/SSL, in the sense that there is some egg-and-chicken problem
involved, which roughly goes like this :
- the client connects to the host and requests an encrypted connection to
a certain hostname
- the host and client negociate the encryption (based or not on the name
of the host)
- on subsequent requests, the client sends the request encrypted,
including the "Host:" header that (acording to the HTTP protocol) should
indicate the name of the Virtual Host it wants to talk to
- the server should decode the request (including this "Host:" HTTP
header) in order to determine which Host the request is addressed to, but
it can't because it does not know which host it is yet, and thus cannot
decode the request
- we are thus stuck
Is the above, very roughly and approximatively still a valid explanation
of what happens, or is it totally wrong, or has something changed
in-between that I am unaware of ?
Thanks
--------------------------------------
Mmmmmmm yes... kinda
Andre check out the hand shake in SSL...
Keeping it very conceptual... the secure system between a browser and server
is owned by Verisign, or GoDaddy, or whatever CA.
And it is checking a few things...
Like the domain name used and the expiry date...
So when you buy a cert and give them www.andre.com
Thats it...
This is because the cert is pulled (checked) during the handshake... and
"host headers" only come later...
.... thats the official version of the story, but I actually cant see any
reason why the hand shake couldnt be extended to look at the incoming URL...
other than people would start doing server tricks and making extra free
certs ;)
I conclude... its more about biz, that it is about technology....
certificates are sold per domain... this is the real issue ;)
Its actually interesting, because when we were making the Pojo server, this
issue came up... especially because we want to give the company using the
system the ability to be a CA... so we dropped the domain check, and then
the only condition on the server is that the administrator knows the private
key...
... clearly a really crap biz model because one can use the certs on a
million servers... but an interesting thing happens...
... virtual host are NOT and issue
... Its secure on any port
Ha ha... its about the biz model.... I believe ;)
Hell they got to make money and it is beeeeeeeeeeeeeeeeeeg bucks... a local
chap made a cool 3 billion dollars out of his CA ;)
.... Yup... I think its about biz ;)
---------------------------------------------------------------------------
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---------------------------------------------------------------------------
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
