[plug] Debugging apache-ssl virtualhost certificates

James Devenish devenish at guild.uwa.edu.au
Fri Dec 31 19:28:43 WST 2004


In message <200412311915.35503.bob at fots.org.au>
on Fri, Dec 31, 2004 at 07:15:35PM +0800, bob wrote:
> > Do you realise that you cannot use name-based virtual hosts with SSL?
> It seems to me that doing something like this would be near the top of
> the feature request list...Probably something fundamentally difficult in
> doing so that I'm unaware of :(.

Yeah. The problem is along the lines that the connection is encrypted,
so the server can't find out the desired virtual host name until it
has performed decryption. But decryption can't take place until the
certificates are sorted. So...trying to have your certificates based
on virtual host names causes a circular dependency.

> I will look into these TLS upgrades. 

What I was thinking is that most modern clients can use TLS instead of
SSL (TLS is an RFC-based protocol that 'supersedes' SSL and has done so
for a number of years). I thought there might be a way with TLS to start
out with an HTTP connection and then upgrade it to HTTPS with the host
name specified. But, "I haven't thought this one through..."

By the way, Bob, maybe there's a workaround for you (even if it is
unsightly): can you use different port numbers for each HTTPS virtual
host? E.g. site2 might be on port 444 instead of 443 (443 being the
default for HTTPS). Obviously all URLs for the site on port 444 would
need to be of the form https://hostname:444/welcome instead of
https://hostname/welcome
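The port-per-site workaround suggested above, as an added configuration example (not from the list post or from the apache-ssl package). It is written in mod_ssl syntax; the apache-ssl package spells the enabling directive SSLEnable rather than SSLEngine on. Host names, document roots and certificate paths are placeholders.

```apache
# Added example, not from the original post.  Shows why two name-based
# HTTPS virtual hosts on one port fail, and the one-port-per-site
# workaround.  Names and paths below are placeholders.

Listen 443
Listen 444

# BROKEN (kept commented out): two name-based SSL vhosts on port 443.
# The server must choose a certificate before it can decrypt the
# request and read the Host: header, so every connection to 443 is
# answered with site1's certificate and visitors to site2 get a
# host-name mismatch warning.
#
# <VirtualHost *:443>
#     ServerName site1.example.org
#     SSLEngine on
#     SSLCertificateFile    /etc/apache/ssl/site1.crt
#     SSLCertificateKeyFile /etc/apache/ssl/site1.key
# </VirtualHost>
# <VirtualHost *:443>
#     ServerName site2.example.org        # never selected
#     SSLEngine on
#     SSLCertificateFile    /etc/apache/ssl/site2.crt
#     SSLCertificateKeyFile /etc/apache/ssl/site2.key
# </VirtualHost>

# WORKAROUND: a distinct port per HTTPS site.  The destination port is
# known before any decryption, so it alone selects the vhost and hence
# the certificate whose CN matches that site's host name.
<VirtualHost *:443>
    ServerName site1.example.org
    DocumentRoot /var/www/site1
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/site1.crt
    SSLCertificateKeyFile /etc/apache/ssl/site1.key
</VirtualHost>

<VirtualHost *:444>
    # Site 2 is reached as https://site2.example.org:444/...
    ServerName site2.example.org:444
    DocumentRoot /var/www/site2
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/site2.crt
    SSLCertificateKeyFile /etc/apache/ssl/site2.key
</VirtualHost>
```

Each certificate's CN still has to match its own host name; the port number plays no part in certificate validation, only in choosing the vhost.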
