Posted to users@httpd.apache.org by Carsten Aulbert <ca...@aei.mpg.de> on 2009/01/18 16:59:59 UTC

[users@httpd] Possible to use pseudo-name based SSL-connections with many SSL hosts in the background?

Hi all,

Usually it's not possible to use name-based virtual hosts for SSL
connections because of the well-known chicken-and-egg problem (at least if I
understood the FAQ correctly). My question would be if there is some way
of "emulating" this if one has a server which uses virtualization to run
different hosts (or a server running SSL-aware hosts on different ports).

Imagine this server having two external non-RFC1918 IPs and a large
number of internal RFC1918 IPs, however no access to change the DNS for
differently named-hosts for the outside world.

Is there a tricky way to use rewriting, ProxyPass or whatever to get
into a situation where one can use "true" SSL sessions with different
host certificates, e.g.

https://www.server/
https://webmail.server/
https://wiki.server/

[...]

Any pointers are welcome, as this must have been discussed before but I
failed to find anything really hitting the nail on the head (except
maybe this one, which I still have to try out:

http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

)

Cheers

Carsten

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Possible to use pseudo-name based SSL-connections with many SSL hosts in the background?

Posted by Peter Schober <pe...@univie.ac.at>.
* Carsten Aulbert <ca...@aei.mpg.de> [2009-01-18 18:35]:
> Krist van Besien schrieb:
> > The problem is that you are trying to work around a problem in the
> > protocol. It is not a limitation of apache that you can't use
> > namebased virtualhosts with ssl, it's a limitation in the protocol,
> > and you will encounter this limitation regardless of what you choose
> > to use to receive the SSL connection.
> 
> Yes, that's right, so it seems the RFC extension openssl0.9.9(?) and
> gnutls implement are the suggested "workarounds" to use?

  openssl 0.9.8j configured with enable-tlsext
+ patched mod_ssl https://issues.apache.org/bugzilla/show_bug.cgi?id=34607
= no mod_gnutls necessary

cheers,
-peter

-- 
peter.schober@univie.ac.at - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140



Re: [users@httpd] Possible to use pseudo-name based SSL-connections with many SSL hosts in the background?

Posted by Carsten Aulbert <ca...@aei.mpg.de>.
Hi Krist,

Krist van Besien schrieb:
> The problem is that you are trying to work around a problem in the
> protocol. It is not a limitation of apache that you can't use
> namebased virtualhosts with ssl, it's a limitation in the protocol,
> and you will encounter this limitation regardless of what you choose
> to use to receive the SSL connection.

Yes, that's right, so it seems the RFC extension openssl0.9.9(?) and
gnutls implement are the suggested "workarounds" to use?

Cheers

Carsten



Re: [users@httpd] Possible to use pseudo-name based SSL-connections with many SSL hosts in the background?

Posted by Krist van Besien <kr...@gmail.com>.
On Sun, Jan 18, 2009 at 4:59 PM, Carsten Aulbert
<ca...@aei.mpg.de> wrote:
> Hi all,
>
> Usually it's not possible to use name-based virtual hosts for SSL
> connections since the well known chicken-egg problem (at least if I
> understood the FAQ correctly). My question would be if there is some way
> of "emulating" this if one has a server which uses virtualization to run
> different hosts (or a server running SSL-aware hosts on different ports).

The problem is that you are trying to work around a problem in the
protocol. It is not a limitation of apache that you can't use
namebased virtualhosts with ssl, it's a limitation in the protocol,
and you will encounter this limitation regardless of what you choose
to use to receive the SSL connection.

Whatever it is you use to accept SSL connections with has to decide
which certificate to use when a connection request arrives. And at
the moment the request arrives, all that is known is the IP and port the
other party wants to connect to. SSL certificates are name-based.
So unless you have a 1:1 relation between hostnames and IP addresses,
you cannot give whatever it is that you terminate SSL at a way to
find out what the right SSL certificate is.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
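
To make the point above concrete, here is an added example (not from the thread or from Apache) showing what the TLS layer hands the terminator before a certificate is chosen: a pre-SNI ClientHello carries no hostname at all, so only the IP/port context is available, while the RFC 6066 server_name extension (the "TLS extension" support referred to in this thread) puts the hostname into the handshake itself. The hostnames and certificate labels are constructed.

```python
import struct

def build_client_hello(hostname=None):
    """Minimal TLS 1.2 ClientHello record (RFC 5246); SNI ext (RFC 6066) only if hostname given."""
    body = b"\x03\x03" + bytes(32)            # client_version + 32 bytes of (zero) random
    body += b"\x00"                            # empty session_id
    body += b"\x00\x02\x00\x2f"                # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                        # one compression method: null
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni              # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body       # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record type 22 = handshake

def extract_sni(record):
    """Server side: pull host_name out of the ClientHello, or None if the client sent no SNI."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                           # record + handshake headers, version, random
    pos += 1 + record[pos]                     # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                     # compression_methods
    if pos >= len(record):
        return None                            # no extensions block: pre-SNI client
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                         # server_name extension
            p = pos + 2                        # skip ServerNameList length
            while p + 3 <= pos + elen:
                ntype, nlen = record[p], struct.unpack("!H", record[p + 1:p + 3])[0]
                if ntype == 0:
                    return record[p + 3:p + 3 + nlen].decode("idna")
                p += 3 + nlen
        pos += elen
    return None

# Constructed vhost -> certificate map; the first/default vhost's cert is used when no SNI matches.
CERTS = {"www.example.test": "www-cert", "webmail.example.test": "webmail-cert"}

def pick_certificate(record, default="www-cert"):
    """What a name-aware terminator can do that an IP/port-only one cannot."""
    return CERTS.get(extract_sni(record), default)
```

A client that omits the extension always lands on the default vhost's certificate, which is exactly the 1:1 hostname-to-IP constraint described above; with SNI the server can pick per name on a single address.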
