Posted to cvs@httpd.apache.org by po...@apache.org on 2009/10/27 20:17:40 UTC
svn commit: r830297 - /httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml
Author: poirier
Date: Tue Oct 27 19:17:40 2009
New Revision: 830297
URL: http://svn.apache.org/viewvc?rev=830297&view=rev
Log:
Update the SSL FAQ with regard to Server Name Indication.
Modified:
httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml
Modified: httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml?rev=830297&r1=830296&r2=830297&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml Tue Oct 27 19:17:40 2009
@@ -663,7 +663,7 @@
error when connecting to my newly installed server?</a></li>
<li><a href="#vhosts">Why can't I use SSL with name-based/non-IP-based
virtual hosts?</a></li>
-<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual
+<li><a href="#vhosts2">Is it possible to use Name-Based Virtual
Hosting to identify different SSL virtual hosts?</a></li>
<li><a href="#comp">How do I get SSL compression working?</a></li>
<li><a href="#lockicon">When I use Basic Authentication over HTTPS
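Review bot: the index entry just above this one, "#vhosts: Why can't I use SSL with name-based/non-IP-based virtual hosts?", is left unchanged and now sits directly next to an entry that says it is possible; consider revising that neighbouring question (or its answer) in the same commit so the FAQ does not contradict itself two lines apart. The rewording of the "#vhosts2" entry itself is fine and the anchor id is preserved.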
@@ -774,16 +774,24 @@
SSL, it seems natural to assume that the same method can be used to have
lots of different SSL virtual hosts on the same server.</p>
- <p>It comes as rather a shock to learn that it is impossible.</p>
+ <p>It is possible, but only if using a 2.2.12 or later web server,
+ built with 0.9.8j or later OpenSSL. This is because it requires a
+ feature that only the most recent revisions of the SSL
+ specification added, called Server Name Indication (SNI).</p>
<p>The reason is that the SSL protocol is a separate layer which
encapsulates the HTTP protocol. So the SSL session is a separate
transaction, that takes place before the HTTP session has begun.
The server receives an SSL request on IP address X and port Y
- (usually 443). Since the SSL request does not contain any Host:
- field, the server has no way to decide which SSL virtual host to use.
- Usually, it will just use the first one it finds, which matches the
- port and IP address specified.</p>
+ (usually 443). Since the SSL request did not contain any Host:
+ field, the server had no way to decide which SSL virtual host to use.
+ Usually, it just used the first one it found which matched the
+ port and IP address specified.</p>
+
+ <p>If you are using a version of the web server and OpenSSL that
+ support SNI, though, and the client's browser also supports SNI,
+ then the hostname is included in the original SSL request, and the
+ web server can select the correct SSL virtual host.</p>
<p>You can, of course, use Name-Based Virtual Hosting to identify many
non-SSL virtual hosts (all on port 80, for example) and then
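Review bot: the rewritten explanation paragraph mixes tenses and no longer reads coherently after the new "It is possible" paragraph: it still opens "The reason is that ..." and "The server receives an SSL request ...", then switches to "did not contain" / "had no way" / "just used". Suggest introducing it as the historical limitation, e.g. "The reason this was not possible before SNI is that ..." and keeping the whole paragraph in the past tense. Two further points: "built with 0.9.8j or later OpenSSL" reads more naturally as "built with OpenSSL 0.9.8j or later", and "a feature that only the most recent revisions of the SSL specification added" is inaccurate, since Server Name Indication is a TLS extension (RFC 3546/4366), not part of the SSL specification; "the TLS extensions specification" would be correct. Finally, the new SNI paragraph names the precondition "the client's browser also supports SNI" but not the consequence when it does not: such a client is still served by the first matching virtual host and receives that host's certificate, so users of non-SNI clients will see certificate name-mismatch warnings on the other hosts. A sentence stating that fallback would save readers from discovering it in production.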