Posted to dev@httpd.apache.org by Jerry Baker <je...@weirdness.com> on 2002/04/07 07:35:32 UTC

SSL with NameVirtualHosts?

I know that the docs say it's not possible, but is it theoretically
possible? It would be really nice to have this feature.

-- 
Jerry Baker

Re: SSL with NameVirtualHosts?

Posted by Daniel Lopez <da...@rawbyte.com>.
> > > > I know that the docs say it's not possible, but is it theoretically
> > > > possible?
> > >
> > > No.  Not with SSL, at least.
> >
> > It is possible with HTTP/1.1, just not implemented
> > http://www.ietf.org/rfc/rfc2817.txt
> 
> That's TLS, not SSL.  ;)

TLS is SSL. Well, kind of :) it is a compromise name Microsoft and
Netscape agreed upon when standardizing SSL. Technically it is SSLv3 with a
few modifications. But the SSL name has stuck and people use it although
the correct expression would be SSL/TLS

Daniel

Re: SSL with NameVirtualHosts?

Posted by Cliff Woolley <jw...@virginia.edu>.
On Sat, 6 Apr 2002, Daniel Lopez wrote:

> > > I know that the docs say it's not possible, but is it theoretically
> > > possible?
> >
> > No.  Not with SSL, at least.
>
> It is possible with HTTP/1.1, just not implemented
> http://www.ietf.org/rfc/rfc2817.txt

That's TLS, not SSL.  ;)


--------------------------------------------------------------
   Cliff Woolley
   cliffwoolley@yahoo.com
   Charlottesville, VA



Re: SSL with NameVirtualHosts?

Posted by Daniel Lopez <da...@rawbyte.com>.
It is possible with HTTP/1.1, just not implemented
http://www.ietf.org/rfc/rfc2817.txt

> > I know that the docs say it's not possible, but is it theoretically
> > possible?
> 
> No.  Not with SSL, at least.
> 
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> 
> --------------------------------------------------------------
>    Cliff Woolley
>    cliffwoolley@yahoo.com
>    Charlottesville, VA
> 
> 

Re: SSL with NameVirtualHosts?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 11:35 PM 4/6/2002, you wrote:
>I know that the docs say it's not possible, but is it theoretically
>possible? It would be really nice to have this feature.

Obverse... it's physically possible.  It isn't theoretically possible.

Client request: open SSL connection to server [no headers sent]

Server response: negotiate SSL Session with a key, based on
no information other than the client ip/port or server listener.

Client response: complete SSL negotiation.

Then the client sends the headers; Host: hostname... but we
already negotiated the key of the wrong vhost.

RFC2817 "Upgrading to TLS Within HTTP/1.1" proposes the client
sends a plain text request with headers, requesting the server
upgrade to a TLS connection for a specific host.  But no browser or
server that I'm aware of actually implements this new mechanism.
Yes - it would be terrific if Apache was the first implementation, but
we still need client support to have any impact.

So really, no, named virtual hosts today cannot be used with SSL.
The directives all work, but the key sent is based on the physical
port and/or the default vhost, not the Host: header.  Sorry.

Bill
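
Added example, not part of the original thread and not Apache or mod_ssl code: a small Python model of the ordering described in the message above, with the plain https sequence (certificate chosen from the listener alone) beside the RFC 2817 upgrade sequence (Host: and Upgrade: read in cleartext first). The hostnames, the address and the certificate labels are constructed for illustration.

```python
# Added illustration (not Apache/mod_ssl code). All names and data are constructed.
CERT_BY_LISTENER = {("192.0.2.10", 443): "cert-for-bob"}   # one cert per IP:port
CERT_BY_VHOST = {"bob": "cert-for-bob", "frank": "cert-for-frank"}


def parse_headers(raw):
    """Return (request_line, {lowercased-header: value}) from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers


def ssl_on_connect(listener, request_after_handshake):
    """Plain https: the handshake finishes before any HTTP bytes are readable."""
    cert = CERT_BY_LISTENER[listener]           # only ip/port is known here
    _, headers = parse_headers(request_after_handshake)
    host = headers.get("host", "")
    return {"cert_sent": cert, "host": host,
            "name_matches": cert == CERT_BY_VHOST.get(host)}


def rfc2817_upgrade(cleartext_request):
    """RFC 2817: Host and Upgrade arrive in cleartext, then TLS starts."""
    _, headers = parse_headers(cleartext_request)
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    wants_tls = headers.get("upgrade", "").startswith("TLS/") and "upgrade" in tokens
    host = headers.get("host", "")
    if not wants_tls or host not in CERT_BY_VHOST:
        return {"upgraded": False, "cert_sent": None}
    # A real server would answer "101 Switching Protocols" and then handshake.
    return {"upgraded": True, "host": host, "cert_sent": CERT_BY_VHOST[host]}


if __name__ == "__main__":
    listener = ("192.0.2.10", 443)
    print(ssl_on_connect(listener, "GET / HTTP/1.1\r\nHost: frank\r\n\r\n"))
    print(rfc2817_upgrade("GET / HTTP/1.1\r\nHost: frank\r\n"
                          "Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n"))
```
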




Re: SSL with NameVirtualHosts?

Posted by Jerry Baker <je...@weirdness.com>.
Cliff Woolley wrote:
> 
> On Sat, 6 Apr 2002, Jerry Baker wrote:
> 
> > I know that the docs say it's not possible, but is it theoretically
> > possible?
> 
> No.  Not with SSL, at least.
> 
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> 
> --------------------------------------------------------------
>    Cliff Woolley
>    cliffwoolley@yahoo.com
>    Charlottesville, VA

Thanks for the response, but the FAQ is addressing a different situation
than what I had in mind.

Currently I have a couple of virtual hosts on my machine. They all work
fine. When I access the main server through https, it works fine, but
when I try to access one of the virtual hosts through https it doesn't
work.

Here's what happens:

I have two virtual hosts. I can go to http://bob and get a page that
says, "This is Bob!". I can go to http://frank and get a page that says,
"This is Frank!". No surprise yet -- it's the whole point of virtual
hosts. When I go to https://bob I get "This is Bob!" as expected, BUT
when I go to https://frank I still get "This is Bob!". This is the
situation that I was referring to.

In this case I don't see how the issue outlined in the FAQ is a problem
since there is no need to read any SSL configuration from a virtual host
config before having the Host: header. All the SSL config is in the main
conf, not in the virtual host containers.

-- 
Jerry Baker

Re: SSL with NameVirtualHosts?

Posted by Ryan Bloom <rb...@ntrnet.net>.
It is theoretically possible using the Upgrade header.  However, to the
best of my knowledge, there are no browsers that support this yet.  In
reality, implementing this feature should be trivial for a later version
of Apache 2.0.

Ryan

On Sun, 7 Apr 2002, Cliff Woolley wrote:

> On Sat, 6 Apr 2002, Jerry Baker wrote:
> 
> > I know that the docs say it's not possible, but is it theoretically
> > possible?
> 
> No.  Not with SSL, at least.
> 
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> 
> --------------------------------------------------------------
>    Cliff Woolley
>    cliffwoolley@yahoo.com
>    Charlottesville, VA
> 
> 

-- 

_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
550 Jean St
Oakland CA 94610
-------------------------------------------------------------------------------


Re: SSL with NameVirtualHosts?

Posted by Cliff Woolley <jw...@virginia.edu>.
On Sat, 6 Apr 2002, Jerry Baker wrote:

> I know that the docs say it's not possible, but is it theoretically
> possible?

No.  Not with SSL, at least.

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

--------------------------------------------------------------
   Cliff Woolley
   cliffwoolley@yahoo.com
   Charlottesville, VA