Re: [users@httpd] Re: apache 2.2.13 ssl problem: wrong certificate being served

[Eric Covener <co...@gmail.com>]

> Can someone maybe, just a little bit, say something about what SNI might be,
> and/or point to some Apache doc related to it ?
> I feel (again) like some acronym passed me by.
> And yes, I'll go check that FAQ, but as of right now in Western Europe, it
> does not talk of SNI yet.

When a client issues a HTTP/1.1 requests, they supply the desired
Hostname in the Host: header.  Apache uses this to determine which
name-based vhost to use.

When a client does HTTP over SSL, and both sides don't do SNI, Apache
has to perform the full handshake using parameters available before
the HTTP Host header is available -- currently just the IP and Port
the connection is being handled on. Apache can pick the cert and
cipher settings from the right IP-based vhost, but can't think about
ServerName/ServerAlias.

When a client does HTTP over SSL and both sides use SNI, the clients
initial TLS handshake includes a string that indicates the requested
servers hostname (Server Name Indication).  A webserver and a security
library that understand this special extension can use it to select a
certificate/ciphers based on this very early information.

So net it's like the HTTP/1.1 Host: header but its stuffed into an
early handshake message, so the server can select handshake parameters
from name-based vhosts.


-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org