You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ma...@apache.org on 2003/01/03 18:57:40 UTC
cvs commit: httpd-2.0/docs/manual/ssl ssl_faq.html.en ssl_faq.xml
mads 2003/01/03 09:57:40
Modified: docs/manual/ssl ssl_faq.html.en ssl_faq.xml
Log:
Removing obsolete entry.(me)
Adding alternative description about name-based vhosts and ssl
(written by Owen Boyle)
Revision Changes Path
1.10 +30 -11 httpd-2.0/docs/manual/ssl/ssl_faq.html.en
Index: ssl_faq.html.en
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/ssl/ssl_faq.html.en,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- ssl_faq.html.en 23 Dec 2002 16:43:03 -0000 1.9
+++ ssl_faq.html.en 3 Jan 2003 17:57:39 -0000 1.10
@@ -147,7 +147,6 @@
<li><a href="#coredump">Core dumps for HTTPS requests?</a></li>
<li><a href="#mutex">Permission problem on SSLMutex</a></li>
<li><a href="#mm">Shared memory and process size?</a></li>
-<li><a href="#mmpath">Shared memory and pathname?</a></li>
<li><a href="#entropy">PRNG and not enough entropy?</a></li>
</ul>
@@ -186,16 +185,6 @@
instance and not once per Apache server process.</p>
-<h3><a name="mmpath" id="mmpath">Apache creates files in a directory declared by the internal
-EAPI_MM_CORE_PATH define. Is there a way to override the path using a
-configuration directive?</a></h3>
-<p>No, there is not configuration directive, because for technical
- bootstrapping reasons, a directive not possible at all. Instead
- use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
- ./configure ...</code>'' when building Apache or use option
- <code>-d</code> when starting <code>httpd</code>.</p>
-
-
<h3><a name="entropy" id="entropy">When I fire up the server, mod_ssl stops with the error
"Failed to generate temporary 512 bit RSA private key", why?</a></h3>
<p>Cryptographic software needs a source of unpredictable data
@@ -687,6 +676,7 @@
<li><a href="#adh">How to use Anonymous-DH ciphers</a></li>
<li><a href="#sharedciphers">Why do I get 'no shared ciphers'?</a></li>
<li><a href="#vhosts">HTTPS and name-based vhosts</a></li>
+<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?</a></li>
<li><a href="#lockicon">The lock icon in Netscape locks very late</a></li>
<li><a href="#msie">Why do I get I/O errors with MSIE clients?</a></li>
<li><a href="#nn">Why do I get I/O errors with NS clients?</a></li>
@@ -774,6 +764,35 @@
HTTP request header has to be read. This cannot be done before the SSL
handshake is finished. But the information is already needed at the SSL
handshake phase. Bingo!</p>
+
+
+<h3><a name="vhosts2" id="vhosts2">Why is it not possible to use Name-Based Virtual Hosting to identify
+different SSL virtual hosts?</a></h3>
+ <p>Name-Based Virtual Hosting is a very popular method of identifying
+ different virtual = hosts. It allows you to use the same IP address and
+ the same port number for many different sites. When people move on to
+ SSL, it seems natural to assume that the same method can be used to have
+ lots of different SSL virtual hosts on the same server.</p>
+
+ <p>It comes as rather a shock to learn that it is impossible.</p>
+
+ <p>The reason is that the SSL protocol is a separate layer which
+ encapsulates the HTTP protocol. So the problem is that the SSL session
+ is a separate transaction that takes place before the HTTP session even
+ starts. Therefore all the server receives is an SSL request on IP
+ address X and port Y (usually 443). Since the SSL request does not
+ contain any Host: field, the server has no way to decide which SSL
+ virtual host to use. Usually, it will just use the first one it finds
+ that matches the port and IP address.</p>
+
+ <p>You can, of course, use Name-Based Virtual Hosting to identify many
+ non-SSL virtual hosts (all on port 80, for example) and then you can
+ have no more than 1 SSL virtual host (on port 443). But if you do this,
+ you must make sure to put the non-SSL port number on the NameVirtualHost
+ directive, e.g.</p>
+
+ <div class="example"><p>NameVirtualHost 192.168.1.1:80</p><p>Other workaround solutions are: </p><p>Use separate IP addresses for different SSL hosts.
+ Use different port numbers for different SSL hosts.</p></div>
<h3><a name="lockicon" id="lockicon">When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
1.8 +36 -11 httpd-2.0/docs/manual/ssl/ssl_faq.xml
Index: ssl_faq.xml
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/ssl/ssl_faq.xml,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- ssl_faq.xml 23 Dec 2002 16:43:03 -0000 1.7
+++ ssl_faq.xml 3 Jan 2003 17:57:39 -0000 1.8
@@ -139,7 +139,6 @@
<li><a href="#coredump">Core dumps for HTTPS requests?</a></li>
<li><a href="#mutex">Permission problem on SSLMutex</a></li>
<li><a href="#mm">Shared memory and process size?</a></li>
-<li><a href="#mmpath">Shared memory and pathname?</a></li>
<li><a href="#entropy">PRNG and not enough entropy?</a></li>
</ul>
@@ -178,16 +177,6 @@
instance and not once per Apache server process.</p>
</section>
-<section id="mmpath"><title>Apache creates files in a directory declared by the internal
-EAPI_MM_CORE_PATH define. Is there a way to override the path using a
-configuration directive?</title>
-<p>No, there is not configuration directive, because for technical
- bootstrapping reasons, a directive not possible at all. Instead
- use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
- ./configure ...</code>'' when building Apache or use option
- <code>-d</code> when starting <code>httpd</code>.</p>
-</section>
-
<section id="entropy"><title>When I fire up the server, mod_ssl stops with the error
"Failed to generate temporary 512 bit RSA private key", why?</title>
<p>Cryptographic software needs a source of unpredictable data
@@ -683,6 +672,7 @@
<li><a href="#adh">How to use Anonymous-DH ciphers</a></li>
<li><a href="#sharedciphers">Why do I get 'no shared ciphers'?</a></li>
<li><a href="#vhosts">HTTPS and name-based vhosts</a></li>
+<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?</a></li>
<li><a href="#lockicon">The lock icon in Netscape locks very late</a></li>
<li><a href="#msie">Why do I get I/O errors with MSIE clients?</a></li>
<li><a href="#nn">Why do I get I/O errors with NS clients?</a></li>
@@ -770,6 +760,41 @@
HTTP request header has to be read. This cannot be done before the SSL
handshake is finished. But the information is already needed at the SSL
handshake phase. Bingo!</p>
+</section>
+
+<section id="vhosts2"><title>Why is it not possible to use Name-Based Virtual Hosting to identify
+different SSL virtual hosts?</title>
+ <p>Name-Based Virtual Hosting is a very popular method of identifying
+ different virtual = hosts. It allows you to use the same IP address and
+ the same port number for many different sites. When people move on to
+ SSL, it seems natural to assume that the same method can be used to have
+ lots of different SSL virtual hosts on the same server.</p>
+
+ <p>It comes as rather a shock to learn that it is impossible.</p>
+
+ <p>The reason is that the SSL protocol is a separate layer which
+ encapsulates the HTTP protocol. So the problem is that the SSL session
+ is a separate transaction that takes place before the HTTP session even
+ starts. Therefore all the server receives is an SSL request on IP
+ address X and port Y (usually 443). Since the SSL request does not
+ contain any Host: field, the server has no way to decide which SSL
+ virtual host to use. Usually, it will just use the first one it finds
+ that matches the port and IP address.</p>
+
+ <p>You can, of course, use Name-Based Virtual Hosting to identify many
+ non-SSL virtual hosts (all on port 80, for example) and then you can
+ have no more than 1 SSL virtual host (on port 443). But if you do this,
+ you must make sure to put the non-SSL port number on the NameVirtualHost
+ directive, e.g.</p>
+
+ <example>
+ <p>NameVirtualHost 192.168.1.1:80</p>
+
+ <p>Other workaround solutions are: </p>
+
+ <p>Use separate IP addresses for different SSL hosts.
+ Use different port numbers for different SSL hosts.</p>
+ </example>
</section>
<section id="lockicon"><title>When I use Basic Authentication over HTTPS the lock icon in Netscape browsers