[49929] in North American Network Operators' Group

Re: Question regarding web hosting ip addressing

daemon@ATHENA.MIT.EDU (David Terrell)
Fri Jul 12 16:23:19 2002

Date: Fri, 12 Jul 2002 13:22:48 -0700
From: David Terrell <dbt@meat.net>
To: Scott Francis <darkuncle@darkuncle.net>,
	Tim Kramer <kramert@mlrnoc.navy.mil>, nanog@merit.edu
Reply-To: David Terrell <dbt@meat.net>
In-Reply-To: <20020712141735.GA61885@darkuncle.net>; from darkuncle@darkuncle.net on Fri, Jul 12, 2002 at 07:17:35AM -0700
Errors-To: owner-nanog-outgoing@merit.edu


On Fri, Jul 12, 2002 at 07:17:35AM -0700, Scott Francis wrote:
> On Fri, Jul 12, 2002 at 08:25:25AM -0400, kramert@mlrnoc.navy.mil said:
> > Odd.  I've run multiple "https:" sites on one IP.  The browser
> > will complain about the certificate but you can always have
> > a different certificate for each site while using one IP address.
> > (Correct me if I'm wrong!)

You're wrong.  :)  The SSL exchange happens before the HTTP protocol over
SSL can begin, and so the server has no idea which cert to send; or more
practically, just has one cert configured per (host,port).

There is a defined mechanism to do HTTPS over port 80 using a mechanism
called Upgrade and inband TLS.  This will make it possible to do name
based vhosts and encryption, because you provide a Host: header along 
with the Upgrade: TLS/1.0 header.

> According to http://httpd.apache.org/docs/vhosts/name-based.html (thanks
> Gerald), name-based hosting cannot be used with SSL due to the nature of the
> SSL protocol.

Yep.

-- 
David Terrell           | "It is helpful to indicate in advance whether the 
Nebcorp Prime Minister  | printers will be supporting standard A4 paper or 
dbt@meat.net            | the strange but patriotic American 8.5x11 inch 
http://wwn.nebcorp.com/ | paper." - draft-ymbk-termroom-op-06
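
The following Python example is added here and is not part of the original message. It contrasts certificate selection for HTTPS on its own port, where only the listening (ip, port) is known when the handshake starts, with the port-80 Upgrade exchange, where the Host: header is read before TLS begins. Host names, the address, certificate paths and function names are constructed for illustration; the header and status lines follow RFC 2817.

```python
# Constructed data: hosts, address and certificate paths are illustrative.
CERT_BY_SOCKET = {("192.0.2.10", 443): "/etc/ssl/shop.pem"}
CERT_BY_HOST = {"shop.example.com": "/etc/ssl/shop.pem",
                "mail.example.com": "/etc/ssl/mail.pem"}
REQ_UPGRADE = (b"GET / HTTP/1.1\r\nHost: mail.example.com\r\n"
               b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")
REQ_PLAIN = b"GET / HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
SWITCH = b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n"


def cert_for_https(local_addr):
    """HTTPS on its own port: the handshake precedes any HTTP, so the
    listening (ip, port) is the only key available for picking a cert."""
    return CERT_BY_SOCKET[local_addr]


def parse_headers(request):
    """Return the HTTP/1.1 request headers as a lowercase-keyed dict."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def tokens(value):
    """Split a comma-separated header value into lowercase tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def handle_upgrade(request, require_tls=True):
    """Port-80 Upgrade: Host: is readable before TLS starts.
    Returns (response_bytes, certificate_path_or_None)."""
    h = parse_headers(request)
    host = h.get("host", "").split(":")[0].lower()
    if host not in CERT_BY_HOST:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n", None
    if ("tls/1.0" in tokens(h.get("upgrade", ""))
            and "upgrade" in tokens(h.get("connection", ""))):
        # The TLS handshake follows this response, using the vhost's cert.
        return b"HTTP/1.1 101 Switching Protocols\r\n" + SWITCH, CERT_BY_HOST[host]
    if require_tls:
        # No Upgrade offered: refuse rather than answer in cleartext.
        return b"HTTP/1.1 426 Upgrade Required\r\n" + SWITCH, None
    return b"HTTP/1.1 200 OK\r\n\r\n", None
```

With `require_tls=False` a request that arrives without the Upgrade header is answered in cleartext, so a site that depends on encryption should return 426 as shown.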
