
Re: Apache SSL named based virtual hosts



Bob Proulx:
> Boyd Stephen Smith Jr. wrote:
> 
>> ... Apache (from upstream) has supported it for a while and I've had
>> it in production (system based on Ubuntu Maverick) for a number of
>> months.
> 
> Re: NameVirtualHost *:443
> 
> This is good to hear but if so then how do they pull that off?  I
> thought for https that the certificate negotiation was tied to the IP
> address?  No?

The problem is/was that the TLS handshake was initiated before the HTTP
request was sent. Since only the request included the Host header, the
web server couldn't show a certificate for the requested domain name.
A better explanation can be found here:

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

In order to fix this problem, the TLS protocol had to be extended:

http://www.ietf.org/rfc/rfc3546.txt

I only read the introduction, but it appears that the client may now
simply send the relevant hostname before the server presents its
certificate.

Modern browsers appear to support that TLS extension:

https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_Indication#Browsers

When using this, you run into problems with IE<7, though… Personally, I
have never seen this in production.

J.
-- 
I wear a lot of leather but would never wear fur.
[Agree]   [Disagree]
                 <http://www.slowlydownward.com/NODATA/data_enter2.html>
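To make the "client sends the hostname before the server presents its certificate" step concrete, here is an added example (not code from the thread, from Apache, or from mod_ssl) that builds a TLS 1.0 ClientHello with the server_name extension from RFC 3546 (since superseded by RFC 6066, same wire format), parses the hostname back out of the raw record, and then picks a virtual host's certificate the way an SNI-aware server does. The vhost table and certificate paths are made up for illustration. The no-extension path is what a pre-SNI client such as IE<7 on XP sends: the server sees no hostname and can only answer with the default vhost's certificate, which is the mismatch warning people hit in that case.

```python
"""
Build and parse a TLS ClientHello carrying the server_name (SNI) extension,
then route it to a named virtual host's certificate the way an SNI-aware
web server does. Added example; not from the thread, Apache, or mod_ssl.
Layout follows RFC 3546 sec. 3.1 (server_name) on top of the TLS 1.0
ClientHello (RFC 2246). The vhost table below is constructed for the demo.
"""
import struct

SNI_EXTENSION_TYPE = 0      # ExtensionType server_name(0)
NAME_TYPE_HOST_NAME = 0     # NameType host_name(0)


def build_client_hello(server_name=None, extra_extensions=(), client_random=b"\x11" * 32):
    """Return a TLS record carrying a minimal ClientHello.

    If server_name is given, a server_name extension is appended so the
    server learns the requested host before it chooses a certificate.
    extra_extensions is a list of (type, data) pairs placed before it.
    """
    body = b"\x03\x01"                           # client_version = TLS 1.0
    body += client_random                        # 32-byte Random
    body += b"\x00"                              # session_id: empty
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                          # one compression method: null
    exts = b""
    for ext_type, ext_data in extra_extensions:
        exts += struct.pack("!HH", ext_type, len(ext_data)) + ext_data
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(host)) + host
        sni_data = struct.pack("!H", len(entry)) + entry        # ServerNameList
        exts += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
    if exts:
        body += struct.pack("!H", len(exts)) + exts             # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def parse_sni(record):
    """Return the host_name from a ClientHello record, or None if absent.

    None is the pre-SNI-client case (no extensions block or no server_name
    extension). Malformed input raises ValueError.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip client_version and Random
    pos += 1 + body[pos]                          # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    if pos == len(body):
        return None                               # no extensions at all: legacy client
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type != SNI_EXTENSION_TYPE:
            continue                              # some other extension; skip it
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[p:p + 3])
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
    return None


# Constructed vhost table: hostname -> certificate file (paths are made up).
VHOST_CERTS = {
    "www.example.org": "/etc/ssl/certs/www.example.org.pem",
    "mail.example.org": "/etc/ssl/certs/mail.example.org.pem",
}
DEFAULT_VHOST = "www.example.org"   # first vhost on *:443, like Apache's default


def select_certificate(record, vhosts=VHOST_CERTS, default=DEFAULT_VHOST):
    """Choose the certificate for a ClientHello as a name-based SSL vhost server would."""
    name = parse_sni(record)
    if name is None or name.lower() not in vhosts:
        return vhosts[default]        # no/unknown SNI: only the default cert can be sent
    return vhosts[name.lower()]


if __name__ == "__main__":
    for host in ("mail.example.org", None):
        hello = build_client_hello(host)
        print(host, "->", parse_sni(hello), "->", select_certificate(hello))
```

Note that the hostname travels in the clear inside the ClientHello, before any encryption is negotiated, so a network observer sees which vhost a client asked for even though the HTTP Host header itself is later encrypted.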


