
Re: SSL virtualhosting with apache-ssl w/multiple certs



On Thu, 22 Aug 2002 23:28:13 -0700 (PDT)
"nate" <debian-user@aphroland.org> wrote:

> I thought this was possible, maybe it's not though.
> 
> I have a few SSL sites running as virtual hosts on my
> system, and I want to stick to using only 1 of my available
> IP addresses for them.
> 
> The issue is apache-ssl seems to use only the first cert it
> finds, when I load it, it says it is loading the different
> certs but when I access the different sites they are all using
> the same cert.
> 
> I would like to have more proper certificates by having the
> hostname for each site in its own cert, but to avoid too
> many SSL complaints from the browsers I'm forced to use
> "*" as the hostname, that way all the hosts work without
> complaint.
> 
> Is doing the above possible without using separate IPs
> for each site, or even separate ports for each server?
> 
It is not possible without use of separate IP+port combinations. For if
you use one IP+port the server has no way to know the virtual hostname. 

The header which identifies the virtual hostname is sent via the http
connection, which can only be initiated *after* ssl has started. In
setting up the ssl connection the server has to choose what cert to use,
but the server doesn't know the name yet: so there's your problem...

So you need to map info that is available at 'ssl connection time',
namely IP+port, to a virtual hostname. So there are two solutions. Use
separate IPs with the same port number or (and that's what I did) use
separate port numbers with the same IP. (different IPs and different
ports is of course also OK, that makes three solutions ;)


grts Tim
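
The separate-ports-on-one-IP setup described in the reply above, sketched as an added configuration example (not part of the original message). The address 192.0.2.10, the hostnames, the ports and the file paths are constructed placeholders; the directive names are those of Apache-SSL, and under mod_ssl `SSLEngine on` takes the place of `SSLEnable`.

```apache
# Constructed example: address, hostnames, ports and paths are placeholders.
# One IP address, one port per SSL site. The server selects the certificate
# from the IP+port the connection arrived on, which it knows before any
# HTTP header has been sent.
Listen 192.0.2.10:443
Listen 192.0.2.10:8443

<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com
    SSLEnable
    # Certificate whose hostname is www.example.com
    SSLCertificateFile    /etc/apache-ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/apache-ssl/certs/www.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.10:8443>
    ServerName shop.example.org
    DocumentRoot /var/www/shop.example.org
    SSLEnable
    # Certificate whose hostname is shop.example.org
    SSLCertificateFile    /etc/apache-ssl/certs/shop.example.org.crt
    SSLCertificateKeyFile /etc/apache-ssl/certs/shop.example.org.key
</VirtualHost>
```

Clients reach the second site as https://shop.example.org:8443/, since only the port distinguishes it at connection time.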


