Date: Thu, 11 Apr 2002 10:07:28 +1000 (EST)
From: Colin Campbell
To: Chris Cook
Cc: Baris Simsek
Subject: Re: VHost SSL
In-Reply-To: <3CB462E4.9A49AD38@tcworks.net>
Sender: owner-freebsd-isp@FreeBSD.ORG

Hi,

On Wed, 10 Apr 2002, Chris Cook wrote:

> You cannot use virtual hosts with SSL, each host must have their own IP
> address...

Correct. That's because there's a chicken-and-egg problem. VHOSTS work by the HTTP request including a "Host:" header. The browser connects to the IP address of the web server. The web server reads the HTTP headers and discovers which VHOST is being accessed. It can then consult its config to find where all the VHOST config data is.

With SSL you need to know which certificate to use to decode the HTTP header so you can find which VHOST is being accessed. Clearly this is not possible - you cannot decode the packet without knowing which VHOST's certificate to use and you can't get the certificate without decoding the packet.

Just thought I'd try and explain why.

Colin
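
The ordering problem described in the message above, as an added example that is not part of the original post: a small Python model of what the server knows at each stage, plus a config check that flags SSL endpoints where several names share one IP address and port. The host names, addresses, certificate labels and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample config: (server name, listen IP, port, ssl, certificate label)
VHOSTS = [
    ("www.example.com",  "192.0.2.10", 80,  False, None),
    ("shop.example.com", "192.0.2.10", 80,  False, None),
    ("www.example.com",  "192.0.2.10", 443, True,  "cert-www"),
    ("shop.example.com", "192.0.2.10", 443, True,  "cert-shop"),
    ("pay.example.com",  "192.0.2.11", 443, True,  "cert-pay"),
]

def host_header(raw_request: bytes):
    """Extract the Host: value from a plaintext HTTP request, without any port."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0].lower()
    return None

def route_plain(ip, port, raw_request, vhosts=VHOSTS):
    """Plain HTTP: the headers are readable, so many names can share one IP."""
    wanted = host_header(raw_request)
    for name, vip, vport, ssl, _ in vhosts:
        if (vip, vport, ssl) == (ip, port, False) and name == wanted:
            return name
    return None

def cert_candidates(ip, port, vhosts=VHOSTS):
    """SSL: when the certificate must be chosen, only the socket address is
    known; the Host: header is still inside the encrypted stream."""
    return [cert for _, vip, vport, ssl, cert in vhosts
            if ssl and (vip, vport) == (ip, port)]

def ambiguous_ssl_endpoints(vhosts=VHOSTS):
    """Config check: SSL address/port pairs configured for more than one name."""
    by_addr = defaultdict(list)
    for name, ip, port, ssl, _ in vhosts:
        if ssl:
            by_addr[(ip, port)].append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}

if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"
    print("plain HTTP routes to:", route_plain("192.0.2.10", 80, req))
    print("SSL candidates on shared IP:", cert_candidates("192.0.2.10", 443))
    print("ambiguous SSL endpoints:", ambiguous_ssl_endpoints())
```

In this model the shared address 192.0.2.10:443 yields two candidate certificates with nothing to pick between them, while 192.0.2.11:443, which has its own IP address, yields exactly one.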