author | Daniel Earl Poirier <poirier@apache.org> | 2009-10-27 20:19:35 +0100 |
---|---|---|
committer | Daniel Earl Poirier <poirier@apache.org> | 2009-10-27 20:19:35 +0100 |
commit | 82077be6b7c3dd01354d7ca99aad492d5c655233 (patch) | |
tree | e1b64f80b07a385145c9bf43883529c0a93c5197 /docs/manual/ssl/ssl_faq.html.en | |
parent | Update the SSL FAQ with regard to Server Name Indication. (diff) | |
Update transforms
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@830301 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual/ssl/ssl_faq.html.en')
-rw-r--r-- | docs/manual/ssl/ssl_faq.html.en | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/docs/manual/ssl/ssl_faq.html.en b/docs/manual/ssl/ssl_faq.html.en index f07dc5d580..4ffdf78517 100644 --- a/docs/manual/ssl/ssl_faq.html.en +++ b/docs/manual/ssl/ssl_faq.html.en @@ -624,7 +624,7 @@ trying to use Anonymous Diffie-Hellman (ADH) ciphers?</a></li> error when connecting to my newly installed server?</a></li> <li><a href="#vhosts">Why can't I use SSL with name-based/non-IP-based virtual hosts?</a></li> -<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual +<li><a href="#vhosts2">Is it possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?</a></li> <li><a href="#comp">How do I get SSL compression working?</a></li> <li><a href="#lockicon">When I use Basic Authentication over HTTPS @@ -726,7 +726,7 @@ error when connecting to my newly installed server?</a></h3> complete the SSL handshake phase. Bingo!</p> -<h3><a name="vhosts2" id="vhosts2">Why is it not possible to use Name-Based +<h3><a name="vhosts2" id="vhosts2">Is it possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?</a></h3> <p>Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and 
@@ -734,16 +734,24 @@ Virtual Hosting to identify different SSL virtual hosts?</a></h3> SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.</p> - <p>It comes as rather a shock to learn that it is impossible.</p> + <p>It is possible, but only if using a 2.2.12 or later web server, + built with 0.9.8j or later OpenSSL. This is because it requires a + feature that only the most recent revisions of the SSL + specification added, called Server Name Indication (SNI).</p> <p>The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y - (usually 443). Since the SSL request does not contain any Host: - field, the server has no way to decide which SSL virtual host to use. - Usually, it will just use the first one it finds, which matches the - port and IP address specified.</p> + (usually 443). Since the SSL request did not contain any Host: + field, the server had no way to decide which SSL virtual host to use. + Usually, it just used the first one it found which matched the + port and IP address specified.</p> + + <p>If you are using a version of the web server and OpenSSL that + support SNI, though, and the client's browser also supports SNI, + then the hostname is included in the original SSL request, and the + web server can select the correct SSL virtual host.</p> <p>You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then |
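Review bot: In the index list at @@ -624, the unchanged entry directly above the edited one still reads "Why can't I use SSL with name-based/non-IP-based virtual hosts?", while the edited entry now asks "Is it possible to use Name-Based Virtual Hosting..." and is answered with "It is possible". The two adjacent FAQ items now point readers to opposite conclusions. Suggest rewording the #vhosts entry and checking its answer in the same change, or adding a cross-reference from #vhosts to #vhosts2 that names the SNI requirement.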
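Review bot: In the @@ -734 hunk, the paragraph starting "The reason is that the SSL protocol is a separate layer" now directly follows "It is possible, but only if using a 2.2.12 or later web server", so "The reason" reads as the reason it works, when the text actually explains why it fails without SNI. The paragraph also mixes the untouched present tense ("is a separate layer", "receives an SSL request") with the new past tense ("did not contain", "had no way"). Suggest opening it with "Without SNI, ..." and keeping one tense throughout. The added SNI paragraph should also say what happens when the client does not support SNI: per the preceding paragraph the server falls back to the first virtual host matching the IP address and port, which decides which certificate that client is shown, and readers need that stated explicitly.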