Re: [cobalt-users] Security Help
- Subject: Re: [cobalt-users] Security Help
- From: "storage@xxxxxxxxxxxxx" <storage@xxxxxxxxxx>
- Date: Sun Feb 25 17:12:01 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> I am about 99.9% sure that you CAN have other non-ssl sites on the same IP
> address as an SSL site. However, don't take that as gospel.
>
Take it as gospel. This is more to do with the way HTTPS works than anything
else. HTTPS can't use name-based virtual hosting because it needs to bind to
a single IP address. This is because the connections are negotiated in a
different way to HTTP - the server and client need to "shake hands", decide
on a cipher to use, check certificates, etc. All this is done at a lower
level than HTTP, so HTTPS needs to rely on the IP address as a "marker" for
the correct VirtualHost. Whereas HTTP can do as it damn well pleases,
including binding to an IP address used by HTTPS (the "transactions" are
completely separated from each other - HTTP doesn't know what HTTPS is doing
and vice-versa). The upshot of that (really bad explanation) is that you can
point as many HTTP VirtualHosts as you like (there are limits of course) to
one IP address, but each HTTPS host has to have a unique IP address.
Have a look at the mod_ssl FAQ if you have any doubts. And a search on the
mod_ssl and Apache-SSL mailing lists will produce even better plain English
explanations.
http://www.modssl.org/docs/2.6/ssl_faq.html#ToC46
Why can't I use SSL with name-based/non-IP-based virtual hosts?
The reason is very technical. Actually it's some sort of a chicken and egg
problem: The SSL protocol layer stays below the HTTP protocol layer and
encapsulates HTTP. When an SSL connection (HTTPS) is established
Apache/mod_ssl has to negotiate the SSL protocol parameters with the client.
For this mod_ssl has to consult the configuration of the virtual server (for
instance it has to look for the cipher suite, the server certificate, etc.).
But in order to dispatch to the correct virtual server Apache has to know the
Host HTTP header field. For this the HTTP request header has to be read. This
cannot be done before the SSL handshake is finished. But the information is
already needed at the SSL handshake phase. Bingo!
adam
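The chicken-and-egg problem Adam and the mod_ssl FAQ describe can be seen by looking at what the server actually has in hand when it must pick a certificate: only the first TLS record (the ClientHello) and the local IP address the socket is bound to, never the HTTP Host header. The following is an added example, not code from the post, from mod_ssl, or from Apache. It builds a constructed ClientHello, walks its fields, and selects an SSL virtual host the way a mod_ssl 2.6 era server had to: by (IP, port) alone. It goes one step beyond the post in that it also recognises the TLS server_name (SNI) extension, which did not exist when the post was written (it was first specified in RFC 3546 in 2003, now RFC 6066) and is exactly the fix for the limitation described; the VHOSTS table, the 192.0.2.x addresses and the hostnames are assumptions made up for the example.

```python
import struct

# Constructed vhost table (assumption for this example). As in mod_ssl 2.6,
# an SSL vhost is keyed by (ip, port); the "names" set only matters if the
# client happened to send a server_name extension.
VHOSTS = {
    ("192.0.2.10", 443): {"default": "www.example.com",
                          "names": {"www.example.com", "shop.example.com"}},
    ("192.0.2.11", 443): {"default": "mail.example.net",
                          "names": {"mail.example.net"}},
}


def build_client_hello(server_name=None, random_bytes=b"\x11" * 32):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a capture).

    With server_name=None no extensions block is emitted at all, which is what a
    2001-era client sent; otherwise a single server_name (type 0x0000) extension.
    """
    body = b"\x03\x03" + random_bytes          # client_version + random
    body += b"\x00"                            # session_id length 0
    suites = b"\xc0\x2f\x00\x9c"               # two cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None.

    Everything here is read from the raw TLS record, i.e. before any HTTP
    bytes (and therefore before any Host header) exist on the connection.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                               # skip client_version and random
    pos += 1 + body[pos]                       # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                       # compression_methods
    if pos == len(body):
        return None                            # no extensions block: pre-SNI client
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_body_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_body = body[pos:pos + ext_body_len]
        pos += ext_body_len
        if ext_type != 0x0000:
            continue
        list_len = struct.unpack("!H", ext_body[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = ext_body[p]
            name_len = struct.unpack("!H", ext_body[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:                 # host_name
                return ext_body[p:p + name_len].decode("ascii")
            p += name_len
    return None


def select_ssl_vhost(record, local_ip, local_port=443):
    """Pick the vhost whose certificate and cipher config go into the ServerHello.

    The only reliable selector is the (ip, port) the connection arrived on,
    which is the constraint the post describes. A server_name, if the client
    sent one and it matches, refines the choice; without it we fall back to
    the IP's default vhost.
    """
    entry = VHOSTS.get((local_ip, local_port))
    if entry is None:
        raise LookupError("no SSL vhost bound to %s:%d" % (local_ip, local_port))
    name = parse_sni(record)
    if name is not None and name in entry["names"]:
        return name
    return entry["default"]


if __name__ == "__main__":
    old_client = build_client_hello()                      # no SNI at all
    print(parse_sni(old_client), select_ssl_vhost(old_client, "192.0.2.10"))
    new_client = build_client_hello("shop.example.com")
    print(parse_sni(new_client), select_ssl_vhost(new_client, "192.0.2.10"))
```

The key observation is in `select_ssl_vhost`: with the ClientHello from the pre-SNI client, the hostname is simply absent at the point where the certificate has to be chosen, so two HTTPS sites on one address would both get the default vhost's certificate. A name-carrying ClientHello is still only honoured if the name belongs to the vhost bound on that address; a mismatch falls back to the IP's default rather than trusting the client to pick an arbitrary configuration.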