D&C GLug - Home Page

Re: [LUG] Simpler Apache Virtual Hosts + SSL?

 

Simon Waters wrote:

> You need an IP address per certificate, as the certificate is the first
> thing sent down the line when an https connection is made. This is a sad
> hangover from the days before name based virtual hosting, and why we
> still get away with charging extra if you want hosting with its own IP
> address.

It's also possible to use a different port on the same IP address for
different SSL-enabled sites -- the important bit is that the webserver
can uniquely identify which site a client is connecting to (in order to
correctly process the request) when it isn't in a position to decrypt
the request itself.

I can't think of any other way to achieve that without exposing some of
the request details, which is what HTTPS is trying to avoid in the first
place.  OTOH I have a nagging doubt that exposing the Host header would
be an issue, given that if an attacker knew the IP address a client was
connecting to, they could generate an HTTPS request to that IP address
for any old hostname and see what host the certificate was for.  I need
to think about that more thoroughly though -- right now I'm rather more
concerned with the cold water tank leaking in my loft :(

James

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
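
The port-per-site arrangement described in the message above, sketched as an Apache configuration. This is an added example, not part of the original post; the IP address, hostnames, port 8443 and file paths are constructed placeholders, and mod_ssl is assumed to be loaded.

```apache
# Constructed example: 192.0.2.10, the *.example hostnames, port 8443 and
# all file paths are placeholders chosen for illustration.

# One IP address, two TLS listeners.
Listen 192.0.2.10:443
Listen 192.0.2.10:8443

# Site A. The server picks this block from the socket the client connected
# to (address + port), before it has decrypted anything, so the Host header
# plays no part in choosing which certificate is sent.
<VirtualHost 192.0.2.10:443>
    ServerName www.site-a.example
    DocumentRoot /var/www/site-a

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site-a.example.crt
    SSLCertificateKeyFile /etc/ssl/private/site-a.example.key
</VirtualHost>

# Site B. Same IP address, different port, different certificate.
# Clients have to ask for https://www.site-b.example:8443/ explicitly.
<VirtualHost 192.0.2.10:8443>
    ServerName www.site-b.example
    DocumentRoot /var/www/site-b

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site-b.example.crt
    SSLCertificateKeyFile /etc/ssl/private/site-b.example.key
</VirtualHost>
```

Each certificate's subject name should match the `ServerName` of its own block, since the client checks the certificate against the hostname it asked for, whatever the port.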