Version 14 (modified by mitty, 14 years ago) (diff)


Name-based VirtualHost with SSL

  • 名前ベースのバーチャルホストで複数ドメインにSSLを割り当てることは可能か?
    • 本質的な問題
      HTTP プロトコルと SSL の原理を考えてみても不可能なことは明らかですね。
      ネームベースのバーチャルホストは、HTTP リクエストヘッダに含まれる「Host」を参照 して
      SSL 接続の場合、HTTP リクエストヘッダは暗号化されており、
  • Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
    • It is possible, but only if using a 2.2.12 or later web server, built with 0.9.8j or later OpenSSL. This is because it requires a feature that only the most recent revisions of the SSL specification added, called Server Name Indication (SNI).
    • The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request did not contain any Host: field, the server had no way to decide which SSL virtual host to use. Usually, it just used the first one it found which matched the port and IP address specified.
  • ただし、全てのVirtualHostで同じワイルドカード証明書を指定すれば可能