-1

According to this question, all HTTP headers are encrypted when we are using HTTPS (including the request URI and the Host header).
When a browser wants to browse a page on a website that uses HTTPS, it first creates a secure connection, then it sends the HTTP request (encrypted) and the server returns the answer to the browser. Now assume there is more than one secure website with more than one SSL certificate, so when the server wants to create a secure connection, how does it detect which certificate should be used, because it doesn't know anything about the request!!!

undone

3 Answers

2

Since the SSL channel is negotiated prior to the reception of the Host header, an HTTPS server can use at most one certificate per bound IP endpoint (IP address and port). In other words, to use two different SSL certificates, you will either need to bind each virtual host to a different port, or a different IP address.

cdhowie
1

Before TLS the server indeed didn't have a way to know which host's certificate it should present to the client, and this caused problems.

In TLS a special extension named Server Name was introduced (see RFC 3546), which lets the client tell the server what host the client wants to connect to. Based on the contents of this extension the server can present the proper certificate. Of course, all of this requires that TLS and the extension itself are supported and used by both parties.

Eugene Mayevski 'Callback
-1

The basis of this is to provide an SSL key (set) for each virtual server.

In Apache, for example, it's relatively simple. Each shared site is likely in a <VirtualHost> directive. The SSL keys can be specified within that, and thus apply to that virtual host only.

Rough example:

<VirtualHost *:443>
    ServerName server.com

    SSLEngine on
    # private key, leaf certificate and intermediate chain for this vhost only
    SSLCertificateKeyFile /etc/ssl/server_com.key
    SSLCertificateFile /etc/ssl/server_com.crt
    SSLCertificateChainFile /etc/ssl/server_com.ca-bundle
</VirtualHost>

The server will then use the specified keys for all requests directed to that site over HTTPS. Further details on the Apache site. Similar things should apply to most web servers that support a concept of virtual hosts.

You won't get any errors, as the certificate and domain name match up.

ssube
  • This will only work if each SSL virtual host binds to a different IP address or port. – cdhowie Aug 28 '11 at 08:54
  • 1
    How can the server know which VirtualHost to apply if the headers are encrypted? (This is what the questioner is wondering about.) – Jeremy Aug 28 '11 at 08:55
  • @cdhowie I'm not sure about that, I know one of my shared hosting accounts worked just fine with a cert, as long as the domain matched. It was a shared IP, but how they had it set up in the background, I don't know. – ssube Aug 28 '11 at 08:56
  • @peachykeen: The only way that could work is if (1) it was not a shared IP, or (2) nobody else using the same shared IP wanted SSL. – cdhowie Aug 28 '11 at 08:57
  • @Jeremy Banks: The request has to be sent somewhere, to a domain and port and with a protocol specified. The server handles that like any other request, as far as I'm aware. I'm not familiar with the details of how HTTPS is handled, but I am pretty sure it works with shared hosts. – ssube Aug 28 '11 at 08:58
  • @cdhowie: What causes that requirement? Why can't the key be given in the virtual host and have different vhosts use different keys? Where is this limitation noted? I've never tried to set it up, but I have seen it done. – ssube Aug 28 '11 at 09:00
  • 1
    @peachykeen: Because the HTTP `Host` request header is used to determine which virtual host to serve the request with, and the SSL channel is negotiated *before* the HTTP session begins -- the HTTP session happens inside of the encrypted channel. It is a chicken-and-egg problem: if you depend on the `Host` header for the SSL certificate data, you can't negotiate the SSL channel before receiving the HTTP headers. But you can't receive the HTTP headers until the SSL channel is negotiated. Therefore, the HTTP server *must* select an SSL certificate *before* it knows what virtual host to use. – cdhowie Aug 28 '11 at 09:03