[LUNI] SSL virtual hosts on Apache
Keith T. Garner
kgarner at kgarner.com
Mon Aug 12 09:16:01 CDT 2002
On Sat, Aug 10, 2002 at 12:13:56, Lance Spitzner said:
> I've setup virtual hosts many times on Apache, however this
> is my first crack at doing it with SSL. SSL is working fine
> on my system, but I can't get virtual SSL hosts to work. Below
> is the SSL Virtual host config file. However, when I connect
> to port 443, I get a 501 Error message, method not supported.
> The client is attempting to make an SSL connection to port 443,
> but it appears that when Apache responds, it does not realize the
> connection is SSL, and is attempting a cleartext connection, thus
> the 501 Not Supported error.
>
> Words of wisdom?
Unfortunately, what you are trying to do won't work. (I know, I've
tried before I understood all that was going on.) The other mail that
said you had the SSLEngine was correct, but that's not the entire
story.
To fully understand this, we need to look at how name-based virtual
hosts work and how SSL works.
The name-based virtual host part is easy, so I'll take care of that
first. Part of HTTP/1.1 allows you to pass a Host header as part of
the header block. Apache uses this header to "pass" the request on to
the proper virtual host.
Example (stripped down but still valid) http request:
HEAD / HTTP/1.1
Host: www.kgarner.com
Now that we understand the http part, let's look at the SSL part. SSL
sits on top of TCP but (more or less) below the application layer of
http. So, when you make a connection to port 443, the SSL layer gets
established, and then the HTTP layer after SSL is done. By the time
you could tell the server that you'd like to go to a certain virtual
host it's too late.
Is there a way around this? Other than running multiple servers on 443
on multiple IPs, no. However, you can do some creative work-arounds.
For example, a friend of mine set up https://secure.hisdomain.com/ and
when someone connects to http://www.otherdomain.com/ it redirects
them to https://secure.hisdomain.com/otherdomain/
In the long run, I'd like to see something like a STARTTLS command
similar to that which ESMTP and IMAP have. With those, you connect as
plain text and then ask to switch to SSL via the STARTTLS command.
Ideally, what I'd like to see for name-based http would be you
connect, specify which host you'd like to talk to and STARTTLS and
then, once SSL is established, the client sends its GET, HEAD or
POST.
This was my first post of the day and it was while I was drinking my
first coffee, so if I sound like a lunatic, I apologize.
Keith
--
Keith T. Garner kgarner at kgarner.com
The whole problem with the world is that fools and fanatics are always so
certain of themselves, and wiser people so full of doubts. --Bertrand Russell
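As an added example (not from the original post or Keith's own config), here is how the two options his reply describes look in an Apache/mod_ssl configuration of that era: the addresses, host names and file paths are placeholders.

```apache
# Added example, not from the original post. Placeholder addresses
# (192.0.2.x), host names and certificate paths.

# Option A: IP-based SSL virtual hosts. Each secure site gets its own
# address, so Apache knows which certificate to present from the socket
# the connection arrived on, before any HTTP request (and its Host
# header) is readable inside the SSL session.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName secure.hisdomain.com
    DocumentRoot /var/www/secure.hisdomain.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.hisdomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.hisdomain.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName www.otherdomain.com
    DocumentRoot /var/www/www.otherdomain.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.otherdomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.otherdomain.com.key
</VirtualHost>

# Option B: the redirect work-around on a single address. Name-based
# hosts work on port 80 because the Host header travels in cleartext,
# so the plaintext site bounces visitors to a path under the one
# certificate-backed host (secure.hisdomain.com above).
Listen 192.0.2.10:80
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName www.otherdomain.com
    Redirect permanent / https://secure.hisdomain.com/otherdomain/
</VirtualHost>
```

Later Apache releases (2.2.12 and up, built against an SNI-capable OpenSSL) lift this limitation through the TLS Server Name Indication extension, which carries the requested host name inside the handshake much as the STARTTLS-style scheme Keith sketches would.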