Hey all,
This is kinda neat. I'll forward the link when the proxy-crusher is actually
written.
--Joey
---------- Forwarded Message ----------
Subject: Re: OpenNIC Discuss: Working around proxies -- the smelly underside
of port 80
Date: Wed, 27 Mar 2002 01:06:05 -0500
From: user <user@host.com>
To: discuss@opennic.unrated.net
At 09:28 PM 3/26/2002 -0800, user@host.com wrote:
> >It is a shame that there isn't a way to combine name based hosting with
> >SSL, as I think that name based hosting is much more efficient in terms of
> >address space usage.
>
>Forgive me, but won't SSL work just fine with virtual hosting? The issue
>is just that a single certification will certify everything coming from
>the one IP address -- but it's not wholly (maybe just a little) unreasonable
>to think of certificates as being for ISPs rather than for particular
>virtual hosts.
Actually, certificates certify a common name, or host name, NOT an IP
address. I have successfully used the same cert on multiple physical
servers that were using DNS round robin load balancing.
I specified that 'name based virtual hosting' has a problem, not virtual hosting
in general. SSL works fine if you are using IP/PORT based virtual hosting.
Here is the problem with name based virtual hosting and SSL:
The SSL connection is negotiated before the header information is sent, so
the HOST header that is the basis for HTTP 1.1 name based virtual hosting
hasn't come into play yet.
In Apache, if you have multiple name based SSL configuration entries on the
same IP/PORT, the certificate for the first host in the config is
used. That works fine if you are trying to connect to the first
server. If you try to connect to the second server, your browser will
complain that the common name on the certificate does not match the host
name of the URL you were trying to access. That complaint alone is enough
to scare most non-tech people away from trusting the page.
-user
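The check a practitioner would want from the post above is an audit of an Apache config: for every `<VirtualHost ...:443>` sharing an IP/PORT, which certificate actually gets served (the first SSL host's, as the post describes) and whether its common name matches each ServerName. The following is an added example, not code from the thread or from Apache; the config text and the mapping from certificate file to common name are constructed stand-ins (no real certificates are read), and the single-label wildcard rule in `cn_matches` is the usual browser rule, not something the post states.

```python
import re

# Constructed Apache config: two name-based SSL vhosts share 192.0.2.10:443,
# a third is IP-based on its own address.
SAMPLE_CONFIG = """
<VirtualHost 192.0.2.10:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/example.org.pem
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/example.net.pem
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName mail.example.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/example.net.pem
</VirtualHost>
"""

# Constructed stand-in for reading the subject common name out of each cert
# file (a real audit would parse the PEM; the paths here are placeholders).
CERT_COMMON_NAMES = {
    "/etc/ssl/example.org.pem": "www.example.org",
    "/etc/ssl/example.net.pem": "*.example.net",
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(config_text):
    """Return one dict per <VirtualHost> block with the directives we need."""
    vhosts = []
    for addr, body in VHOST_RE.findall(config_text):
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                directives[parts[0]] = parts[1].strip()
        vhosts.append({
            "addr": addr.strip(),
            "name": directives.get("ServerName"),
            "ssl": directives.get("SSLEngine", "off").lower() == "on",
            "cert": directives.get("SSLCertificateFile"),
        })
    return vhosts


def cn_matches(cn, host):
    """Browser-style match: exact name, or a wildcard covering one label."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host


def audit(config_text, cert_names):
    """For each SSL vhost, report (ServerName, addr, served CN, matches?).

    Models the post's Apache rule: on a given IP:PORT the certificate of the
    first SSL vhost is the one sent, because the handshake finishes before
    the Host header can select a different vhost.
    """
    served = {}  # addr -> cert file of the first SSL vhost on that addr
    results = []
    for vh in parse_vhosts(config_text):
        if not vh["ssl"]:
            continue
        served.setdefault(vh["addr"], vh["cert"])
        cn = cert_names[served[vh["addr"]]]
        results.append((vh["name"], vh["addr"], cn, cn_matches(cn, vh["name"])))
    return results


if __name__ == "__main__":
    for name, addr, cn, ok in audit(SAMPLE_CONFIG, CERT_COMMON_NAMES):
        print(f"{name:18} on {addr:17} gets cert CN={cn:16} "
              f"{'ok' if ok else 'MISMATCH (browser will warn)'}")
```

Run as-is, the audit flags shop.example.net: it is the second name-based host on 192.0.2.10:443, so clients get the www.example.org certificate and see exactly the common-name complaint the post describes, while mail.example.net on its own IP is served the wildcard certificate and passes.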
######################################################################
This is the discussion list for the Open Network Information
Center. You can unsubscribe by sending an email containing the words
"unsubscribe discuss" in the body of the message to
"majordomo@opennic.glue" or "majordomo@opennic.unrated.net".
######################################################################
-------------------------------------------------------
--
Joey Kelly
< Minister of the Gospel | Computer Networking Consultant >
http://joeykelly.dhs.org
"When Government fears the people, it's liberty. When people fear the Government, it's tyranny." -- Benjamin Franklin
Ich möchte ein Berliner.
___________________
Nolug mailing list
nolug@nolug.org
Received on 03/28/02