Virtual hosting (hosting multiple sites on the same IP address) became possible with HTTP/1.1 because it made the “Host” header mandatory, which specifies which one of the (possibly) multiple sites hosted on the same IP address you would like to reach (a small side-effect is that when you browse to the bare IP address of a site, you might get a different site, since the web server doesn’t know which one to pick and serves its default).
However, this wasn’t possible with SSL, because the certificate is sent before the headers, a certificate (at least the run-of-the-mill kind) is specific to one site, and so the web server didn’t know which certificate to pick. When I heard on the SANS Daily Stormcast that the newest version of Apache included a way to do this, I was enthusiastic and intrigued at the same time, so I went looking and found the following:
- It is done by starting the connection in plaintext and then “upgrading” it to TLS. I wonder just how much goes over the wire in plaintext? (see the What’s new document, the mod_ssl section specifically)
- The official RFC for this is RFC 2817. The RFC specifies both methods for upgrading – a separate probe sent before the actual request, or the Upgrade header carried on the actual request itself (in which case that request’s line and headers have already been sent in the clear) – so the devil will be in the details of the implementation.
- There is no browser support for this at the moment, so it is pretty much useless (until IE and IIS start supporting it, it is little more than a cool option). But at least we have a reference implementation.
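To make concrete which bytes the two RFC 2817 upgrade styles expose, here is an added example (it is not code from this post, from Apache, or from the RFC) that simulates both sides of the exchange in Python. The header names and values (Upgrade: TLS/1.0, Connection: Upgrade, the 101 Switching Protocols and 426 Upgrade Required answers) are the ones defined by RFC 2817; the host name, path and cookie are constructed, and no real TLS handshake is performed: the server function only decides how to answer, so that the script can report what an on-path observer would have seen before the switch.

```python
"""Simulate the RFC 2817 "Upgrade: TLS/1.0" exchange on a plain HTTP/1.1 connection.

Constructed example: nothing here talks to a network and no TLS handshake runs.
The point is to show which bytes cross the wire unprotected before the server's
101 Switching Protocols, for each of the upgrade styles the RFC allows.
"""

UPGRADE_TOKEN = "TLS/1.0"  # protocol token used by RFC 2817


def build_request(method, target, host, extra_headers=None, upgrade=True):
    """Serialize a plaintext HTTP/1.1 request, optionally carrying the TLS upgrade offer."""
    headers = [("Host", host)]
    if upgrade:
        headers += [("Upgrade", UPGRADE_TOKEN), ("Connection", "Upgrade")]
    headers += list(extra_headers or [])
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_message(raw):
    """Split a request or response into (start line, {lower-cased header name: value})."""
    head, _, _body = raw.decode("ascii").partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def offers_upgrade(headers):
    """RFC 2817: Upgrade must list TLS/1.0 and Connection must carry the 'Upgrade' token."""
    upgrade = [t.strip() for t in headers.get("upgrade", "").split(",")]
    connection = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return UPGRADE_TOKEN in upgrade and "upgrade" in connection


def server_respond(raw_request, require_tls):
    """Simulated server: 101 on a valid offer, 426 if TLS is mandatory, otherwise 200."""
    _start, headers = parse_message(raw_request)
    if offers_upgrade(headers):
        status = "101 Switching Protocols"
    elif require_tls:
        status = "426 Upgrade Required"
    else:
        return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    return (f"HTTP/1.1 {status}\r\nUpgrade: {UPGRADE_TOKEN}, HTTP/1.1\r\n"
            "Connection: Upgrade\r\n\r\n").encode("ascii")


def status_code(raw_response):
    """Numeric status of a serialized response."""
    return int(parse_message(raw_response)[0].split()[1])


def cleartext_exposure(raw_request):
    """Request line plus the header names an observer saw before any TLS protection."""
    start, headers = parse_message(raw_request)
    return [start] + sorted(headers)


def run_exchange(mode):
    """Drive one client/server exchange and report what crossed the wire unprotected.

    mode: "probe"      - OPTIONS * carries the offer; the real request waits for the 101
          "on_request" - the offer rides on the real request itself
          "plain"      - no offer; the server answers 426 and the client retries as on_request
    """
    host = "www.example.com"  # constructed
    real = ("GET", "/account?id=42", host, [("Cookie", "session=deadbeef")])  # constructed
    seen = []  # start lines and header names visible before any TLS
    if mode == "probe":
        first = build_request("OPTIONS", "*", host)
    elif mode == "on_request":
        first = build_request(*real)
    else:
        first = build_request(*real, upgrade=False)
    seen += cleartext_exposure(first)
    code = status_code(server_respond(first, require_tls=True))
    if code == 426:  # server-requested upgrade: the client repeats the request with the offer
        retry = build_request(*real)
        seen += cleartext_exposure(retry)
        code = status_code(server_respond(retry, require_tls=True))
    # After the 101 the TLS handshake would run here. In "probe" mode the real
    # request is only sent inside that session, so it adds nothing to `seen`.
    return {"status": code, "seen_in_clear": seen}


if __name__ == "__main__":
    for mode in ("probe", "on_request", "plain"):
        print(mode, run_exchange(mode))
```

Running it shows the difference the RFC leaves to the implementation: with the offer on the real request, the request line, Host and Cookie are all observable, and a server that insists on TLS via 426 has already received the unprotected request once before the client retries, so the cookie is exposed twice. The probe-first style leaks only the OPTIONS * line and the host name, which is no more than the server needs to choose a certificate.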
Bonus article: The First Few Milliseconds of an HTTPS Connection
Picture taken from AMagill’s photostream with permission.
2 responses to “Virtually Hosted SSL – almost there”
Why can't people just agree to use SNI?!?
http://en.wikipedia.org/wiki/Server_Name_Indication
@olleB: wow, I didn't know about SNI. Thanks for the tip, it is very cool (and it already has browser support, including IE7!).
Thank you again for the great tip!
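SNI, which olleB’s comment points to, solves the problem at the TLS layer instead of above it: the client puts the host name it wants into the ClientHello, so the server can pick the matching certificate before it sends a single byte. As an added example (not code from the post, the comments or the linked Wikipedia page), the Python below builds a minimal TLS 1.2 ClientHello carrying the server_name extension (the extension described by the link, now specified in RFC 6066), parses the name back out, and uses it to choose a certificate the way a name-based virtual host would. The host names, certificate labels, random bytes and cipher suite list are constructed, and a ClientHello without SNI falls back to the default host, which is exactly the “you might get a different site” effect from the beginning of the post.

```python
"""Build and parse a TLS 1.2 ClientHello with the server_name (SNI) extension.

Constructed example: the record is assembled by hand rather than by a TLS
library, so the byte layout the server reads before choosing a certificate
is visible. Only the fields needed to reach the extensions block are modelled.
"""
import struct


def _sni_extension(hostname):
    """server_name extension: type 0, one host_name (type 0) entry."""
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(name_list)) + name_list


def build_client_hello(hostname=None):
    """Minimal TLS 1.2 ClientHello record; SNI is included only when a hostname is given."""
    client_random = b"\x11" * 32                 # constructed, deliberately not random
    cipher_suites = b"\xc0\x2f\x00\x9c"          # two suites, enough to be well-formed
    body = (b"\x03\x03" + client_random + b"\x00"  # version, random, empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                        # one compression method: null
    exts = _sni_extension(hostname) if hostname else b""
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + body[pos]                          # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    if pos >= len(body):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            name = data[q:q + nlen]
            q += nlen
            if ntype == 0:                        # host_name
                return name.decode("idna")
    return None


def pick_certificate(record, certs_by_host, default_host):
    """Name-based virtual hosting for TLS: choose the cert from SNI, else the default host's."""
    sni = extract_sni(record)
    if sni is None or sni not in certs_by_host:
        return certs_by_host[default_host]
    return certs_by_host[sni]


if __name__ == "__main__":
    certs = {"www.example.com": "cert-A", "secure.example.org": "cert-B"}  # constructed
    print(pick_certificate(build_client_hello("secure.example.org"), certs, "www.example.com"))
    print(pick_certificate(build_client_hello(), certs, "www.example.com"))
```

Because the host name sits in the very first message, the server needs no plaintext HTTP round trip to choose between certificates, which is why SNI avoids the exposure question that RFC 2817 raises; the trade-off is that the requested host name itself is visible to anyone on the path.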