
Re: https sharing ip but not certificate

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: https sharing ip but not certificate
From: "Jacob Coby" <jcoby@xxxxxxxxxxxxxxx>
Date: Wed, 26 Feb 2003 16:49:41 -0500
> hi,
>
> how would you run two virtual domains in apache (can be 2 vservers) with
> different certificates, but just one ip address?
>
> is it _possible_ to create a module for ktcpvs which transparently handle
> ssl, parse host request and redirect https request to the right apache?
> how?
> (don't know about ssl internals)
>
> is it easier/lighter in userspace? something hidden in apache?

It is impossible to share an ip address across multiple https domains on the
standard port.

Why?  Because the HTTP Host header is encapsulated inside the SSL session,
and apache (or anything else) can't figure out which SSL cert to use, until
AFTER decoding the session.  But, to decode the session, it must first send
the cert to the client.

Catch-22.

So, to use multiple https domains, you'll have to either differentiate them
by IP and/or by port.

-Jacob
