Re: [lvs-users] https connections

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] https connections
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Thu, 25 Oct 2007 17:57:31 -0700
Joseph Mack NA3T wrote:
> I don't suppose you know if you can run two https sites with 
> the same IP (like you can for http)?

Short answer: no.

Longer answer: no, because the certificate for a connection must be 
chosen before the TLS session is established (the TLS handshake requires 
the certificate and key); only then can the HTTP/1.1 Host: header be 
sent across. This means the certificate must be hard-coded in the config 
of the application providing the TLS environment (Apache, for example, 
puts it into the VirtualHost context).

Slightly different short answer: you can if you bind the VirtualHost to 
different ports (443 is IANA default for https but you can run it 
*anywhere you want*. Just don't expect the clients to use one that's not 
on port 443 :)

Very different answer: you can if you use TLS/SNI. See:
This extends the TLS handshake to include several extended attributes, 
among the server_name. Guess what that gets used for?

Unfortunately RFC3546 only got passed from draft to standard four and a 
half years ago, do don't go expecting widespread client and server 
support just yet ;-)

Pardon the glib comment; it just isn't very widely used yet, although an 
increasing range of browsers can support it. It's the server end that's 
dragging - have a Google around, and you'll see what I mean.


<Prev in Thread] Current Thread [Next in Thread>