[ale] Many ssl certs, one IP...Linux vs Win question

James Taylor jtaylor at fantasylane.net
Thu Mar 7 15:10:06 EST 2002


FYI - From MicroShaft
-jt

IIS: HTTP 1.1 Host Headers Not Supported When Using SSL (Q187504)

------------------------------------------------------------------------
The information in this article applies to:


Microsoft Internet Information Server 4.0 
Microsoft Internet Information Services version 5.0 


------------------------------------------------------------------------


SUMMARY
When you use Secure Sockets Layer (SSL), HTTP 1.1 Host Headers will not
function. This is because Host Headers are included in the encrypted
request.



MORE INFORMATION
When a Web server is configured to use SSL, Microsoft Internet
Information Server (IIS) must determine which certificate to use. IIS
4.0 supports multiple Web servers on a single server, so it is feasible
to have multiple certificates loaded. Only one certificate will be used
with a given Web server.

Internet Information Server version 4.0 allows a server to host multiple
Web sites. This is achieved by any of the following:

  * Using different IP addresses, but the same port number

  * Using the same IP address, but different port numbers

  * Using the same IP address and port number, but using HTTP 1.1 Host
    Headers

Host Headers allow the server to determine which Web server to use in
the event the IP address or port number are the same and are part of the
HTTP 1.1 protocol. This information is included as part of the request
header sent by the browser to the server.

When a request comes to the server using SSL, IIS looks in its
configuration store to determine which certificate to use. This is
performed by doing a lookup on the IP/Port combination. When there are
multiple Web servers on a computer that all have the same IP address and
port number configured to use Host Headers, the normal progression of
events is to look at the Host Header to determine which Web server to
use. However, the client request is still encrypted using SSL.
Therefore, the header is encrypted, and IIS cannot determine which
server certificate to use nor which Web server to communicate with (as
it could be one of many).


James Taylor
The East Cobb Group,Inc
678-560-9702
james.taylor at eastcobbgroup.com

>>> <jenn at colormaria.com> 03/06/02 04:59PM >>>
Our new VP of Operations maintains that he is running many different SSL
Certificates on IIS with a single IP.

I maintain that apache and all the literature I've read states that the
HTTPS protocol renders that impossible, and I can't make apache do
name-based virtual hosting for https.

Am I misunderstanding?  Can someone help here?  We've got an apache
server with name-based virtual hosting.  I can figure out the IP-based
ssl virtual hosting, but I keep reading that name based is impossible.
Is it really possible with IIS??

Please help?  I've read devshed, apache+ssl help, and I just keep
thinking I must be misunderstanding what I'm reading, or the VPO is
misunderstanding what he's telling me.

TIA, again and as always
jenn


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems
should be sent to listmaster at ale dot org.
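
The certificate lookup described in the quoted article, modelled as an added example that is not part of the original message or of Microsoft's article. The binding list is constructed, the function names are hypothetical, and "first certificate wins" is an assumption made only so that the mismatch can be shown; the audit flags SSL sites that share an IP/port pair and so cannot each present their own certificate.

```python
from collections import defaultdict

# Constructed site bindings: (ip, port, host_header, uses_ssl, certificate subject).
BINDINGS = [
    ("192.0.2.10", 80,   "www.example.com",   False, None),
    ("192.0.2.10", 80,   "shop.example.net",  False, None),
    ("192.0.2.10", 443,  "www.example.com",   True,  "CN=www.example.com"),
    ("192.0.2.10", 443,  "shop.example.net",  True,  "CN=shop.example.net"),
    ("192.0.2.11", 443,  "mail.example.org",  True,  "CN=mail.example.org"),
    ("192.0.2.10", 8443, "admin.example.com", True,  "CN=admin.example.com"),
]

def certificate_table(bindings):
    """Map each SSL (ip, port) to the certificates configured for it, in order."""
    table = defaultdict(list)
    for ip, port, _host, ssl, cert in bindings:
        if ssl and cert not in table[(ip, port)]:
            table[(ip, port)].append(cert)
    return dict(table)

def select_certificate(bindings, ip, port):
    """Handshake-time choice: only ip and port are known, the Host header is
    still encrypted. Assumption: the first certificate on the endpoint wins."""
    certs = certificate_table(bindings).get((ip, port), [])
    return certs[0] if certs else None

def find_conflicts(bindings):
    """SSL endpoints where more than one certificate competes for one ip:port."""
    return {ep: certs for ep, certs in certificate_table(bindings).items()
            if len(certs) > 1}

def mismatched_hosts(bindings):
    """Sites whose own certificate is not the one the handshake would present."""
    bad = []
    for ip, port, host, ssl, cert in bindings:
        presented = select_certificate(bindings, ip, port)
        if ssl and presented != cert:
            bad.append((host, presented))
    return bad

if __name__ == "__main__":
    for (ip, port), certs in find_conflicts(BINDINGS).items():
        print(f"{ip}:{port} has {len(certs)} certificates configured: {certs}")
    for host, presented in mismatched_hosts(BINDINGS):
        print(f"{host} would be served with {presented}")
```

The plain HTTP sites on port 80 share an endpoint without trouble because their Host header is readable when the site is chosen; only the two sites on 192.0.2.10:443 are reported.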










