Re: SSL pages not found

From: Alun Jones [MS MVP - Security] (alun_at_texis.invalid)
Date: 05/12/04


Date: Wed, 12 May 2004 19:35:37 GMT

In article <#M4Y8P$NEHA.3420@TK2MSFTNGP11.phx.gbl>, "Bojidar Alexandrov"
<bojo_do_not_spam@kodar.net> wrote:
>> which part ?
>
>"SSL won't work with host headers"

Perhaps it was a tad short, but the basic concept is sound.

HTTP over SSL requires that the client send a client_hello, to which the
server responds with its server_hello. After this exchange, and a few
others, the HTTP headers get sent.

Now, the server_hello contains the certificate identifying the server, and
the client_hello in SSL does not contain information requesting which
server's certificate to return.

Technically, it would be possible to create a certificate with an alternate
name specified with the names of each server, but good luck getting such a
certificate from any commercial CA - and you'd have to re-issue
(re-purchase) the certificate each time you added or removed a server.
That's not a realistic solution.

You could also have each server run on its own IP and/or port, but then
that's the point of host headers - to not have to do so.

You could also require each server to be under a common subdomain, and use a
wildcard certificate (again, good luck getting that from a commercial CA).
But most people want to use their own domain for their web sites. So,
again, that's not a realistic solution.

TLS 1.1 includes the ability for a client to specify the server name to
which it's trying to connect. But that is not supported by any significant
browsers or servers at present. [Some have yet to enable TLS 1.0 by
default] And TLS is not SSL - TLS grew out of SSL and PCT.

Perhaps you'd care to explain the scenario wherein you have host headers and
SSL working together?

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@texis.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
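The post above turns on one fact: an SSL-era ClientHello carries no server name, so a server behind one IP cannot choose a certificate per host header before the handshake is done, whereas a TLS ClientHello may carry the server_name (SNI) extension. The following script is an added example, not part of Alun's post, that makes this visible offline. It uses Python's standard ssl module with memory BIOs to generate the ClientHello a current OpenSSL stack would send (with and without a server name), hand-builds a constructed SSL 3.0-style ClientHello with no extensions, and runs a small parser over each to report whether a server name is present. The host name used is a constructed placeholder.

```python
import ssl
import struct


def build_client_hello(server_name=None):
    """Generate the ClientHello Python's ssl module (OpenSSL) would send,
    without touching the network: memory BIOs only, no socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # no peer here, so nothing to verify
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, client now waits for ServerHello
    return outgoing.read()


def minimal_legacy_hello():
    """Constructed SSL 3.0-style ClientHello: no extensions field at all,
    which is the 2004 situation the post describes."""
    body = struct.pack("!H", 0x0300) + bytes(32)    # client_version, random
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"      # one cipher suite
    body += b"\x01\x00"                             # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0300, len(handshake)) + handshake


def parse_sni(client_hello):
    """Return the host name in the server_name extension, or None if the
    ClientHello carries no such name (so the server cannot pick a cert)."""
    ctype, _version, rec_len = struct.unpack("!BHH", client_hello[:5])
    if ctype != 22:
        raise ValueError("not a TLS handshake record")
    body = client_hello[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4                                         # skip msg_type + 3-byte length
    pos += 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                            # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                               # cipher_suites
    pos += 1 + body[pos]                            # compression_methods
    if pos >= len(body):
        return None                                 # legacy hello: no extensions
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0:                           # server_name (RFC 6066)
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:                  # host_name
                    return name.decode("ascii")
    return None


if __name__ == "__main__":
    # "shop.example.net" is a constructed placeholder host name.
    print("legacy SSL 3.0 hello  ->", parse_sni(minimal_legacy_hello()))
    print("TLS hello, no name    ->", parse_sni(build_client_hello(None)))
    print("TLS hello with SNI    ->", parse_sni(build_client_hello("shop.example.net")))
```

The first two cases return None: with nothing in the ClientHello to go on, a server that hosts several names on one IP and port has to answer with a single certificate before it ever sees the HTTP Host header, which is exactly the objection in the post. Only the third case, where the client puts the name into the handshake, gives the server enough to select a per-name certificate; a defender checking a TLS front end for name-based virtual hosting wants to confirm that both its clients and its server support this extension.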

