Multiple domains on https (apache)

Deron Meranda deron.meranda at gmail.com
Thu Feb 24 00:55:36 UTC 2005


On Wed, 23 Feb 2005 19:08:24 -0500, Sam Varshavchik
<mrsam at courier-mta.com> wrote:
> This is normal.  This is a technical limitation of SSL - each domain
> requires its own IP address.  You need to configure a separate IP address
> for each domain.  Named virtual hosts will not work with SSL.

Actually, you just need a different TCP endpoint.  This is usually done by using
a separate IP address, but you can also choose different port numbers,
although that's less desirable as it complicates your URLs.

Remember, this is a fundamental https protocol limitation, not a
problem with Apache or Linux.

And just in case you want to know "why": the reason for this is that
with https, the SSL/TLS tunnel is set up first and afterwards the HTTP
protocol happens within it.  Since name-based virtual hosting
technically depends on some of the data encoded in the HTTP protocol,
it cannot be used until HTTP traffic is flowing.  And that's after
the SSL connection setup (including selecting the correct
certificates) has already occurred.  Back in the early days of the web
before Netscape invented SSL, there was a competing protocol to
encrypt web traffic which did not have this particular
limitation... but alas, SSL/TLS won, primarily because despite this one
limitation it was quite superior in many other ways.

But the use-a-different-IP address trick works because it only depends
on things known at the IP layer, which is known to the SSL layer above
it.

Incidentally, SSL (or TLS) can be used to secure other protocols
besides HTTP, such as SMTP (mail) and so on.  Many of those other
protocols don't have such limitations, because they allow the
application protocol to handshake first without encryption, and then
switch over to SSL/TLS on the fly.  HTTP was designed before SSL was
invented, and because of some of its fundamental design assumptions,
could not be easily retrofitted to work that way without completely
breaking compatibility.

-- 
Deron Meranda
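As an added illustration (not part of the original thread), here is what the two-endpoint arrangement looks like in an Apache mod_ssl configuration of that era: each HTTPS site is bound to its own IP address (or, less conveniently, its own port), so mod_ssl can pick the right certificate from the listening socket alone, before any HTTP request line or Host header arrives. All IP addresses, hostnames and file paths are placeholders. One caveat for later readers: the thread predates Server Name Indication (RFC 3546, later RFC 6066), which carries the requested hostname inside the TLS handshake and lifted this limitation for clients that support it; the configuration below relies on nothing beyond what the post describes.

```apache
# Added example, not from the original post or the Apache project.
# All addresses, hostnames and paths are assumed placeholders.

# Option A: one IP address per HTTPS site.
# The certificate is chosen by the socket the connection arrived on,
# which is known before the TLS handshake starts.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName            www.example.com
    DocumentRoot          /var/www/example.com
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName            www.example.net
    DocumentRoot          /var/www/example.net
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/example.net.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.net.key
</VirtualHost>

# Option B: one IP address, a different port per site.
# Works for the same reason (the port is part of the TCP endpoint),
# but the second site's URLs must carry the port, e.g.
# https://www.example.org:8443/
Listen 192.0.2.20:443
Listen 192.0.2.20:8443

<VirtualHost 192.0.2.20:443>
    ServerName            www.example.org
    DocumentRoot          /var/www/example.org
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.org.key
</VirtualHost>

<VirtualHost 192.0.2.20:8443>
    ServerName            intranet.example.org
    DocumentRoot          /var/www/intranet.example.org
    SSLEngine             on
    SSLCertificateFile    /etc/pki/tls/certs/intranet.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/intranet.example.org.key
</VirtualHost>

# What does NOT work without SNI: two SSL virtual hosts sharing one
# address:port and differing only in ServerName.  Apache would answer
# every connection on that socket with the first matching vhost's
# certificate, so browsers visiting the second site get a name-mismatch
# warning.
#
# NameVirtualHost 192.0.2.30:443
# <VirtualHost 192.0.2.30:443> ServerName a.example.com ... </VirtualHost>
# <VirtualHost 192.0.2.30:443> ServerName b.example.com ... </VirtualHost>
```

To confirm which virtual host owns which socket after editing the configuration, `apachectl -S` (or `httpd -S`) prints the address-to-vhost mapping Apache has parsed; a client-side check is `openssl s_client -connect 192.0.2.11:443`, which shows the certificate the server presents on that endpoint before any HTTP is exchanged.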
