Multiple domains on https (apache)

Aleksandar Milivojevic amilivojevic at pbl.ca
Thu Feb 24 15:59:03 UTC 2005 

Deron Meranda wrote:
> Incidentally, SSL (or TLS) can be used to secure other protocols
> besides HTTP, such as SMTP (mail) and so on.  Many of those other
> protocols don't have such limitations, because they allow the
> application protocol to handshake first without encryption, and then
> switch over to SSL/TLS on the fly.  HTTP was designed before SSL was
> invented, and because of some of its fundamental design assumptions,
> could not be easily retrofitted to work that way without completely
> breaking compatibility.

Actally, all those other protocols were around here decades before SSL 
was invented.  HTTP was one of the first protocols that was SSL-ized. 
SSL implementations for all other protocols learned from mistakes made 
with HTTPS, and using implicit SSL tunnel is depricated in them (if 
allowed at all).

Theoretically, it is perfectly possible to implement HTTP over SSL the 
way other protocols are now using it.  Currently, simplified HTTP 
conversation on port 80 might look something like:

  -> GET / HTTP/1.1
  -> Host: www.foobar.com
  -> More-Headers: blah blah
  ->
<-  HTTP/1.0 200 OK
<-  More-Headers: more blah blah
<-
<-  content of index.html from foobar.com

The second line is important, since it tells the other side the host 
name we are attempting to connect to (this is what Apache and all other 
web servers are using for domain-based virtual hosting).  If your 
browser dosn't send host header (very old versions of IE for example), 
virtual sites based on domain names are not going to work at all.

For HTTPS, that uses implicit SSL tunnel on port 443, simplified 
conversation looks like this.  "->", "<-", and "<->" indicate direction 
of traffic, it is not part of actual data exchange.

<-> SSL handshake
  -> GET / HTTP/1.0
  -> Host: www.foobar.com
  -> More-Headers: blah blah
  ->
<-  HTTP/1.0 200 OK
<-  More-Headers: more blah blah
<-
<-  content of index.html from foobar.com

Obviously, data needed for server to send correct certificate was sent 
after SSL handshake.  Too late.

The problem could be corrected if anybody was kind enough to extend 
HTTPS to allow for explicit requests for SSL on standard port 80 (this 
is preferred way of doing things in all other protocols, as I said, 
lesson learned from HTTPS).  SSL channel is brought at explicit client 
request for it.  No need for special port (such as 443) either.  Simply 
use standard port 80.  That way, client can pass data needed to choose 
correct certificate.

  -> AUTH TLS
  -> Host: www.foobar.com
  ->
<-  HTTP/1.0 200 OK
<-  Some-headers: completely optional, we probably don't want
<-                to blah blah too much in cleartext
<-
<-> SSL handshake
  -> GET / HTTP/1.0
  -> Host: www.foobar.com
  -> More-Headers: blah blah
  ->
  <- HTTP/1.0 200 OK
  <- More-Headers: more blah blah
  <-
  <- content of index.html from foobar.com

However, HTTPS does not provide for this option.  There is no standard 
describing anything like this for HTTP protocol.  And it is not likely 
that there will be one in foreseable future.  If there was, server would 
be able to choose correct certificate before SSL handshake was to occur 
based on data passed from the client (the host header).

Interestingly enough, if you use proxy, something similar is 
implemented.  When using proxy, client sends "CONNECT" command to the 
proxy, followed by headers (which usually include host header) before 
SSL tunnel is established (basically, explicitly requesting SSL tunnel). 
  Proxy than makes connection to the server using implicit SSL tunnel. 
Again, if we had "AUTH TLS", this "CONNECT" command and special handling 
of proxies (when SSL is used) in browsers would not be needed.

So, it is not that it isn't technically possible.  It is simple thing 
that HTTPS was one of the first protocols to deploy SSL, and nobody 
thought about the problem (or cared enough about it) until it was too 
late.  Other protocols (that were SSL-ize after HTTP) learned from this 
mistake.

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

More information about the fedora-list mailing list