RE: multiple SSL on the same IP?
by Bennett Haselton <bennett(at)peacefire.org>
Date: Tue, 26 Jun 2001 09:50:21 -0700
To: hwg-servers(at)hwg.org

Are you sure that SSL requires that reverse lookup match the name of the
site? I can connect to:
https://secure.media3.net/PeacefireShop/index.cfm
[note -- we're not selling those t-shirts any more, don't place an order :)
it's just an example]
even though secure.media3.net is 206.67.56.1, and if you do reverse lookup
on that address (type "ping -a 206.67.56.1") the hostname comes back as
rs6.media3.net, not secure.media3.net. I can also connect to
https://www.safeweb.com/
even though www.safeweb.com is 216.104.228.137 and "ping -a" doesn't
reverse that IP address to *any* hostname.

It doesn't seem like SSL should *need* reverse lookup in order to be
implemented. It wouldn't add any extra security -- anybody can make their
reverse lookup say whatever they want.

I'm just assuming, but I *think* the problem with multiple hosts using SSL
on one IP address is that the Web server doesn't know which Web site you
want until you specify it in the "Host:" header of the HTTP request -- and
that header is, itself, encrypted. The Web server doesn't know how to
decrypt the Host: header unless it knows which site's certificate to use
for decryption, and it doesn't know which site's certificate to use without
decrypting the Host: header -- catch-22.

-Bennett

At 08:44 PM 6/14/2001 -0500, Lyle wrote:
>SSL requires that the reverse lookup match the name of the site that you
>are getting the SSL cert from. So only one SSL site per ip address.
>
>-----Original Message-----
>From: David Jemison [mailto:pithon(at)lifeinkorea.com]
>Sent: Thursday, June 14, 2001 7:53 PM
>To: hwg-servers(at)hwg.org
>Subject: multiple SSL on the same IP?
>
>
>We have only been allocated one IP address for our server (Win2K/IIS5),
>so are using host headers to host multiple sites. We recently added SSL
>for one site. But if we try to add SSL for another site, all the
>requests go to the original SSL site. Is it not possible to use host
>headers for SSL sites on the same IP address?
>
>--
>David Jemison
>http://www.lifeinkorea.com
>http://www.lifeinasia.com
bennett(at)peacefire.org http://www.peacefire.org
(425) 649 9024
HWG: hwg-servers mailing list archives,
maintained by Webmasters @ IWA