RE: multiple SSL on the same IP?

by Bennett Haselton <bennett(at)peacefire.org>

 Date:  Tue, 26 Jun 2001 09:50:21 -0700
 To:  hwg-servers(at)hwg.org
Are you sure that SSL requires that reverse lookup match the name of the
site?  I can connect to:

https://secure.media3.net/PeacefireShop/index.cfm
[note -- we're not selling those t-shirts any more, don't place an order :)
it's just an example]

even though secure.media3.net is 206.67.56.1, and if you do reverse lookup
on that address (type "ping -a 206.67.56.1") the hostname comes back as
rs6.media3.net, not secure.media3.net.  I can also connect to

https://www.safeweb.com/

even though www.safeweb.com is 216.104.228.137 and "ping -a" doesn't
reverse that IP address to *any* hostname.

It doesn't seem like SSL should *need* reverse lookup in order to be
implemented.  It wouldn't add any extra security -- anybody can make their
reverse lookup say whatever they want.

I'm just assuming, but I *think* the problem with multiple hosts using SSL
on one IP address is that the Web server doesn't know which Web site you
want until you specify it in the "Host:" header of the HTTP request -- and
that header is, itself, encrypted.  The Web server doesn't know how to
decrypt the Host: header unless it knows which site's certificate to use
for decryption, and it doesn't know which site's certificate to use without
decrypting the Host: header -- catch-22.

          -Bennett

At 08:44 PM 6/14/2001 -0500, Lyle wrote:
 >SSL requires that the reverse lookup match the name of the site that you are
 >getting the SSL cert from.  So only one SSL site per ip address.
 >
 >-----Original Message-----
 >From: David Jemison [mailto:pithon(at)lifeinkorea.com]
 >Sent: Thursday, June 14, 2001 7:53 PM
 >To: hwg-servers(at)hwg.org
 >Subject: multiple SSL on the same IP?
 >
 >
 >We have only been allocated one IP address for our server (Win2K/IIS5),
 >so are using host headers to host multiple sites. We recently added SSL
 >for one site. But if we try to add SSL for another site, all the
 >requests go to the original SSL site. Is it not possible to use host
 >headers for SSL sites on the same IP address?
 >
 >--
 >David Jemison
 >http://www.lifeinkorea.com
 >http://www.lifeinasia.com

bennett(at)peacefire.org     http://www.peacefire.org
(425) 649 9024

HWG: hwg-servers mailing list archives, maintained by Webmasters @ IWA