From: Mads Toftum Date: Fri, 3 Jan 2003 17:57:39 +0000 (+0000) Subject: Removing obsolete entry.(me) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b26e0a30482d1272d47354619f2226a28728f0d6;p=thirdparty%2Fapache%2Fhttpd.git Removing obsolete entry.(me) Adding alternative description about name-based vhosts and ssl (written by Owen Boyle) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98158 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/ssl/ssl_faq.html.en b/docs/manual/ssl/ssl_faq.html.en index 1275ddd32da..62e8415ee90 100644 --- a/docs/manual/ssl/ssl_faq.html.en +++ b/docs/manual/ssl/ssl_faq.html.en @@ -147,7 +147,6 @@ author.

  • Core dumps for HTTPS requests?
  • Permission problem on SSLMutex
  • Shared memory and process size?
    • -
  • Shared memory and pathname?
  • PRNG and not enough entropy?
    • @@ -186,16 +185,6 @@ author.

    instance and not once per Apache server process.

    -

    Apache creates files in a directory declared by the internal -EAPI_MM_CORE_PATH define. Is there a way to override the path using a -configuration directive?

    -

    No, there is not configuration directive, because for technical - bootstrapping reasons, a directive not possible at all. Instead - use ``CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"' - ./configure ...'' when building Apache or use option - -d when starting httpd.

    - -

    When I fire up the server, mod_ssl stops with the error "Failed to generate temporary 512 bit RSA private key", why?

    Cryptographic software needs a source of unpredictable data @@ -687,6 +676,7 @@ browsers complain that they cannot verify the server certificate?

  • How to use Anonymous-DH ciphers
  • Why do I get 'no shared ciphers'?
  • HTTPS and name-based vhosts
    • +
  • Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
  • The lock icon in Netscape locks very late
  • Why do I get I/O errors with MSIE clients?
  • Why do I get I/O errors with NS clients?
    • @@ -776,6 +766,35 @@ I try to connect to my freshly installed server? handshake phase. Bingo!

    +

    Why is it not possible to use Name-Based Virtual Hosting to identify +different SSL virtual hosts?

    +

    Name-Based Virtual Hosting is a very popular method of identifying + different virtual = hosts. It allows you to use the same IP address and + the same port number for many different sites. When people move on to + SSL, it seems natural to assume that the same method can be used to have + lots of different SSL virtual hosts on the same server.

    + +

    It comes as rather a shock to learn that it is impossible.

    + +

    The reason is that the SSL protocol is a separate layer which + encapsulates the HTTP protocol. So the problem is that the SSL session + is a separate transaction that takes place before the HTTP session even + starts. Therefore all the server receives is an SSL request on IP + address X and port Y (usually 443). Since the SSL request does not + contain any Host: field, the server has no way to decide which SSL + virtual host to use. Usually, it will just use the first one it finds + that matches the port and IP address.

    + +

    You can, of course, use Name-Based Virtual Hosting to identify many + non-SSL virtual hosts (all on port 80, for example) and then you can + have no more than 1 SSL virtual host (on port 443). But if you do this, + you must make sure to put the non-SSL port number on the NameVirtualHost + directive, e.g.

    + +

    NameVirtualHost 192.168.1.1:80

    Other workaround solutions are:

    Use separate IP addresses for different SSL hosts. + Use different port numbers for different SSL hosts.

    + +

    When I use Basic Authentication over HTTPS the lock icon in Netscape browsers still shows the unlocked state when the dialog pops up. Does this mean the username/password is still transmitted unencrypted?

    diff --git a/docs/manual/ssl/ssl_faq.xml b/docs/manual/ssl/ssl_faq.xml index 070e1436e71..36da395893b 100644 --- a/docs/manual/ssl/ssl_faq.xml +++ b/docs/manual/ssl/ssl_faq.xml @@ -139,7 +139,6 @@ author.

  • Core dumps for HTTPS requests?
  • Permission problem on SSLMutex
  • Shared memory and process size?
    • -
  • Shared memory and pathname?
  • PRNG and not enough entropy?
    • @@ -178,16 +177,6 @@ author.

    instance and not once per Apache server process.

    -
    Apache creates files in a directory declared by the internal -EAPI_MM_CORE_PATH define. Is there a way to override the path using a -configuration directive? -

    No, there is not configuration directive, because for technical - bootstrapping reasons, a directive not possible at all. Instead - use ``CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"' - ./configure ...'' when building Apache or use option - -d when starting httpd.

    -
    -
    When I fire up the server, mod_ssl stops with the error "Failed to generate temporary 512 bit RSA private key", why?

    Cryptographic software needs a source of unpredictable data @@ -683,6 +672,7 @@ browsers complain that they cannot verify the server certificate?

  • How to use Anonymous-DH ciphers
  • Why do I get 'no shared ciphers'?
  • HTTPS and name-based vhosts
    • +
  • Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
  • The lock icon in Netscape locks very late
  • Why do I get I/O errors with MSIE clients?
  • Why do I get I/O errors with NS clients?
    • @@ -772,6 +762,41 @@ I try to connect to my freshly installed server? handshake phase. Bingo!

    +
    Why is it not possible to use Name-Based Virtual Hosting to identify +different SSL virtual hosts? +

    Name-Based Virtual Hosting is a very popular method of identifying + different virtual = hosts. It allows you to use the same IP address and + the same port number for many different sites. When people move on to + SSL, it seems natural to assume that the same method can be used to have + lots of different SSL virtual hosts on the same server.

    + +

    It comes as rather a shock to learn that it is impossible.

    + +

    The reason is that the SSL protocol is a separate layer which + encapsulates the HTTP protocol. So the problem is that the SSL session + is a separate transaction that takes place before the HTTP session even + starts. Therefore all the server receives is an SSL request on IP + address X and port Y (usually 443). Since the SSL request does not + contain any Host: field, the server has no way to decide which SSL + virtual host to use. Usually, it will just use the first one it finds + that matches the port and IP address.

    + +

    You can, of course, use Name-Based Virtual Hosting to identify many + non-SSL virtual hosts (all on port 80, for example) and then you can + have no more than 1 SSL virtual host (on port 443). But if you do this, + you must make sure to put the non-SSL port number on the NameVirtualHost + directive, e.g.

    + + +

    NameVirtualHost 192.168.1.1:80

    + +

    Other workaround solutions are:

    + +

    Use separate IP addresses for different SSL hosts. + Use different port numbers for different SSL hosts.

    +     +
    +
    When I use Basic Authentication over HTTPS the lock icon in Netscape browsers still shows the unlocked state when the dialog pops up. Does this mean the username/password is still transmitted unencrypted?