On Dec 11, 2008, at 8:25 PM, Lisa Kachold wrote:
> It's just as easy to set the server hostname and ip address statically
> to a standard hosts file? Name based virtualhosting still works!
>
>
> For 443 certificate based virtuals, you MUST have your SSL cert FQDN
> match the csr, and crt.

Kinda. You can't really do name-based virtual hosting w/ SSL, at
least not with openssl as I know it. SSL vhosts in Apache are based
on IP address only.

When doing https, the SSL key negotiation between client & server
happens before the client tells the server what resource/page/image it
wants. Apache won't know what site you want to view until after this
has been done. The IP address is about all Apache has to go on when
selecting which certificate to use to decrypt the client's request.
This is why you can't have more than 1 SSL site on the same IP:port.

I believe that if you set up an SSL VirtualHost with a ServerName
parameter, Apache resolves that name into an IP at startup time, and
uses that IP address to determine when to serve content from that
virtual host.

Putting '127.0.0.1 www.yoursite.com' in /etc/hosts messes up this
process. That's what prompted my reply to your initial email.

Apache won't try to use your certificate because it hasn't received a
request for 127.0.0.1. Most likely, your request will be handled by
the default vhost, which will try to speak plaintext http to a client
expecting https, and you'll get weird client errors containing a bunch
of hex garbage.

alex
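
The failure described in the last paragraph of the message above (a plaintext vhost answering a client that expects https) can be reproduced without a network. This is an added example, not part of the original message: an in-memory TLS client built with Python's ssl module is handed a constructed plaintext HTTP reply. The function names and the sample reply are assumptions made for illustration.

```python
import ssl

# Constructed sample: what a plaintext HTTP vhost might answer when it
# receives a TLS ClientHello instead of an HTTP request.
PLAINTEXT_REPLY = (b"HTTP/1.1 400 Bad Request\r\n"
                   b"Content-Type: text/html\r\n\r\n<html>Bad Request</html>")

def read_as_tls_record(data: bytes):
    """Interpret the first 5 bytes the way a TLS client does: type, version, length."""
    return data[0], int.from_bytes(data[1:3], "big"), int.from_bytes(data[3:5], "big")

def classify_first_bytes(data: bytes) -> str:
    """Say whether the peer's first bytes are a TLS record or plaintext HTTP."""
    if len(data) >= 5:
        ctype, version, _ = read_as_tls_record(data)
        # Real TLS records: content type 20-23, major version byte 0x03.
        if 20 <= ctype <= 23 and version >> 8 == 0x03:
            return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"

def tls_client_sees(server_reply: bytes):
    """Run an in-memory TLS client; return (client_hello, error_after_reply)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # no hostname given: nothing is actually connected
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = ctx.wrap_bio(incoming, outgoing)
    try:
        client.do_handshake()          # emits the ClientHello, then waits for the server
    except ssl.SSLWantReadError:
        pass
    hello = outgoing.read()            # produced before any HTTP request exists
    incoming.write(server_reply)       # the plaintext vhost's answer arrives
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        return hello, None
    except ssl.SSLError as exc:
        return hello, exc.reason or str(exc)
    return hello, None

if __name__ == "__main__":
    hello, error = tls_client_sees(PLAINTEXT_REPLY)
    print("client sent:", classify_first_bytes(hello))
    print("server sent:", classify_first_bytes(PLAINTEXT_REPLY))
    ctype, version, length = read_as_tls_record(PLAINTEXT_REPLY)
    print(f"parsed as TLS: type=0x{ctype:02x} version=0x{version:04x} length={length}")
    print("client error:", error)
```

The client reads the ASCII bytes `HTTP/` as a TLS record header, which is where the hex values in the resulting error come from; the exact error text depends on the OpenSSL version.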
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us