SSL Name-Based Virtual Hosts
Friday, August 4th, 2006
Why can’t you have SSL name-based virtual hosts?
I discovered that this was impossible… twice. So, hopefully this explanation will satisfy people’s curiosity and stop the frustration of trying to get this to work when it just won’t.
The problem lies with the way name-based virtual hosting and SSL work.
Name-based virtual hosting is when more than one domain name is served from the same IP address on the same port. DNS takes care of resolving a domain name to an IP address. Then, when the browser sends that domain name in the HTTP Host header to that IP address and port, the web server (usually Apache) can determine which web site to serve. This is all well and good: the web server can figure out which domain name you want on each request, because your browser always sends it. But what happens when we go to a secure page and add SSL to the mix?
HTTPS uses SSL to encrypt HTTP traffic. Before the server can receive the HTTP request, it must send the client a certificate proving the server’s identity, and that certificate is bound to a domain name. How does the server know which domain name’s certificate to send if it hasn’t received the HTTP request (and therefore the Host header) yet? It doesn’t. So the server simply sends the only certificate it knows for the IP address and port number the connection arrives on.
This is why you can’t do SSL name-based virtual hosts with Apache, or any other web server for that matter.
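To make the asymmetry concrete, here is a small model of an Apache-style virtual host table (added example, not code from the original post; the host names, the 192.0.2.10 address and the table layout are constructed). Plain HTTP dispatch can read the Host header out of the request; the SSL side has only the address and port to go on, so the second SSL vhost bound to the same address can never be reached, and a config check flags that conflict.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VHost:
    server_name: str
    ip: str
    port: int
    cert_cn: str = ""  # CN of the certificate; empty for plain HTTP hosts

# Constructed table: two sites share 192.0.2.10 on both port 80 and port 443.
VHOSTS = [
    VHost("www.example.com", "192.0.2.10", 80),
    VHost("shop.example.com", "192.0.2.10", 80),
    VHost("www.example.com", "192.0.2.10", 443, cert_cn="www.example.com"),
    VHost("shop.example.com", "192.0.2.10", 443, cert_cn="shop.example.com"),
]

def host_header(raw_request: bytes) -> str:
    """Return the Host header (port stripped, lowercased) of a raw HTTP request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().split(":")[0].lower()
    return ""

def dispatch_http(ip: str, port: int, raw_request: bytes) -> VHost:
    """Plain HTTP: the Host header has arrived, so name-based dispatch works."""
    wanted = host_header(raw_request)
    bound = [v for v in VHOSTS if v.ip == ip and v.port == port]
    # Apache falls back to the first vhost listed for the address.
    return next((v for v in bound if v.server_name == wanted), bound[0])

def pick_certificate(ip: str, port: int) -> str:
    """SSL handshake: no HTTP request yet, so only (ip, port) is known."""
    for v in VHOSTS:
        if v.ip == ip and v.port == port and v.cert_cn:
            return v.cert_cn  # the first SSL vhost bound here always wins
    raise LookupError(f"no certificate bound to {ip}:{port}")

def ssl_conflicts() -> list[tuple[str, int]]:
    """Config check: an address with more than one SSL vhost is a conflict."""
    counts: dict[tuple[str, int], int] = {}
    for v in VHOSTS:
        if v.cert_cn:
            counts[(v.ip, v.port)] = counts.get((v.ip, v.port), 0) + 1
    return [addr for addr, n in counts.items() if n > 1]
```

A browser asking for shop.example.com over HTTPS is handed www.example.com’s certificate, which is exactly the name mismatch warning people hit when they try this.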
Hopefully this explanation helps some people save a lot of time.