IP Space

Ted Pavlic tpavlic at netwalk.com
Wed Oct 18 06:37:48 EDT 2000


I believe you're very much mistaken. I think you are misrepresenting your
configuration to us.

SSL cannot exchange "Host:" header information because that "Host:" header
information occurs *AFTER* the keys are exchanged and data starts to be
encrypted. This means that there is no way to tell the server to use a
different key based on a different host.

If you *THINK* you've configured SSL to work with name-based hosting, you
should probably go to a few of your SSL sites and look at the cert. that was
given to the browser. You will probably find that *EVERY* SSL site has been
giving out the *SAME* CERT.

This is a problem that has been recognized by SSL web server developers as
well as ARIN. If you take a look at ARIN's name_based page,

http://www.arin.net/announcements/name_based_hosting.html

you shall see that ARIN references IETF drafts (which is *VERY*
inappropriate and just very poor) which talk about doing HTTP/1.1 over TLS.
In order to do HTTP/1.1 name-based hosting properly, a web browser should
have to connect to a port (like 80) on a server, exchange Host: header
information, and then "UPGRADE" to TLS after Host: header information has
been exchanged. This will exchange the correct certs and turn that port into
a secure one.

All the best --
Ted



----- Original Message -----
From: "Susan Zeigler" <susan at lh.net>
To: "Policy at Arin. Net" <policy at arin.net>
Cc: <info at avehost.com>; "Ted Pavlic" <tpavlic at netwalk.com>
Sent: Tuesday, October 17, 2000 11:05 PM
Subject: Re: IP Space


> Ah, but that argument doesn't hold much water. From what my enterprise-level
> clients tell me, SSL can be configured just fine to handle multiple sites on a
> single IP. I have several that do this with great results. It is much easier to
> handle and manage too, just like host-header vs. virtual IP.
>
> "AveHost.com Staff" wrote:
>
> > Ted:
> >
> > Just keep in mind that you will still need IP's for those customers that
> > want and need to use SSL, which is currently about half of our customers.
> > You see, ARIN is effectively restricting ecommerce whether they realize it
> > or not by limiting IP allocations for hosting.  Congratulations ARIN, the
> > NEW Economy's development just might be slowed!  This almost smells like an
> > old KGB clandestine operation to stifle the West's progress!
> >
> > AveHost.com Staff
> > AveHost.com, a service of RegSearch International
> > 201-840-7311
> >
> > -----Original Message-----
> > From: policy-request at arin.net [mailto:policy-request at arin.net] On Behalf Of Ted Pavlic
> > Sent: Sunday, October 08, 2000 1:43 PM
> > To: policy at arin.net; RTS
> > Subject: Re: IP Space
> >
> > http://www.arin.net/announcements/name_based_hosting.html
> >
> > I hope that helps.
> >
> > All the best --
> > Ted
> >
> > ----- Original Message -----
> > From: "RTS" <rts at rdr.net>
> > To: <policy at arin.net>
> > Sent: Saturday, October 07, 2000 8:00 PM
> > Subject: IP Space
> >
> > > I saw on Arin's page last week or so a link to both Microsoft and Apache
> > > pages for help on named based virtual hosting.
> > >
> > > Does anyone know where that is??
> > >
> > >
> > > Randy
> > >
> > >
>
>
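
The two orderings described in the reply at the top of this thread, sketched as an added example that is not part of the original messages: a server that starts SSL immediately has to present a certificate before it sees "Host:", while a server that reads the cleartext request first can choose the certificate by host and then upgrade. Hostnames, certificate labels and function names are constructed; the `Upgrade: TLS/1.0` and `101 Switching Protocols` values follow RFC 2817, which the thread does not name.

```python
# Added illustration. Hostnames and certificate labels are constructed.
CERTS = {"shop-a.example": "cert-shop-a", "shop-b.example": "cert-shop-b"}
DEFAULT_CERT = "cert-shop-a"  # the single cert bound to this IP and port

UPGRADE_OK = (b"HTTP/1.1 101 Switching Protocols\r\n"
              b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")
BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\n\r\n"


def cert_for_direct_ssl(first_bytes: bytes) -> str:
    """SSL-first port: the handshake is the first thing on the wire.

    The certificate goes out before any HTTP bytes arrive, so a Host: header
    sent later (already encrypted) cannot change which cert was presented.
    """
    del first_bytes  # nothing in it names the site, per the post
    return DEFAULT_CERT


def parse_headers(request: bytes) -> dict:
    """Return lower-cased header names mapped to values from a raw request."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def tokens(value: str) -> list:
    """Split a comma-separated header value into lower-cased tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def handle_upgrade(request: bytes):
    """Cleartext port: read Host: first, then pick the cert and switch to TLS.

    Returns (response, cert); (None, None) means no upgrade was requested.
    """
    h = parse_headers(request)
    if ("tls/1.0" not in tokens(h.get("upgrade", ""))
            or "upgrade" not in tokens(h.get("connection", ""))):
        return None, None
    host = h.get("host", "").split(":")[0].lower()
    if host not in CERTS:  # unknown vhost: refuse (a choice made here)
        return BAD_REQUEST, None
    return UPGRADE_OK, CERTS[host]
```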