A common question from mod_ssl users is whether it is possible to have several SSL-enabled name-based virtual hosts. The short answer is no. Name-based virtual hosting relies on the information the client provides in the Host: header of the HTTP request, since all name-based virtual hosts share the same IP address. But the SSL handshake takes place directly on top of the TCP connection, before the HTTP request can be sent. Thus, at the time of connection the server cannot determine which virtual host the client wants to reach and, hence, which certificate and key to use. There is a specification, RFC 2817, that allows upgrading an existing HTTP connection to HTTPS. That would get around this issue, but at the time of this writing it is not implemented by any mainstream browser. Apache 2.2's mod_ssl module implements support for RFC 2817, as does mod_nw_ssl, the NetWare Apache SSL module.
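The ordering problem described above, and how the RFC 2817 upgrade exchange avoids it, sketched as an added example (not mod_ssl code). The virtual host names, certificate paths and sample bytes are constructed, and the handshake is treated as carrying no hostname, as the text describes.

```python
# Added illustration: which certificate can a server choose from the first
# bytes a client sends? Vhost names and certificate paths are constructed.
VHOST_CERTS = {
    "www.example.com": "/etc/ssl/www.example.com.pem",
    "shop.example.com": "/etc/ssl/shop.example.com.pem",
}
DEFAULT_VHOST = "www.example.com"  # Apache falls back to the first vhost listed

# Constructed inputs: start of a TLS handshake record, and an RFC 2817 request.
DIRECT_HTTPS = b"\x16\x03\x01\x00\x2f"
UPGRADE_REQUEST = (b"GET / HTTP/1.1\r\nHost: shop.example.com\r\n"
                   b"Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n")


def parse_headers(raw: bytes) -> dict:
    """Return the header fields of a cleartext HTTP/1.1 request, keys lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def choose_certificate(first_bytes: bytes):
    """Return (vhost, cert_path, reply_sent_before_the_handshake)."""
    # Direct HTTPS: a handshake record (type 0x16, major version 0x03) arrives
    # first. No Host: header exists yet, so only the default vhost is possible.
    if first_bytes[:2] == b"\x16\x03":
        return DEFAULT_VHOST, VHOST_CERTS[DEFAULT_VHOST], b""
    # RFC 2817: the request, including Host:, arrives in cleartext first.
    headers = parse_headers(first_bytes)
    host = headers.get("host", "").split(":")[0].lower()
    upgrade = [t.strip().lower() for t in headers.get("upgrade", "").split(",")]
    connection = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "tls/1.0" in upgrade and "upgrade" in connection and host in VHOST_CERTS:
        reply = (b"HTTP/1.1 101 Switching Protocols\r\n"
                 b"Upgrade: TLS/1.0, HTTP/1.1\r\n"
                 b"Connection: Upgrade\r\n\r\n")
        return host, VHOST_CERTS[host], reply  # handshake follows the 101
    return None, None, b""  # ordinary cleartext request, no TLS requested


if __name__ == "__main__":
    print(choose_certificate(DIRECT_HTTPS)[:2])
    print(choose_certificate(UPGRADE_REQUEST)[:2])
```

In the upgrade case the Host: header and request line cross the network unencrypted before the handshake begins.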