craigmcc 01/08/27 13:39:55
Modified: webapps/tomcat-docs ssl-howto.xml
Log:
Update to the SSL HOW-TO w.r.t. server certificates on named virtual hosts
sharing a single IP address.
Submitted by: Christopher Cain <[EMAIL PROTECTED]>
Revision Changes Path
1.4 +15 -0 jakarta-tomcat-4.0/webapps/tomcat-docs/ssl-howto.xml
Index: ssl-howto.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/tomcat-docs/ssl-howto.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- ssl-howto.xml 2001/08/27 20:22:37 1.3
+++ ssl-howto.xml 2001/08/27 20:39:55 1.4
@@ -153,6 +153,21 @@
page request and take the appropriate action of <code>https</code> is not
specified.</p>
+<p>Finally, using name-based virtual hosts on a secured connection can be
+problematic. This is a design limitation of the SSL protocol itself. The SSL
+handshake, where the client browser accepts the server certificate, must occur
+before the HTTP request is accessed. As a result, the request information
+containing the virtual host name cannot be determined prior to authentication,
+ant it is therefore not possible to assign multiple certificates to a single
+IP address. If all virtual hosts on a single IP address need to authenticate
+against the same certificate, the addition of multiple virtual hosts should not
+interfere with normal SSL operations on the server. Be aware, however, that
+most client browsers will compare the server's domain name against the domain
+name listed in the certificate, if any (applicable primarily to official,
+CA-signed certificates). If the domain names do not match, these browsers will
+display a warning to the client user. In general, only address-based virtual
+hosts are commonly used with SSL in a production environment.</p>
+
</section>
<section name="Configuration">
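Review bot: Typo in the sixth added line: "ant it is therefore not possible" should read "and it is therefore not possible". In the next sentence, "need to authenticate against the same certificate" is easy to misread, since it is the client that checks the certificate; something like "If all virtual hosts on a single IP address can share the same certificate" would say it more directly. The parenthetical "if any (applicable primarily to official, CA-signed certificates)" also leaves it unclear whether "if any" refers to the domain name or to the certificate, so consider rewording it or dropping it.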