Why Does SSL Require a Dedicated IP?


The SSL/TLS connection is established before the HTTP headers are sent to the web server.

Excerpt from Apache documentation:

Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?


Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.

It comes as rather a shock to learn that it is impossible.


The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.

About IP addresses and SSL

Though your SSL certificate is bound to your fully qualified domain name (included in the certificate request and registered when you purchase your certificate), web servers link the certificate to the IP address. As a result, if you attempt to associate more than one SSL certificate with the same IP address (as in virtual hosting), you may get undesired results.

Typically the certificate that will be used for the IP address, no matter which domain you attempt to access, will be the first one in the web server's configuration file.
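
An added example, not part of the original article or of Apache's documentation: a Python check that reads an Apache configuration and reports which SSL virtual hosts share an IP address and port with an earlier one, and would therefore be answered with that earlier host's certificate under the first-match behaviour described above. The hostnames, addresses and file paths are constructed sample values, and the check assumes the handshake carries no hostname, as the article describes.

```python
import re

# Constructed sample configuration (hypothetical hostnames, documentation IP range).
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/shop.example.com.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName blog.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/blog.example.org.crt
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName mail.example.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/mail.example.net.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+(\S+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_ssl_vhosts(conf):
    """Return (address, server_name, cert_file) for each SSL vhost, in file order."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        if name and cert:
            vhosts.append((addr, name.group(1), cert.group(1)))
    return vhosts

def find_shadowed_vhosts(conf):
    """List vhosts whose visitors would receive another vhost's certificate."""
    first_cert = {}  # address -> (server_name, cert) of the first SSL vhost seen
    shadowed = []
    for addr, name, cert in parse_ssl_vhosts(conf):
        if addr not in first_cert:
            first_cert[addr] = (name, cert)
        elif first_cert[addr][1] != cert:
            shadowed.append({"address": addr, "requested": name,
                             "served_cert": first_cert[addr][1],
                             "cert_owner": first_cert[addr][0]})
    return shadowed

if __name__ == "__main__":
    for hit in find_shadowed_vhosts(SAMPLE_CONF):
        print("{requested} on {address} gets {served_cert} ({cert_owner})".format(**hit))
```

Each reported host needs its own IP address (or port) for its certificate to be the one presented.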


