On Tue, 7 Sep 2004 19:36:35 +0200, Christian Parpart
<cparpart@×××××××××.net> wrote:

> I'm still wondering about the technical side, as I do not understand *why* the
> web server can just serve one webserver certificate per (IP:PORT) pair.

It's like this: With normal HTTP, the client opens a connection to the
server, generally sends a GET or POST command, and then follows that
with a Host: header with the name of the server, i.e.

POST /foo.cgi HTTP/1.1
Host: www.example.com

[data goes here]

When using HTTPS, however, the client opens a connection to the
server, negotiates the SSL/TLS session, and then does the above.
During the session negotiation, the server presents a certificate. The
problem is, the server cannot know at this point what name the client
has referred to it as; it only knows the IP address it has accepted
the connection on. Therefore there is no way to determine by what name
the client was referring to the server, and it cannot select certificates
based on name. The Host header doesn't get sent until after the
session is negotiated, which is too late. Of course, the server can be
configured to use certificates based on the IP address, which is how
it's normally done.

What would have worked a lot better is a STARTTLS directive, similar
to that for SMTP and IMAP and LDAP and others, which would negotiate
the session after determining the hostname, i.e.

STARTTLS www.example.com HTTP/1.1
[session negotiation begins]
[encrypted session begins]
POST /foo.cgi HTTP/1.1

[data goes here]
[encrypted session ends]

There might even be an RFC floating around for this somewhere. An
additional advantage is you don't need an additional port (443) for
secure HTTP: It just happens over the normal port (80). Disadvantage:
Hostname is sent in the clear, but this seems a very small
disadvantage.
--
Computer interfaces should never be made of meat.