| 1 |
On Tue, 7 Sep 2004 19:36:35 +0200, Christian Parpart |
| 2 |
<cparpart@×××××××××.net> wrote: |
| 3 |
|
| 4 |
> I'm still wondering about the technical side, AS I do not understand *why* the |
| 5 |
> web server can just serve one webserver certificate per (IP:PORT) pair. |
| 6 |
|
| 7 |
It's like this: With normal HTTP, the client opens a connection to the |
| 8 |
server, generally sends a GET or POST command, and then follows that |
| 9 |
with a Host: header with the name of the server, i.e. |
| 10 |
|
| 11 |
POST /foo.cgi HTTP/1.1 |
| 12 |
Host: www.example.com |
| 13 |
|
| 14 |
[data goes here] |
| 15 |
|
| 16 |
When using HTTPS, however, the client opens a connection to the |
| 17 |
server, negotiates the SSL/TLS session, and then does the above. |
| 18 |
During the session negotiation, the server presents a certificate. The |
| 19 |
problem is, the server cannot know at this point what name the client |
| 20 |
has referred to it as; it only knows the IP address it has accepted |
| 21 |
the connection on. Therefore there is no way to determine by what name |
| 22 |
the client was referring to the server, and cannot select certificates |
| 23 |
based on name. The Host header doesn't get sent until after the |
| 24 |
session is negotiated, which is too late. Of course, the server can be |
| 25 |
configured to use certificates based on the IP address, which is how |
| 26 |
it's normally done. |
| 27 |
|
| 28 |
What would have worked a lot better is a STARTTLS directive, similar |
| 29 |
to that for SMTP and IMAP and LDAP and others, which would negotiate |
| 30 |
the session after determining the hostname, i.e. |
| 31 |
|
| 32 |
STARTTLS www.example.com HTTP/1.1 |
| 33 |
[session negotiation begins] |
| 34 |
[encrypted session begins] |
| 35 |
POST /foo.cgi HTTP/1.1 |
| 36 |
|
| 37 |
[data goes here] |
| 38 |
[encrypted session ends] |
| 39 |
|
| 40 |
There might even be an RFC floating around for this somewhere. An |
| 41 |
additional advantage is you don't need an additional port (443) for |
| 42 |
secure HTTP: It just happens over the normal port (80). Disadvantage: |
| 43 |
Hostname is sent in the clear, but this seems a very small |
| 44 |
disadvantage. |
| 45 |
-- |
| 46 |
Computer interfaces should never be made of meat. |
Archives