On Wed, 23 Feb 2005 19:08:24 -0500, Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote:
> This is normal. This is a technical limitation of SSL - each domain
> requires its own IP address. You need to configure a separate IP address
> for each domain. Named virtual hosts will not work with SSL.

Actually, you just need a different TCP endpoint. This is usually done by using a separate IP address; but you can also just choose different port numbers too; although that's less desirable as it complicates your URLs. Remember, this is a fundamental https protocol limitation, not a problem with Apache or Linux.

And just in case you want to know "why": the reason for this is that with https, the SSL/TLS tunnel is set up first and afterwards the HTTP protocol happens within it. Since name-based virtual hosting technically depends on some of the data encoded in the HTTP protocol, it can not be used until HTTP traffic is flowing. And that's after the SSL connection setup (including selecting the correct certificates) has already occurred.

Back in the early days of the web before Netscape invented SSL, there was a competing protocol to encrypt web traffic which did not have this particular limitation...but alas SSL/TLS won, primarily because despite this one limitation it was quite superior in many other ways.

But the use-a-different-IP address trick works because it only depends on things known at the IP layer, which is known to the SSL layer above it.

Incidentally, SSL (or TLS) can be used to secure other protocols besides HTTP, such as SMTP (mail) and so on. Many of those other protocols don't have such limitations, because they allow the application protocol to handshake first without encryption, and then switch over to SSL/TLS on the fly. HTTP was designed before SSL was invented, and because of some of its fundamental design assumptions, could not be easily retrofitted to work that way without completely breaking compatibility.

--
Deron Meranda
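
The two workarounds described in this message (a separate IP address per HTTPS site, or a separate port on one address), sketched as an Apache mod_ssl configuration. This is an added example, not configuration from the thread; the addresses, hostnames and certificate paths are placeholders.

```apache
# Added example. Addresses are from the RFC 5737 documentation range;
# hostnames and certificate paths are placeholders (assumptions).

# Option 1: one IP address per HTTPS site, both on the default port 443.
# The certificate is chosen from the destination address alone, which is
# known before any HTTP data (such as the Host header) has been sent.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.org.key
</VirtualHost>

# Option 2: reuse one IP address but give the site its own port.
# The URL then has to carry the port: https://www.example.net:8443/
Listen 192.0.2.10:8443

<VirtualHost 192.0.2.10:8443>
    ServerName www.example.net
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.net.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.net.key
</VirtualHost>
```

Running `openssl s_client -connect 192.0.2.10:443` against each endpoint and reading the subject of the returned certificate confirms that each address and port presents the certificate intended for its site.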