Date:      Sat, 28 Jul 2001 22:53:04 -0700
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Terry Witherspoon" <t403403@hotmail.com>, <bsd-freak@mbox.com.au>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: SSL Certificates
Message-ID:  <002701c117f2$bc0ede20$1401a8c0@tedm.placo.com>
In-Reply-To: <F181dkSmLAztxc1o8yf000008b1@hotmail.com>

Aside from the technical reason there's also a business reason.

SSL for the web was driven primarily for 1 reason - to block
people from sniffing credit card numbers.  Oh, I know that there's all
sorts of noncommercial sites that SSL is useful for, but seriously,
most SSL sites aren't built for noncommercial reasons, they are built
to snarf credit cards.  I know that I'm going
to get jumped on by saying that but it's the truth.

Anyway, the architects of SSL felt that anyone taking credit cards
over the web was a _real_ business, and not attempting to nickel
and dime everything.  Thus, they should be able to afford
at least 1 real IP number for their server.  After all, if you're
pulling in money from people then diverting a few dollars of the
transaction to the network provider certainly seems fair after
all.  After all you're going to be paying VISA 2% and a real IP
number doesn't represent anywhere near that amount.

None of the people foresaw the proliferation of web hosting companies
that were willing to give away webserving for literally nothing at all.
Of course, when you're a webhosting company doing that, you simply cannot
afford to have a real network
infrastructure with real subnets and all of that.  Thus, you use fake
websites with no assigned IP number.  If the architects of SSL had known
that sort of thing was going to be in demand for SSL they would have
done the protocol differently to accommodate it.  I know that I'm going
to get jumped on for saying that too. :-)  But, sorry I don't believe that
giving away network services for free to _commercial_ users does anything
to help the growth of the Internet.  Neither do the telcos that provide
circuits.  We're a harsh bunch of bastards I guess. :-)


Ted Mittelstaedt                                       tedm@toybox.placo.com
Author of:                           The FreeBSD Corporate Networker's Guide
Book website:                          http://www.freebsd-corp-net-guide.com


>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Terry
>Witherspoon
>Sent: Saturday, July 28, 2001 1:20 PM
>To: bsd-freak@mbox.com.au; freebsd-questions@FreeBSD.ORG
>Subject: Re: SSL Certificates
>
>
>
>Hi,
>
>See http://www.modssl.org for everything you want to know
>about apache-modssl. You cannot do this with name based
>hosts.
>
>From the FAQ:
>
>The reason is very technical. Actually it's some sort of a
>chicken and egg problem: The SSL protocol layer stays
>below the HTTP protocol layer and encapsulates HTTP. When
>an SSL connection (HTTPS) is established Apache/mod_ssl has
>to negotiate the SSL protocol parameters with the client.
>For this mod_ssl has to consult the configuration of the
>virtual server (for instance it has to look for the cipher
>suite, the server certificate, etc.). But in order to dispatch
>to the correct virtual server Apache has to know the Host HTTP
>header field. For this the HTTP request header has to be read.
>This cannot be done before the SSL handshake is finished. But
>the information is already needed at the SSL handshake phase.
>Bingo!
>
>
>>
>>Hiya all,
>>
>>I need to host multiple SSL sites on my FreeBSD 4.3 box. I am currently
>>using Apache 1.3 + mod_ssl and am using name based virtual hosts. I don't
>>have a lot of experience with SSL but maybe someone out there has.
>>
>>My question is do I need a separate digital certificate for each virtual
>>host? Going by the Verisign documentation it seems so but is not 100%
>>clear.
>>
>>Does anyone know the answer for certain?
>>
>>Thanks in advance...
>>
>
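
The ordering problem described in the quoted FAQ, as an added example that is not part of the original thread or of mod_ssl: the certificate is chosen while only the IP address and port are known, and dispatch by Host header happens afterward. The vhost table and names are constructed, and the first-match rule for picking the certificate is an assumption about server behaviour.

```python
# Added illustration; the vhost table is constructed and the names are hypothetical.
# (listen IP, port, ServerName, subject CN of the configured certificate)
VHOSTS = [
    ("192.0.2.10", 443, "shop.example.com", "shop.example.com"),
    ("192.0.2.10", 443, "pay.example.net", "pay.example.net"),
    ("192.0.2.11", 443, "mail.example.org", "mail.example.org"),
]


def cert_at_handshake(vhosts, ip, port):
    """Handshake phase: only the socket address is known, no Host header yet.
    Assumption: the first vhost defined on that address supplies the certificate."""
    for v_ip, v_port, _name, cert_cn in vhosts:
        if (v_ip, v_port) == (ip, port):
            return cert_cn
    return None


def vhost_for_request(vhosts, ip, port, host_header):
    """Request phase: the handshake is finished, so the Host header is readable
    and the request can be dispatched by name (an optional :port is ignored)."""
    wanted = host_header.split(":")[0].strip().lower()
    for v_ip, v_port, name, _cn in vhosts:
        if (v_ip, v_port) == (ip, port) and name.lower() == wanted:
            return name
    return None


def audit(vhosts):
    """List every vhost whose clients are shown a certificate issued for
    another name, because the certificate was chosen before the Host header.
    Names are compared exactly; wildcard certificates are not modelled."""
    findings = []
    for ip, port, name, _cn in vhosts:
        presented = cert_at_handshake(vhosts, ip, port)
        served = vhost_for_request(vhosts, ip, port, name + ":" + str(port))
        if served == name and presented.lower() != name.lower():
            findings.append((ip, port, name, presented))
    return findings


if __name__ == "__main__":
    for ip, port, name, presented in audit(VHOSTS):
        print(f"{ip}:{port} {name}: client is shown the certificate for {presented}")
```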
