Andy Blyler

Software Engineer, Private Pilot, Photographer

RFC 3546 = Single IP Virtual Host HTTPS Sites

I was poking around the internet tonight looking at some new things and stumbled upon a remark in the Apache 2.2 documentation stating: “In Apache 2.1 and later, SSLEngine can be set to optional. This enables support for RFC 2817, Upgrading to TLS Within HTTP/1.1. At this time no web browsers support RFC 2817.” Upgrading a connection to TLS, now that sounds promising! At least that was what I thought until I read a comment on a Mozilla bug stating: “The TLS upgrade was designed for some specific applications such as the Internet Printing Protocol, not for general browser and server use.” The next comment down suggests that a different bug report, which references RFC 3546, might have a better solution, and indeed it does!

The “Server Name Indication” section of RFC 3546 is what allows a web server listening on a single port and IP to serve multiple SSL web sites. This is accomplished by extending the client hello to include the DNS hostname of the site the client wishes to access. This allows the server to pick the correct certificate to complete the SSL handshake.

My next thought was: great, but which web servers and web browsers currently support this? It appears that IE 7 will indeed support SNI. It also looks like the code for SNI is already included in the Mozilla 1.8 branch. As for the web servers, there are some patches for Apache, but it looks like there is still work that needs to be done. I would also hope that SNI support would be something that Microsoft would include in IIS 7, but only time will tell. I am just glad that there is some movement towards being able to host multiple secure web sites on the same server with the same IP address and the same port.