Protecting 2 domains on one server

Let's say I have two different domains:

www.abc.com

www.xyz.com

They both contain different data, and I'd like to run them both off of the same web server. I can do this easily by looking at the Host: header in the HTTP headers on an incoming request. Depending on what it says, I'll know which server the request is destined for and return the proper information.

What happens if I try to SSL-enable this server? Obviously, I need 2 different SSL certificates, and let's say I have these. However, when a request comes in I need to decide which certificate to use and return during the handshake. But no HTTP headers are available at this point (and I'm too far down in the stack to even see them).

Is there any way to do this?

Sander Smith

[789 byte] By [smithsaa] at [2007-10-2 6:19:37]
# 1

I'll answer my own question.

I found a reference to this problem in Rescorla's book. He phrases it in terms of virtual servers, and pretty much says there's no solution.

However, RFC 3546 extends the ClientHello message to allow a client to specify a domain that it wishes to connect to. This RFC is referenced in RFC 2246, TLS 1.1.

So the bottom line is, TLS 1.1 has a simple way to do this.

smithsaa at 2007-7-16 13:21:31