Monday, March 4, 2013

Why is a dedicated IP address needed for an SSL host?


SSL belongs to the application layer of the TCP/IP protocol stack, where it forms a separate layer between TCP and HTTP (it encapsulates HTTP). If SSL is to be used with HTTP, the communication must take place on a port other than the standard clear-channel port, 80, so that it does not affect the other clients that connect to the HTTP server on the clear-channel port (80). Port 80 is therefore reserved for HTTP and port 443 for HTTP over SSL.

When a browser requests access to a secure site, an SSL session must be set up with the server before the HTTP session can begin. So with HTTPS, the SSL/TLS handshake happens before the server sees any HTTP headers.

DNS resolves the hostname requested by the browser to an IP address (the address of the web server on which the host runs). Before the HTTP session can begin, the path between the client (browser) and the server must be encrypted, so an SSL session is set up with the IP address that the name server returned for the hostname. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request contains no Host: field, the server has no way to decide which SSL virtual host to use; usually it will simply use the first one it finds that matches the IP address and port.

Hence it is NOT possible to have name-based SSL virtual hosts, i.e. name-based hosting does not support SSL virtual hosts.
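To make the ordering concrete, here is an added example in Python (not code from the original post): it parses a constructed TLS 1.0 ClientHello, which is all the server has in hand when it must pick a virtual host, and contrasts host selection for plain HTTP (the Host: header decides) with SSL (only the IP address and port are available, so the first match wins). The ClientHello bytes, IP addresses and hostnames are constructed for illustration.

```python
import struct

# Constructed sample: a minimal TLS 1.0 ClientHello record, no extensions (random and suite made up).
CLIENT_HELLO = bytes.fromhex(
    "160301002d"        # record header: handshake (22), TLS 1.0, length 45
    + "010000290301"    # handshake header: client_hello (1), length 41, client version TLS 1.0
    + "00" * 32         # 32-byte client random (constructed zeros)
    + "00"              # session id length 0
    + "0002002f"        # cipher suites: 2 bytes, TLS_RSA_WITH_AES_128_CBC_SHA
    + "0100"            # compression methods: 1 byte, null
)

def parse_client_hello(data):
    """Return the fields a server can read from the first TLS record; note that nothing in it resembles an HTTP Host: header."""
    ctype, _major, _minor, _rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != 22 or data[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(data[6:9], "big")
    hs = data[9:9 + hs_len]
    off = 2                                   # skip the 2-byte client version
    off += 32                                 # skip the 32-byte client random
    sid_len = hs[off]; off += 1
    session_id, off = hs[off:off + sid_len], off + sid_len
    cs_len = int.from_bytes(hs[off:off + 2], "big"); off += 2
    suites = [int.from_bytes(hs[i:i + 2], "big") for i in range(off, off + cs_len, 2)]
    off += cs_len
    cm_len = hs[off]; off += 1
    compression = list(hs[off:off + cm_len]); off += cm_len
    return {"version": (hs[0], hs[1]), "session_id": session_id, "cipher_suites": suites,
            "compression": compression, "has_extensions": off < len(hs)}

# Constructed virtual-host table: (ip, port, hostname); two names share one ip:port.
VHOSTS = [("192.0.2.10", 443, "shop.example"), ("192.0.2.10", 443, "mail.example"),
          ("192.0.2.11", 443, "blog.example")]

def select_http_vhost(vhosts, ip, port, host_header):
    """Plain HTTP: the Host: header disambiguates names that share one ip:port."""
    for v_ip, v_port, name in vhosts:
        if (v_ip, v_port, name) == (ip, port, host_header):
            return name
    return None

def select_ssl_vhost(vhosts, ip, port, client_hello):
    """HTTPS: the handshake is answered before any HTTP header arrives, so ip:port are the only selectors."""
    parse_client_hello(client_hello)          # validates the record; it carries no Host: field to match on
    for v_ip, v_port, name in vhosts:
        if (v_ip, v_port) == (ip, port):
            return name                       # first host on this ip:port wins, whatever name the client wanted
    return None
```

A client that wanted mail.example on 192.0.2.10:443 is answered by shop.example's SSL host, which is exactly the failure the text describes.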
