From: Skip Evans on
Hey all,

Just wanted to let you know what I found out about this and how
I solved the problem.

First, name-based SSL is, as one person told me, only good for
one IP address in an Apache installation. I'll let Apache
explain it themselves because they are better at it than I am.

"The reason is that the SSL protocol is a separate layer which
encapsulates the HTTP protocol. So the SSL session is a
separate transaction, that takes place before the HTTP session
has begun. The server receives an SSL request on IP address X
and port Y (usually 443). Since the SSL request does not
contain any Host: field, the server has no way to decide which
SSL virtual host to use. Usually, it will just use the first
one it finds, which matches the port and IP address specified."

So the solution is that each host name has to have its own IP
address if you're going to do both port 80 for HTTP and port
443 for HTTPS.

You can assign different ports for your different SSL host
names, but that can get messy, and because these are paying
customers for an account on our system it was a no brainer to
go with separate IPs per host name.

So my process now is to leave them on the shared virtual host
name configuration until they require SSL, which our clients
only do when they start processing credit card transactions,
and once they do that they get their own IP and we configure
them accordingly.
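The setup described above, as an added Apache httpd configuration example (not from Skip's post or his servers): HTTP stays name-based on one shared address, while each customer that needs HTTPS gets its own IP address and its own certificate. Hostnames, addresses and file paths are constructed placeholders.

```apache
# Added example: two customer hostnames on one Apache server.
# shop-a.example / shop-b.example and 192.0.2.x are placeholders.
Listen 80
Listen 443

# Port 80 can stay name-based: Apache selects the vhost from the
# Host: header in each request. (NameVirtualHost is needed on
# Apache 2.2; 2.4 ignores it.)
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName   shop-a.example
    DocumentRoot /var/www/shop-a
</VirtualHost>

<VirtualHost *:80>
    ServerName   shop-b.example
    DocumentRoot /var/www/shop-b
</VirtualHost>

# Port 443: the TLS handshake finishes before any Host: header is
# sent, so Apache can only pick the certificate by IP address and
# port. Each SSL customer therefore gets a dedicated address that
# is bound on the server's interface (an alias on FreeBSD).
<VirtualHost 192.0.2.10:443>
    ServerName            shop-a.example
    DocumentRoot          /var/www/shop-a
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/shop-a.example.crt
    SSLCertificateKeyFile /etc/ssl/private/shop-a.example.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName            shop-b.example
    DocumentRoot          /var/www/shop-b
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/shop-b.example.crt
    SSLCertificateKeyFile /etc/ssl/private/shop-b.example.key
</VirtualHost>
```

One caveat that postdates the quoted Apache text: with TLS Server Name Indication (SNI), supported by Apache 2.2.12+ built against OpenSSL 0.9.8j+, the client sends the hostname inside the TLS handshake, so name-based SSL vhosts on a single IP work for SNI-capable clients; the per-IP layout above is still the safe choice when old clients must be served.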

So I hope this little nugget helps anyone who comes across
this same issue. And incidentally, if you need to configure
IP-based SSL on FreeBSD I'm your guy; I'm now a whiz at it :)


Skip Evans, LLC
503 S Baldwin St, #1
Madison WI 53703
Those of you who believe in
telekinesis, raise my hand.
-- Kurt Vonnegut