Thursday, 8 September 2011

Can SSL use host headers

Yes: name-based virtual hosting works with SSL as well, though not by the same mechanism that plain HTTP uses. Over plain HTTP, the line "Host: www.microsoft.com" in the request below is what selects the site when several names share one IP address.

    GET / HTTP/1.1
    Host: www.microsoft.com
    User-Agent: Windows-RSS-Platform/1.0 (MSIE 7.0; Windows NT 5.1)
    Accept: */*
    Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Cookie: secret authentication token 12345

When SSL/TLS is used there is a complication. The server has to present its certificate during the handshake, before any of the HTTP request exists, so the Host header arrives too late (and encrypted) to be used for choosing the certificate. The certificate itself binds a hostname to a public key (or a wildcard such as *.example.com, which covers a single label under a domain); it says nothing about IP addresses. The Server Name Indication (SNI) extension to TLS, introduced in RFC 3546 in 2003 and now carried in RFC 6066, resolves this: the client sends the hostname it wants in the ClientHello, so the server can pick the matching certificate and virtual host before it replies.

Reverse DNS is not an obstacle either. An IP address normally carries a single PTR record, so several hostnames on one address cannot all be reflected in reverse DNS, but neither SSL nor TLS relies on PTR records; certificate validation compares the name the client asked for with the names in the certificate.

The reason some hosts do not offer it is operational rather than a limitation of the protocol: a server hosting many SSL sites holds the private keys for all of their certificates, so if one virtual host is compromised through a poorly configured web application, an attacker who reaches the key store can impersonate every site on that server.

So it is possible to use SSL on a virtual server with one IP address, provided the server and its clients support SNI (a client that sends no server name is given the server's default certificate, which will only match if it happens to be for that site), but it is not always recommended, especially if the server is shared and you could risk losing control of your certificate keys.
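To make the sequencing concrete, the following Python script (an added example written for this page, not code from the original post or from any web server) builds a minimal TLS ClientHello with and without the SNI extension, parses the server name back out of the bytes the way an SNI-aware server does before it sends its certificate, and then chooses a certificate from a constructed virtual-host table. The host names and certificate file names in VHOSTS, the fixed client random, and the cipher suite list are assumptions made for the example.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000   # server_name extension type, RFC 3546 / RFC 6066
NAME_TYPE_HOST = 0x00

# Constructed virtual-host table (example only): SNI name -> certificate the server presents.
VHOSTS = {
    "www.microsoft.com": "www-microsoft-com.pem",
    "*.example.org": "wildcard-example-org.pem",   # a wildcard covers exactly one label
}
DEFAULT_CERT = "default-vhost.pem"   # what a client that sends no SNI is given


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record; add an SNI extension if a name is given."""
    client_random = b"\x11" * 32          # fixed value so the example is reproducible
    cipher_suites = b"\xc0\x2f\x00\x9c"   # ECDHE-RSA-AES128-GCM-SHA256, RSA-AES128-GCM-SHA256
    body = (
        b"\x03\x03" + client_random       # client_version, random
        + b"\x00"                         # empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                     # one compression method: null
    )
    if server_name is not None:
        host = server_name.encode("idna")  # SNI carries the ASCII (A-label) form of the name
        entry = struct.pack("!BH", NAME_TYPE_HOST, len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host name from the ClientHello's SNI extension, or None if there is none.

    This is all the server has to go on when choosing a certificate: the HTTP Host
    header only arrives later, inside the encrypted session.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # skip client_version and random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos >= len(body):
        return None                                         # no extensions block at all: pre-SNI client
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        q = 2                                               # skip the ServerNameList length
        while q + 3 <= len(data):
            name_type, name_len = struct.unpack("!BH", data[q:q + 3])
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == NAME_TYPE_HOST:
                return name.decode("ascii").lower()
    return None


def select_certificate(record, vhosts=VHOSTS, default=DEFAULT_CERT):
    """Pick the certificate to send, as an SNI-aware virtual host configuration would."""
    name = extract_sni(record)
    if name is None:
        return default                                      # no SNI: the default vhost answers
    if name in vhosts:
        return vhosts[name]
    labels = name.split(".")
    if len(labels) > 2:                                     # *.example.org matches shop.example.org
        wildcard = "*." + ".".join(labels[1:])              # but not deep.shop.example.org
        if wildcard in vhosts:
            return vhosts[wildcard]
    return default                                          # unknown name: default cert, client sees a mismatch


if __name__ == "__main__":
    for name in ("www.microsoft.com", "shop.example.org", "other.test", None):
        hello = build_client_hello(name)
        print(f"SNI={extract_sni(hello)!r:<22} -> {select_certificate(hello)}")
```

The last case in the loop is the compatibility caveat raised in the comments: a client that sends no SNI (or an unknown name) gets the default certificate, and unless that certificate happens to cover the site the user typed, the browser reports a name mismatch.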

6 comments:

Ryan said...

The SSL handshake occurs before the system ever sees the HTTP GET data. How does it know which certificate to use?

Christopher said...

Craig,

Although your statement that virtual hosting is possible with HTTPS is correct, it is for a different reason than you outline in your post.

The HTTP host header mentioned in your post is sent encrypted inside of the SSL/TLS session, only after the server has already sent its public certificate. This creates a catch-22 whereby the server does not know which certificate to send to the requesting client.

That doesn't mean it isn't possible to virtual host HTTPS. IETF introduced (RFC 3166) an extension to TLS called Server Name Indication (SNI). A browser that supports SNI sends the server name as part of TLSv1 Client Hello message.

In addition to the reason you cited that this isn't more prevalent there are also concerns about compatibility with browsers that may not support SNI. Also, shared virtual hosting servers generally have enough security issues that the kinds of sites that are hosted in those environments don't need HTTPS in the first place.

Christopher

Dr Craig S Wright GSE said...

Sorry for the delay.

Server Name Indication extended SSL and TLS allowing for virtual hosts. It was introduced in 2003 (http://www.ietf.org/rfc/rfc3546.txt), so any web server not supporting it for SSL is going to be so buggy as to be compromised in minutes in any event.

The RFC explains how SNI works and allows the web server to select the correct certificate based on the domain and hostname being requested.

Dr Craig S Wright GSE said...

An apology first.
Google made Christopher's comment into SPAM and I did not check the SPAM folder...

He had posted SNI prior to my followup post. I did not notice his comment until he emailed me.

See the following for more:
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

I do not agree with Chris that there is no value in SSL for virtual hosts - there are issues with shared servers - big issues, but I do not see zero value in SSL in them. In particular, authentication. Without SSL, the issues are even bigger.

In his email, Christopher noted:
"As a side note, Server Name Indication extended only TLS, not SSL and TLS as you mention in your comment. I also disagree with your assertion "It was introduced in 2003, so any web server not supporting it for SSL is going to be so buggy as to be compromised in minutes in any event" as Apache server support for SNI didn't appear until 2.2.12, released October 2009. While running that old of a version of Apache is certainly not advisable, there have only been denial of service patches from 2.2.12 to 2.2.20. Microsoft IIS (as of 2008 R2 / 7.5) still does not officially support SNI."

I would argue that TLS extends SSL in this case as would others (see the Apache link and also http://nginx.org/en/docs/http/configuring_https_servers.html) but this is an issue of semantics.

I understand that Microsoft do not accept many standards well, but what is new here? Do you really want to have an IIS virtualized server?

My comment that any server will be that buggy was a little (lot) exaggerated.

Dr Craig S Wright GSE said...

A further note. Christopher stated that:
"Apache server support for SNI didn't appear until 2.2.12, released October 2009."

Well actually, mod_gnutls supported this in Apache well before that. See the following for an example:

http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

Ryan said...

And that's why I like this blog :)