Why SSL and name-based virtual hosts don't get along
July 16, 2007
Part of validating an SSL certificate is making sure that it is the certificate for what you are actually connecting to, which is what rules out a man in the middle attack. SSL certificates for websites have a field (the CN portion of the 'Distinguished Name') that names the host they are for, so target validation consists of checking that the certificate's CN is the same name as the host portion of the URL.
This check is pretty literally a string compare; the web browser does not do anything like checking whether the CN host and the hostname in the URL map to the same IP address. (Okay, the string comparison does DNS case folding. I don't know if it does IDNA folding so that CN names can be in native character sets, but I suspect not.)
The problem for name-based virtual hosting is that the SSL certificate exchange happens immediately after the https connection is made, before the client sends any HTTP headers, including the
The one exception to this is wildcarded SSL certificates and subdomains. You can get an SSL certificate for
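The following is an added example, not code from the original post: a small Python model of the browser's target check described above (CN extracted from the Distinguished Name, compared against the URL host with DNS case folding and the usual single-label wildcard rule), plus a simulation of a server that has to choose its certificate at handshake time, before any Host header has arrived. The DN parser, the host names and the `vhost_certs` dictionary are all constructed for illustration; the parser ignores escaped commas in DN values, which real certificates can contain.

```python
from urllib.parse import urlsplit


def cn_from_dn(dn):
    """Pull the CN attribute out of an RFC 2253 style DN string such as
    'CN=www.example.com,O=Example Inc,C=US'.  Simplified: it splits on
    unescaped commas only and returns None when no CN is present."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip()
    return None


def host_from_url(url):
    """Host portion of a URL, lower-cased and without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def cn_matches_host(cn, host):
    """The literal string compare the post describes: case-insensitive, no
    DNS lookups.  A leading '*.' label matches exactly one host label, so
    '*.example.com' covers 'www.example.com' but neither 'example.com'
    nor 'a.b.example.com'."""
    cn = cn.rstrip(".").lower()
    host = host.rstrip(".").lower()
    if not cn.startswith("*."):
        return cn == host
    cn_labels = cn.split(".")[1:]
    host_labels = host.split(".")
    return (
        len(host_labels) == len(cn_labels) + 1
        and host_labels[0] != ""
        and host_labels[1:] == cn_labels
    )


def validate_target(cert_dn, url):
    """Browser-side check: does the certificate's CN name the URL's host?"""
    cn = cn_from_dn(cert_dn)
    if cn is None:
        return False
    return cn_matches_host(cn, host_from_url(url))


def pick_certificate_at_handshake(vhost_certs, default_name):
    """Server side, pre-SNI: during the handshake the server knows only the
    IP and port it is listening on, not which virtual host the client wants,
    so it can only send the default host's certificate."""
    return vhost_certs[default_name]


def simulate_https_request(vhost_certs, default_name, url):
    """Returns (CN the server presented, whether the browser accepts it).
    The Host header would only be sent after this point, too late to change
    the certificate that has already gone over the wire."""
    cert_dn = pick_certificate_at_handshake(vhost_certs, default_name)
    return cn_from_dn(cert_dn), validate_target(cert_dn, url)


if __name__ == "__main__":
    # Constructed sample: two name-based virtual hosts on one IP.
    per_host = {
        "www.example.com": "CN=www.example.com,O=Example Inc,C=US",
        "shop.example.com": "CN=shop.example.com,O=Example Inc,C=US",
    }
    print(simulate_https_request(per_host, "www.example.com", "https://shop.example.com/"))
    # The wildcard escape hatch: one certificate that names every subdomain.
    wildcard = dict.fromkeys(per_host, "CN=*.example.com,O=Example Inc,C=US")
    print(simulate_https_request(wildcard, "www.example.com", "https://shop.example.com/"))
```

Run stand-alone, the first request fails validation because the browser is shown `www.example.com` while asking for `shop.example.com`; the second succeeds because a single `*.example.com` certificate is a correct answer no matter which subdomain the Host header later turns out to name.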