I know, it's not really documented in the "official" Apache documentation, but it is possible and works well, if this is what your customers want.
First, how does SSL work here, given that there is no domain name in the handshake? Apache simply uses the same certificate for ALL SSL VHosts: it picks the first <VirtualHost someip:443> block for that address and port, does the SSL handshake with that block's certificate, and only then reads the domain name from the Host header of the (now decrypted) HTTP request, as it does for a normal name-based VHost. It then matches this domain name against the SSL VHosts. If no matching VHost is found, Apache falls back to the first SSL VHost on that address (as for normal VHosts, except that the non-SSL VHosts are excluded). mod_ssl warns at startup that name-based virtual hosts should not be used with SSL, but starts anyway. Note that this describes clients and Apache builds without SNI (Server Name Indication): with SNI, supported by mod_ssl from Apache 2.2.12 with OpenSSL 0.9.8f or later and by all current browsers, the client sends the hostname inside the handshake, so each SSL VHost can carry its own certificate. The scheme described here is then only what the remaining non-SNI clients get: the first VHost's certificate.
That's all.
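As an added example (not from the original page), a minimal configuration for this scheme on Apache 2.2 with mod_ssl. Hostnames and file paths are placeholders; both VHosts deliberately point at the same certificate and key:

```apache
# Added example, not from the original page.
# Two name-based HTTPS hosts on one address and port, both served with the
# single certificate issued for www.example.com.
Listen 443

# Apache 2.2 only; Apache 2.4 ignores this directive.
NameVirtualHost *:443

# First SSL VHost on *:443: its certificate is used for the handshake of
# every connection, and it is the fallback when no ServerName matches.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>

# Second SSL VHost: selected only after the handshake, by the Host header.
# The certificate name (www.example.com) does not match secure.example.org,
# so browsers will warn.
<VirtualHost *:443>
    ServerName secure.example.org
    DocumentRoot /var/www/secure.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>
```

Order matters: the VHost that appears first for *:443 is the one whose certificate every client sees during the handshake, so put the host that most clients visit first. If your Apache and OpenSSL support SNI, you can give the second VHost its own certificate and key instead; non-SNI clients will still be handed the first VHost's certificate.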
Why it's good?
- Cheap: no additional certificates or IP addresses are needed.
- Secure: the SSL layer still encrypts the traffic (but authentication of the server is broken, which makes it unsafe against an active attacker; see below).
Why it's not good?
- 'Ugly': browsers will complain that the site's name and the name in the certificate do not match. You have to live with it!
Why can it be considered totally insecure (or not)?
- SSL provides encryption, but without authentication of the site you are talking to, a man-in-the-middle attack is possible, which against an active attacker leaves you no better off than without encryption. Here, because of the domain-name mismatch, there will always be a certificate error, so a user who has learned to click through it cannot tell the real server's mismatched certificate from an attacker's. The only remedy is then to manually check the certificate fingerprint, against a value obtained out of band, EACH TIME you connect to an SSL site served with this cert.
- Still, if you use a certificate that is valid for all subdomains of one domain (what we call a wildcard certificate, e.g. *.example.com), then it works without warnings, provided every SSL VHost is a direct subdomain of that domain: *.example.com covers shop.example.com, but not example.com itself, not a.b.example.com, and not example.org. A certificate listing several Subject Alternative Names covers an arbitrary list of hosts in the same way.
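The two ways authentication can be recovered in the situation above, as an added example that is not part of the original page: the hostname check browsers perform (including the single-label wildcard rule, so you can see exactly which hosts a wildcard certificate covers) and the manual "check the certificate every time" step done as a pinned SHA-256 fingerprint comparison. The certificate bytes and the pinned value are constructed for the example; the function names are this example's own, not an Apache or Python library API.

```python
"""Added example, not from the original page.

match_hostname(): the name check a browser applies, following the rules of
RFC 6125 (case-insensitive; '*' matches exactly one label and only in the
left-most position).
pin_matches():    the manual fingerprint check against a value recorded out
of band, which is the only authentication left when the name does not match.
"""
import hashlib
import hmac


def match_hostname(cert_names, host):
    """True if `host` is covered by one of the names in the certificate."""
    host_labels = host.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if "*" not in name:
            if labels == host_labels:
                return True
            continue
        # Wildcard must be the whole left-most label, may not appear
        # elsewhere, and must leave at least two labels to its right
        # (so '*.com' is rejected).
        if (labels[0] != "*" or len(labels) < 3
                or any("*" in label for label in labels[1:])):
            continue
        # '*' covers exactly one label: *.example.com matches
        # shop.example.com but not example.com or a.b.example.com.
        if len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
            return True
    return False


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def pin_matches(der_bytes, pinned_fingerprint):
    """Compare the presented certificate to a fingerprint recorded out of band.

    Colons and case are stripped so a value copied from a browser dialog or
    from `openssl x509 -fingerprint -sha256` compares correctly.
    """
    expected = pinned_fingerprint.lower().replace(":", "")
    return hmac.compare_digest(fingerprint(der_bytes), expected)


def server_is_authenticated(cert_names, der_bytes, host, pinned_fingerprint=None):
    """The decision a careful user makes on this kind of site: the certificate
    is trusted if its name matches the host (wildcard or exact), or if its
    fingerprint matches the one recorded on a previous, verified visit."""
    if match_hostname(cert_names, host):
        return True
    if pinned_fingerprint is not None:
        return pin_matches(der_bytes, pinned_fingerprint)
    return False


# Constructed stand-ins for DER certificate bytes (not real certificates).
REAL_CERT = b"constructed DER bytes: certificate issued for www.example.com"
MITM_CERT = b"constructed DER bytes: attacker certificate with the same name"
# Fingerprint the user recorded out of band on a first, verified visit.
PINNED_FINGERPRINT = fingerprint(REAL_CERT)


if __name__ == "__main__":
    # The page's scenario: secure.example.org served with the www.example.com
    # certificate. Only the pin can tell the real server from an attacker.
    for cert in (REAL_CERT, MITM_CERT):
        print(server_is_authenticated(["www.example.com"], cert,
                                      "secure.example.org",
                                      PINNED_FINGERPRINT))
    # The wildcard case: covered and not-covered hosts.
    for host in ("shop.example.com", "example.com", "a.b.example.com"):
        print(host, match_hostname(["*.example.com"], host))
```

The pin is only as good as the first, verified recording of it, and it has to be re-recorded whenever the server's certificate is renewed; that is the practical cost of "check the certificate key EACH TIME".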
So, use it at your own risk! If you can't afford additional IPs but you need some security, then this option is for you. But if you want 'green' SSL icons in your browser, then this option is not for you!
You have been warned!