Is it possible for a web server to select an SSL certificate to use based on the host-header of the incoming connection, or is that information that is only available after the SSL connection is established?

That is, can my web server listen on port 443 and use the foo.com certificate if https://foo.com is requested, and the bar.com certificate if https://bar.com is requested, or am I trying to do something impossible because the server has to establish an SSL connection before it knows what the client wants?

drAlberT
DrStalker

4 Answers

Historically, your first statement is accurate. Now, there are multiple options:

  • A wildcard certificate, if the hosts are subdomains within the same domain.
  • A SAN/UCC cert to specify alternative names for the certificate, thus being able to serve multiple certificates.
  • SNI was introduced to establish the SSL connection after the Host header. This has limited support, however, as it is newer.

This has been answered numerous times on ServerFault by myself and others. I'd suggest searching for further details unless you have a specific question.

Warner
  • I went searching and couldn't find anything; this is probably one of those things that is only easy to search for if you know the answer so you can include that in search terms. Thanks. – DrStalker Mar 26 '10 at 03:39
  • If there are existing answers on ServerFault, it would have been nice to link to them. – organicveggie Jun 03 '11 at 21:07
  • http://serverfault.com/search, @organicveggie. – Warner Jun 06 '11 at 17:14
  • SNI does not establish the SSL connection after the Host header, but includes the hostname in the SSL handshake. Not that it matters if you're not an SSL developer. – Bart van Heukelom Mar 16 '12 at 22:24
  • Searching Serverfault gives this as the answer. That means that canonically any other questions are duplicates of this one. That [link](http://serverfault.com/search) you included has no results. – Ian Boyd May 02 '12 at 18:01
To extend Warner's answer: CAcert's page Vhost Task Force compares several methods for using multiple domains on a single server. I personally use Server Name Indication.

user1686

Short answer: no

HTTP is encapsulated inside SSL, so any information about the request is inaccessible until the connection has been established, hence not until a certificate has been given to the client. There is no way to use headers or any other encrypted info, as they are not yet available.

EDIT: this is true if, nowadays, you want to be cross-browser and fully portable. As said by others, there are some new emerging methods making it possible in the near future.

drAlberT

or is that information that is only available after the SSL connection is established?

Correct. The SSL connection is established before any part of the HTTP request (host header included) is sent.

Richard