2

I have hosted my site on TCP port 91.

Is there a way to bind their SSL certificate on that same port 91?

splattne
  • 28,348
  • 19
  • 97
  • 147
kannan
  • 21
  • 1
  • As far as I understand, this question is about binding the plain HTTP and the HTTPS service on the same port, not about hosting distinct HTTPS host names on the same port and IP address (which is what the duplicate question is about). – Bruno Dec 19 '11 at 13:55

4 Answers4

3

I have hosted my site on TCP port 91. Is there a way to bind their SSL certificate on that same port 91?

I'm interpreting this question as "I'm running my site on http://www.mysite.example:91/ and I also want to run it for HTTPS at https://www.mysite.example:91/" (in which case it's not a duplicate of Multiple SSL domains on the same IP address and same port?, as temporarily marked).

This can be done using Port Unification, which is supported by Grizzly for example (a Java web server). (Your question doesn't say which server you want to use.)

Port unification can work for any protocol where the client is expected to talk first (for example HTTP, SSL/TLS, but not IMAP, ...).

Essentially, the server tries to detect which protocol is used by looking at the beginning of the request before dispatching it. If it receives GET / ... it can assume it's an HTTP request. If it receives a ClientHello, it can assume it's an SSL/TLS request (which may then be redirected to the appropriate protocol of top of it, if needed, in this case HTTP over TLS).

Support for this feature is quite unusual, but it works. However, you will have to specify the port explicitly in your URL if it's not the default (80 will always be the default for http:// and 443 will always be the default for https://).

I'm not aware of this feature being implemented in Apache Httpd, but that's not in principle a problem. Other answers mention that two services (or two processes) can't listen on the same port. That's true, but nothing prevents the same server/process to be able to handle multiple sites (Apache Httpd does it very well when the same process listens to multiple ports, e.g. 80 and 443, and does the VirtualHost dispatch in the back).

Coming back to the "possible duplicate question", another solution might have been to use RFC 2817, as mentioned in this answer. Unfortunately, although this answer mentions this RFC, the logs it shows indicate that curl there was not plain HTTP traffic before the SSL/TLS traffic, which would indicate it was using Server Name Indication (SNI) and not RFC 2817. In addition, I'm not aware of any implementation of RFC 2817, whereas curl already had support for SNI at the time of that answer.

Supporting RFC 2817 is much more involved than supporting port unification, since it requires support on both the client and server sides, including the ability to upgrade in the middle of the protocol. (It's not the end of the world, SMTP, LDAP and others can do this, but it's already widely supported for these protocols.)

In contrast, port unification only requires changing the initial dispatch mechanism on the server side. By just specifying the port explicitly in the URL, any browser will support it on the client side.

Community
  • 1
Bruno
  • 4,069
  • 1
  • 20
  • 37
1

It doesn't work. You can only bind one service per port.

mailq
  • 16,882
  • 2
  • 36
  • 66
  • you can, using port unification. – Bruno Dec 19 '11 at 15:08
  • wow, nice corner case. i would avoid it like the plague. – mailq Dec 20 '11 at 00:53
  • It's a bit confusing because it's unusual, but at the end of the day, protocols that use a STARTTLS-like mechanism to upgrade to SSL/TLS within the protocol (as opposed to up-front SSL/TLS) also had for objective to be able to use the same port, and the end-result is quite similar. – Bruno Dec 20 '11 at 01:27
0

When a user agent or a client initiates a HTTPS request it uses the default port which is 443. The default port for HTTP is 80.

If your server is listening on another port (91), then you need to forward port 443 to this port, so when someone types https://www.example.com/, it will point to the server listening on port 91.

You cannot have http://www.example.com/ and https://www.example.com/ running on the same port, since only one process may listen on a port. You can have them listening on the same server, if the server has multiple IP addresses.

If your server will only have the https site then forwarding 443 to 91 and switching your server to HTTPS will work.

Burhan Khalid
  • 415
  • 5
  • 10
  • And then? Server HTTP or HTTPS? – mailq Dec 19 '11 at 07:55
  • "You cannot have http://www.example.com/ and https://www.example.com/ running on the same port, since only one process may listen on a port." This argument doesn't work. Often `http://www.example.com/` and `https://www.example.com/` are indeed listened to by the same process (e.g. Apache Httpd with multiple `Listen` directives). The question here is to have that process dispatch to HTTP or HTTPS correctly, which can be done with port unification. – Bruno Dec 19 '11 at 15:13
  • @Bruno you are right, but I think for the purpose of this question, that would have just confused the situation more. – Burhan Khalid Dec 19 '11 at 16:40
0

Two services can't listen on the same port on the same system using TCP. You can use NAT and route traffic from different locations to different internal addresses on the same port, but an external IP couldn't use both services on the same port.

Community
  • 1
nedm
  • 5,610
  • 5
  • 30
  • 52