SSL是否可以在一个IP上进行虚拟主机？ [英] Is SSL possible with virtual hosting on one IP?

问题描述

一个赞成的SO答案声称：

An upvoted SO answer claims:

[SSL]打破基于名称的虚拟主机。使用SSL，它是一个站点 - 一个IP地址。

[SSL] breaks name based virtual hosting. With SSL, it's one site - one IP address.

这是真的吗？提供SSL证书的共享主机是否租用整个IP范围？

Is that true? Does shared hosting that offers SSL certificates lease whole IP ranges?

推荐答案

使用SSL，服务器始终在发送应用程序数据之前进行身份验证。 HTTP请求的主机标头是应用程序数据。因此，一般情况下，您不能将HTTPS与虚拟主机配合使用。

With SSL, the server is always authenticated before application data is sent. The "Host" header of the HTTP request is application data. So, in general, you can't use HTTPS with virtual hosting.

但是，如果一方控制虚拟托管的所有网站，则可以使用单个证书创建，列出主题备用名称扩展名中的所有虚拟主机名。要强调的是，由于只有一个密钥对，因此使用单个私钥对所有主机进行身份验证。此密钥应由单个所有者控制。

However, if one party controls all of the sites that are hosted virtually, a single certificate can be created that lists all of the virtual host names in the "subject alternative name" extension. To emphasize, since there is only one key pair, a single private key is used to authenticate all of the hosts. This key should be controlled by a single owner.

或者， Sripathi Krishnan 指出 TLS扩展（目前在RFC 6066中指定），允许浏览器向服务器提示哪个服务器证书出现在第一次握手完成。但是，此扩展程序并未得到普遍支持。

Alternatively, Sripathi Krishnan pointed out that there is a TLS extension (currently specified in RFC 6066) that allows the browser to hint to the server which server certificate to present before the first handshake is completed. However, this extension is not universally supported.

这篇关于SSL是否可以在一个IP上进行虚拟主机？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！