Since a single IP can host many web sites, how does the server know which certificate to send?
Please include a letter in your answer.

Which one is true? (only one)

a) The Host header is not encrypted because it doesn't contain sensitive information.
b) By using a protocol to indicate which service to talk to.
c) The server sends a certificate that is not valid for more than one domain.
d) The client retries the request with all names for that host until it receives a correct certificate.

I assume this has to do with Server Name Indication.
Answer:
Currently there are two approaches to this. For much of the last 20-30 years, when connecting to an HTTPS port the first message sent by the browser to the server is the SSL connection request. As part of this request and in establishing the connection, the server will send its signed certificate to the client for the client to authenticate that it has been signed by a known CA. This certificate also contains the domain name, which the client will validate too. If the certificate is signed by a trusted Certificate Authority, contains the domain name it's trying to connect to, and has not expired, the connection can be secured and traffic sent and received. Only once all this has been done and the secure connection established does the HTTP request header get sent, which contains the Host: key; the web server will use this to decide which website to serve to you. Because of this, it's been a requirement that each certificate must be allocated its own unique IP address, and that address can only serve a single site. Having a different Host header once the connection is established is of no use, as it won't match the certificate.

More recently, wildcard certificates have been used. This allows you to create a certificate for *.domain.tld which will allow you to serve www.domain.tld, api.domain.tld, images.domain.tld, etc. from a single certificate and IP address. However, you would not be able to serve www.domain.gtld from the same address: that needs a new certificate and new IP address.

To get around this, there is an extension in the TLS protocol (one of the possible methods that can be used to encrypt the SSL tunnel) called SNI (Server Name Indication) in which the client will send the domain name it's requesting in the initial SSL connection request. This allows the server to decide which certificate to send back to establish the secure connection. The rest of the process is the same.

The biggest problem with SNI is support: it is not supported by any version of IE on Windows XP, on Android 2.x, iOS earlier than 4.0, and probably a range of simple or embedded devices (for example, media streamers or Smart TV browsers). Until this is near universal, SNI is only useful in fairly closed or tightly controlled environments rather than for more general use.
Jonathan Wright at Quora
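To make the mechanism in the answer above concrete, here is an added example (written for this page, not code from the answer's author or from any TLS library) that builds a minimal TLS 1.2 ClientHello with and without the server_name extension from RFC 6066, then does what a virtual-hosting server does with it: read the host name out of the ClientHello before any certificate is sent, and pick the matching certificate. The host names and the "cert-for-..." placeholders standing in for real certificates are constructed for the example. The parser works on the raw bytes because the ClientHello, including the SNI name, is sent in the clear; the no-SNI path shows how a legacy client of the kind listed in the last paragraph ends up with the server's default certificate.

```python
import struct

# Constructed virtual-host table: one IP, several names, one certificate each.
# The names and certificate placeholders are assumptions for this example.
CERTS = {
    b"www.example.com": "cert-for-www.example.com",
    b"api.example.com": "cert-for-api.example.com",
}
DEFAULT_CERT = "cert-for-default-site"   # what a client that sends no SNI receives


def build_client_hello(server_name=None):
    """Return a TLS record carrying a minimal TLS 1.2 ClientHello.

    If server_name is given, a server_name extension (type 0x0000) is appended
    so the server can choose a certificate before the handshake proceeds.
    """
    body = b"\x03\x03"                     # client_version: TLS 1.2
    body += b"\x11" * 32                   # random (constructed, fixed bytes)
    body += b"\x00"                        # session_id: empty
    body += b"\x00\x02\xc0\x2f"            # cipher_suites: one suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                    # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")            # host_name is ASCII (A-labels for IDNs)
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0), length, name
        sni_list = struct.pack("!H", len(entry)) + entry        # ServerNameList length prefix
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext      # extensions block length prefix
    # Handshake header: type client_hello(1) + uint24 length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake(22), legacy version 3.1, uint16 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Server side: return the host_name from the SNI extension, or None if the client sent none."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                           # skip compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all: pre-SNI client
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("truncated extensions block")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000:                        # server_name extension
            lpos = 2                               # skip ServerNameList length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                name = edata[lpos + 3:lpos + 3 + nlen]
                if ntype == 0:                     # host_name
                    return name
                lpos += 3 + nlen
    return None


def choose_certificate(record):
    """Pick the certificate to present for this ClientHello.

    Host names compare case-insensitively; an unknown or absent name falls back
    to the default site, which is what common web servers do with the first
    configured virtual host (some deployments send an unrecognized_name alert instead).
    """
    name = extract_sni(record)
    if name is None:
        return DEFAULT_CERT
    return CERTS.get(name.lower(), DEFAULT_CERT)


if __name__ == "__main__":
    for host in ("www.example.com", "API.example.com", "other.example.org", None):
        print(host, "->", choose_certificate(build_client_hello(host)))
```

Everything the server needs to choose the certificate is available before it sends anything, which is the whole point of the extension: the Host header only arrives after the handshake and is too late. The name is visible to anyone on the path, so SNI does not hide which site a client is visiting, only the request itself.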
Other answers
It depends on the protocol. If you use the http protocol to visit the website, the server can use the Host header to distinguish which website you want to visit. And as far as I know, one IP can only host one site with https support.
Zhang Peipei
Certificates are for establishing trust after a session has been established. Additionally, particular TCP ports can be used to indicate that a secure connection is requested. I'll guess c), though I've never implemented certificates.
Mark Janssen