In comp.infosystems.www.servers.unix,
David <da...@55952163-3189045.bogus.domain.invalid> wrote:
> I have a feeling that I may be rather stuck in the catch-22 situation that
> the server does not know which https site has actually been requested until
> it has started to negotiate the secure connection, and therefore is
> returning the certificate (and content) for the default https site
> regardless?
Exactly. Whenever possible, use separate IP addresses for each HTTPS site
to avoid this possibility.
> Is there any way that I can prevent https content from being (attempted to
> be) served for the non-https sites?
No.
> Would Server Name Indication (SNI) (and 'empty' https sites for the
> http-only sites, or something in the config for these virtual hosts to
> 'unlisten' on the https port?) help at all? Our Apache supports SNI, but
> there is still the risk that a reasonable proportion of client browsers and
> OSes may not, unfortunately.
SNI would help, probably help a lot, but it won't be perfect. I'd guess more
than 50% of the time, but less than 95%, of clients would benefit.
Elijah
------
has, so far, been able to use separate IP addresses for all his https needs