In my previous post about wildcard SSL certificates I complained that you need a separate IP address for every domain that needs SSL/HTTPS, and I wondered why HTTP has no equivalent of the STARTTLS upgrade you get with SMTPS. It turns out I was wrong. There is such a feature; in fact there are two different ones, one described in RFC 2817 and the other in RFC 3546. RFC 2817 specifies how a plain-text HTTP connection can be "upgraded" to a connection secured by TLS:

This allows unsecured and secured HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443). It also enables "virtual hosting", so a single HTTP + TLS server can disambiguate traffic intended for several hostnames at a single IP address.

RFC 3546 defines various extensions to TLS, and one of them is the Server Name Indication (SNI) extension. With this extension the client tells the server, at the start of the handshake, which hostname it is contacting, so the server can pick the right certificate for that name before the secure connection is established.
That's just great, but there is one problem: not only do few web servers implement either of the two RFCs, few web browsers support them either.

Apache implements RFC 2817 in mod_ssl since version 2.1, and mod_gnutls implements the Server Name Indication extension from RFC 3546.
IE7 seems to support RFC 3546, and Firefox may support RFC 2817.
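To make the RFC 3546 mechanism concrete, here is a small added example (my own illustration, not code from the RFC, Apache or mod_gnutls) that encodes and parses the server_name extension exactly as the RFC lays it out on the wire: extension type 0, a ServerNameList, and one host_name entry per name. The vhost table and the hostnames in it are constructed sample data. The parser checks every length field against the bytes actually present, which is the part a server implementer has to get right, since a truncated or oversized length in a ClientHello must be rejected rather than read past the buffer.

```python
import struct

# RFC 3546 section 3.1: server_name extension type and the only name_type defined
SNI_EXTENSION_TYPE = 0x0000
NAME_TYPE_HOST_NAME = 0


def encode_sni_extension(hostnames):
    """Build the server_name extension (type + length + ServerNameList) for a ClientHello."""
    names = b""
    for host in hostnames:
        raw = host.encode("utf-8")  # RFC 3546 sends the DNS name as a UTF-8 byte string, no trailing dot
        names += struct.pack("!BH", NAME_TYPE_HOST_NAME, len(raw)) + raw
    server_name_list = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def decode_sni_extension(data):
    """Parse a server_name extension and return the list of host_name values.

    Every length field is validated against the bytes present; malformed input
    raises ValueError instead of being silently truncated.
    """
    if len(data) < 4:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != SNI_EXTENSION_TYPE:
        raise ValueError("not a server_name extension: type %#06x" % ext_type)
    body = data[4:4 + ext_len]
    if len(body) != ext_len:
        raise ValueError("extension_data truncated")
    if len(body) < 2:
        raise ValueError("ServerNameList length missing")
    (list_len,) = struct.unpack("!H", body[:2])
    names_blob = body[2:2 + list_len]
    if len(names_blob) != list_len:
        raise ValueError("ServerNameList truncated")

    hostnames = []
    offset = 0
    while offset < len(names_blob):
        if len(names_blob) - offset < 3:
            raise ValueError("ServerName entry header truncated")
        name_type, name_len = struct.unpack("!BH", names_blob[offset:offset + 3])
        offset += 3
        raw = names_blob[offset:offset + name_len]
        if len(raw) != name_len:
            raise ValueError("HostName truncated")
        offset += name_len
        if name_type == NAME_TYPE_HOST_NAME:
            hostnames.append(raw.decode("utf-8"))
        # unknown name types are skipped, as the RFC tells a server to ignore them
    return hostnames


def select_vhost(vhosts, hostnames, default):
    """Pick the virtual host (here: a certificate label) for the first name the server knows.

    This is the step that lets several HTTPS sites share one IP address: the
    name arrives before the certificate is sent, so the server can choose.
    """
    for host in hostnames:
        key = host.lower().rstrip(".")
        if key in vhosts:
            return vhosts[key]
    return default


# Constructed sample vhost table: hostname -> certificate the server would present
SAMPLE_VHOSTS = {
    "www.example.com": "cert-example-com",
    "blog.example.net": "cert-example-net",
}


def demo():
    """Round-trip a ClientHello server_name extension and dispatch it to a vhost."""
    wire = encode_sni_extension(["blog.example.net"])
    names = decode_sni_extension(wire)
    return wire, names, select_vhost(SAMPLE_VHOSTS, names, "cert-default")


if __name__ == "__main__":
    wire, names, chosen = demo()
    print("extension bytes:", wire.hex())
    print("parsed host_name:", names)
    print("certificate selected:", chosen)
```

The `select_vhost` step is what mod_gnutls does on Apache's behalf; without the extension the server only sees the destination IP, which is why each certificate used to need its own address. Note that a client that omits the extension simply gets `default`, so the first or default certificate still has to be a sensible one.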

4 thoughts on “TLS for HTTP”

  1. Firefox 2 already supports RFC 3546. Check here.

    Mozilla people planned TLS SNI support. After learning that IE7 would support this, they accelerated their development and implemented it in NSS v3.11 (initially they planned this support for NSS v3.12). Check here.

    They plan to support RFC 2817 in Firefox v3.

    On the server side, Apache v2.2 has built-in support for RFC 2817. The third-party module mod_gnutls adds RFC 3546 support to both Apache v2.0 and Apache v2.2. Check here.
