Limit SSL to only one virtual host domain

I'm no expert, but I don't think that what you're attempting is possible due to the way TLS/SSL works.

When you make a TLS request, the server doesn't yet know which domain the client is after, because the request for the domain itself is encrypted. Like I said, I'm no expert, so I'm having a hard time explaining it, but it basically works like this:

User types http://www.domain.com into the address bar of his browser.

Browser finds out what www.domain.com resolves to, let's say it's 1.2.3.4

Browser connects to server at 1.2.3.4, port 80, request contents of www.domain.com

Server responds.

Now, an encrypted connection:

User types https://ssl.domain.com.

Browser finds it's 1.2.3.4.

Browser connects to server at 1.2.3.4, port 443.

Browser requests an encrypted channel with server.

Server responds, all subsequent communication takes place on the encrypted channel.

Browser requests contents of ssl.domain.com.

Server responds.

See, since the encryption starts before the browser asks for a specific domain, the connection cannot be refused, by design.

The only way to achieve what you want, that I know of, is to add another IP and have the server listen to encrypted requests on that IP only.

Hope that makes sense.

edit: I went to WP to see if I could find an article that would explain the problem better, and I found there is a solution to the issue, it's called Server Name Indication, but the page says that it doesn't work with IE in XP, so it's not really that useful at this point.

Hmm…I was suspecting this was the case.

Thanks for your confirmation.

Buck a month for another IP address.

Note that while you can't stop the SSL connection to your domain from forming at the network layer (e.g., the SSL negotiation itself), I believe you should be able to configure your web server to reject certain virtual hosts if accessed over the SSL connection at a higher layer, no differently than if an invalid virtual host was received over a regular connection.

E.g., just don't define a virtual domain www.domain.com as listening on the SSL socket (and don't have a default domain on that socket either). Or define such a domain, but have it do some action to indicate why things are failing (a dummy page or whatever).

And of course, if your SSL certificate is just for ssl.domain.com, then your client's are likely to get browser warnings anyway when trying to connect at www.domain.com, which may further discourage attempting secure connections to that name.

It's not the same as refusing the network connection entirely, but perhaps just as suitable for your purposes.

– David

SSL requests to any other subdomain will fail automatically, i.e. most browsers will display a big scary warning instead of the requested page. If you find that your users regularly ignore such warnings, you can put a few rules in your .htaccess file (or in your webserver configuration) to enforce a specific $HTTP_HOST.

Right, but a client warning won't prevent a connection if the client proceeds anyway, which is what I think the OP was looking to do. So yes, you'd want to take explicit configuration steps on the server to refuse unexpected virtual hosts on the SSL port.

– David

Until Server Name Indication will become widespread, the SSL certificate is being presented before client asks for a host.

So, while you can have more than one vhost, you can have only one certificate.

In other words, even if you set up server to reject access on the basis of HTTP_HOST, it'll look like

User: https://nossl.example

Browser: WARNING, certificate issued for sslenabled.example, do you want to continue?

User: Yes

Server: Really, for now the rule is "one HTTPS per IP". Except when you have a wildcard cert and use SSL for many sub-domains.