[CLUE-Tech] apache ssl only on non-well-known port?

Angelo Bertolli angelo at freeshell.org
Fri Apr 2 14:26:11 MST 2004


> The SSL key exchange happens before any HTTP data is exchanged.

And therefore it is impossible for the server to know which domain name
you are using before the SSL is set up?  Well, that's understandable, but
after the SSL connection is set up, couldn't we still decide which
virtual host to use?

> The SSL keys are issued to specific hosts (unless you issue your own).
> Therefore the SSL key has to match the hostname that is using that key.
> The browser uses information in the key (common name) to compare with
> the servername that was in the URL; if they don't match it throws an
> error dialog box up.

We use our own key, but we are given a certificate by a trusted third
party.  It would be nice if certificates were valid for "anything at that
IP address" but maybe this would compromise some security.

> With SSL the server returns information (the key) as part of the key
> exchange before the browser can tell it what site it wanted to connect.

But that's not really the beginning of an HTTP session is it?  Shouldn't
we be able to start a regular encrypted HTTP session that doesn't know
anything about the SSL that is being used?

Angelo
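As an added illustration (not part of the thread, and not the poster's own configuration), the Apache setup the subject line hints at: because the handshake finishes before the browser sends its first request, Apache picks the certificate by the socket the connection arrived on (IP address plus port), not by the requested hostname. Two SSL sites therefore need two distinct IP:port pairs. The addresses 192.0.2.10 and 192.0.2.11, the hostnames and the file paths below are placeholders.

```apache
# Added example, not from the original thread: two SSL sites on one
# Apache 2.0 server. The certificate is selected per listening socket,
# since no HTTP data (including the Host header) exists at handshake time.
# Addresses, hostnames and paths are placeholders.

Listen 443
Listen 8443

# Site A: its own IP address on the well-known port.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.org.key
    DocumentRoot /var/www/example.org
</VirtualHost>

# Site B: same IP address, non-well-known port. Users must type
# https://secure.example.net:8443/ and the certificate's common name must
# still read secure.example.net, or the browser shows its mismatch dialog.
<VirtualHost 192.0.2.10:8443>
    ServerName secure.example.net
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/secure.example.net.crt
    SSLCertificateKeyFile /etc/apache2/ssl/secure.example.net.key
    DocumentRoot /var/www/example.net
</VirtualHost>

# Plain HTTP can stay name-based: the Host header arrives in the clear,
# so one socket serves both names.
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
</VirtualHost>
<VirtualHost *:80>
    ServerName secure.example.net
    DocumentRoot /var/www/example.net
</VirtualHost>
```

If both SSL sites were instead declared as `<VirtualHost *:443>`, Apache would present the first vhost's certificate to every connection on that socket, and visitors to the second name would get the common-name mismatch error the thread describes. A second IP address on port 443 (for example 192.0.2.11:443) avoids the non-standard port in the URL at the cost of another address.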


