On Dec 11, 2008, at 8:25 PM, Lisa Kachold wrote:

> It's just as easy to set the server hostname and ip address statically
> to a standard hosts file? Name based virtualhosting still works!
>
>
> For 443 certificate based virtuals, you MUST have your SSL cert FQDN
> match the csr, and crt.

Kinda. You can't really do name-based virtual hosting w/ SSL, at least not with openssl as I know it. SSL vhosts in Apache are based on IP address only.

When doing https, the SSL key negotiation between client & server happens before the client tells the server what resource/page/image it wants. Apache won't know what site you want to view until after this has been done. The IP address is about all Apache has to go on when selecting which certificate to use to decrypt the client's request. This is why you can't have more than 1 SSL site on the same IP:port.

I believe that if you set up an SSL VirtualHost with a ServerName parameter, Apache resolves that name into an IP at startup time, and uses that IP address to determine when to serve content from that virtual host. Putting '127.0.0.1 www.yoursite.com' in /etc/hosts messes up this process. That's what prompted my reply to your initial email.

Apache won't try to use your certificate because it hasn't received a request for 127.0.0.1. Most likely, your request will be handled by the default vhost, which will try to speak plaintext http to a client expecting https, and you'll get weird client errors containing a bunch of hex garbage.

alex
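
Added example, not part of the original message: a small Python check for the two misconfigurations described above, more than one SSL vhost on the same IP:port and an SSL vhost whose address resolves to 127.0.0.1 through /etc/hosts. The function names, the sample config and the hosts entries are constructed for illustration, and the check assumes the hostname appears in the `<VirtualHost>` address.

```python
import re
from collections import defaultdict

HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.yoursite.com\n"  # constructed samples
HTTPD_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName mail.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost www.yoursite.com:443>
    ServerName www.yoursite.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:80>
</VirtualHost>
"""

def parse_hosts(text):
    """Map each hostname in a hosts file to its address (first entry wins)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def ssl_vhosts(conf):
    """Yield (address, port, ServerName) for each vhost with SSLEngine on."""
    block = re.compile(r"<VirtualHost\s+(\S+):(\d+)>(.*?)</VirtualHost>", re.S | re.I)
    for addr, port, body in block.findall(conf):
        if re.search(r"^\s*SSLEngine\s+on\b", body, re.I | re.M):
            name = re.search(r"^\s*ServerName\s+(\S+)", body, re.I | re.M)
            yield addr, int(port), name.group(1) if name else None

def audit(conf, hosts_text):
    """Report SSL vhosts bound to loopback or sharing one IP:port."""
    hosts, by_socket, findings = parse_hosts(hosts_text), defaultdict(list), []
    for addr, port, name in ssl_vhosts(conf):
        ip = hosts.get(addr.lower(), addr)  # hostname address resolved via hosts file
        if ip.startswith("127."):
            findings.append(("loopback", name, f"{ip}:{port}"))
        by_socket[(ip, port)].append(name)
    for (ip, port), names in by_socket.items():
        if len(names) > 1:
            findings.append(("shared", tuple(names), f"{ip}:{port}"))
    return findings
```

Calling `audit(HTTPD_CONF, HOSTS)` returns one "loopback" finding for www.yoursite.com and one "shared" finding for the two vhosts on 192.0.2.10:443; the port 80 vhost is ignored because it has no `SSLEngine on`.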