A small piece of crypto news.
Since HTTP 1.1, the technique of “virtual hosting” – having multiple websites on the same IP address – has been extremely widespread. This is done by sending a “Host:” header with the initial HTTP request, which tells the server which site you want.
However, it’s not possible to do the same trick with SSL, because the SSL handshake happens before any HTTP has been exchanged, so the webserver doesn’t yet know which certificate to send. The fix is SNI (server name indication), as defined in RFC 3546, a way of putting the host info into the SSL handshake itself.
SNI is supported in Firefox 2, IE 7 on Vista, Opera 7.6+ and other modern browsers. For Apache, mod_gnutls supports it, but not mod_ssl (OpenSSL). I’m not sure about IIS.
Now the news: Stephen Henson recently backported the SNI support in OpenSSL 0.9.9-dev to 0.9.8 (the stable version). This should speed up the day when SNI support is available in stable releases of Apache. Sadly, it’ll probably still be a while before it can be used on the public web, because the SSL improvements for IE 7 are only provided on Vista. :-(