What is the technology behind Hostname Based SSL (multiple ssl vhosts on single IP)?
Well-known PaaS provider Heroku offers multiple solutions to the SSL problem. One of those is a product called Hostname Based SSL.
This is not SNI. They claim it works on every browser in any configuration but has other drawbacks, mainly (quoting the docs):
Hostname based SSL will not work with root domains as it relies on CNAME aliasing of your custom domain names.
Hostname SSL works with one domain only. For example, www.domain.com would work, but if a second certificate for secure.domain.com is added to the application it will not work.
Our hostname-based SSL offering currently strips some HTTP headers; this can be a problem when your app needs to look at the IP of the client, for instance.
Using this custom-built solution, Heroku can serve multiple SSL sites on a single IP address and, as they claim, it will work across anything.
Can anyone explain the technical side of this solution and the technology behind this product?
Solution 1:
It's not quite what you think. Heroku is not serving up multiple SSL certs on a single IP address. If you perform an nslookup against different Hostname SSL deployments, for example, you will find that they each point to a different Amazon ELB. Therein lies the secret sauce.
When a customer requests Hostname-based SSL, an ELB is provisioned for them and the customer is asked to CNAME to that ELB's hostname. Those ELBs connect back into the Heroku routing mesh as appropriate.
I hope that clears some things up. Feel free to ask more questions.
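The mechanism described in the answer, as an added example that is not part of the original answer and not Heroku's code: each custom hostname CNAMEs to its own load balancer, so the endpoint can pick the certificate from the destination address alone, with no SNI. The hostnames, addresses and function names below are constructed assumptions, and the records are an inline table rather than live DNS lookups.

```python
# Constructed DNS data (not real lookups): name -> (record type, values)
RECORDS = {
    "www.example-a.test": ("CNAME", ["elb-a.elb.example.test"]),
    "www.example-b.test": ("CNAME", ["elb-b.elb.example.test"]),
    "elb-a.elb.example.test": ("A", ["192.0.2.10", "192.0.2.11"]),
    "elb-b.elb.example.test": ("A", ["198.51.100.20"]),
    # Contrast case: two names on one address, where only SNI could
    # tell the server which certificate to present.
    "shared1.example.test": ("A", ["203.0.113.5"]),
    "shared2.example.test": ("A", ["203.0.113.5"]),
}


def resolve(name, records=RECORDS, max_hops=8):
    """Follow CNAMEs; return (cname_chain, frozenset_of_addresses)."""
    chain = []
    for _ in range(max_hops):
        rtype, values = records.get(name, ("NXDOMAIN", []))
        if rtype == "CNAME":
            name = values[0]
            chain.append(name)
        elif rtype == "A":
            return chain, frozenset(values)
        else:
            return chain, frozenset()
    raise ValueError("CNAME loop or chain too long")


def cert_selection(names, records=RECORDS):
    """Classify each name: 'by-ip' if no other name shares any of its
    addresses (the listener's IP identifies the certificate), otherwise
    'needs-sni'."""
    addrs = {n: resolve(n, records)[1] for n in names}
    result = {}
    for n in names:
        shared = any(addrs[n] & addrs[m] for m in names if m != n)
        result[n] = "needs-sni" if shared else "by-ip"
    return result


def can_use_cname(hostname, zone_apex):
    """A CNAME cannot be placed at the zone apex, which already holds
    SOA and NS records; this is the root-domain limitation in the docs."""
    return hostname.rstrip(".").lower() != zone_apex.rstrip(".").lower()
```

To check a real deployment, compare the CNAME targets and addresses returned by `nslookup` for two different hostnames in the same way.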