What is the technology behind Hostname Based SSL (multiple ssl vhosts on single IP)?

Well-known PaaS provider Heroku offers multiple solutions to the SSL problem. One of those is a product called Hostname Based SSL.

This is not SNI. They claim it works on every browser in any configuration but has other drawbacks, mainly (quoting the docs):

  • Hostname based SSL will not work with root domains as it relies on CNAME aliasing of your custom domain names.

  • Hostname SSL works with one domain only. For example, www.domain.com would work, but if a second certificate for secure.domain.com is added to the application it will not work.

  • Our hostname-based SSL offering currently strips some HTTP headers; this can be a problem when your app needs to look at the IP of the client, for instance.

Using this custom-built solution Heroku can serve multiple SSL sites on a single IP address and, as they claim, it will work across anything.

Can anyone explain the technical side of this solution and the technology behind this product?


Solution 1:

It's not quite what you think. Heroku is not serving up multiple SSL certs on a single IP address. If you perform an nslookup against different Hostname SSL deployments, for example, you will find that they each point to a different Amazon ELB. Therein lies the secret sauce.

When a customer requests Hostname-based SSL, an ELB is provisioned for them and the customer is asked to CNAME to that ELB's hostname. Those ELBs connect back into the Heroku routing mesh as appropriate.

I hope that clears some things up. Feel free to ask more questions.
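The nslookup check described in the answer, modelled offline as an added example (it is not part of the original question or answer, and it is not Heroku's or AWS's code). Every hostname, ELB name and address in the `SAMPLE_DNS` table is constructed for illustration; on a real deployment you would feed the function the CNAME and A answers that `dig +short` returns. The example follows each custom domain's CNAME chain to the endpoint that terminates TLS, groups domains by the IP they land on (two hostnames on one IP would force certificate selection by SNI, which is exactly what the ELB-per-customer design avoids), and also checks the root-domain limitation: a CNAME cannot coexist with other records at the same name, and the zone apex always carries SOA and NS.

```python
"""Offline model of the DNS check behind hostname-based SSL.

A hostname-based SSL deployment works without SNI because each custom
domain is CNAMEd to its own load-balancer endpoint with its own IP, so the
listening socket, not the TLS ClientHello, selects the certificate.
"""
from collections import defaultdict

# Constructed sample records in the shape `dig +short` returns them:
# either a CNAME target (trailing dot) or one or more IPv4 addresses.
# None of these names or addresses are real.
SAMPLE_DNS = {
    "www.example-a.test.": ["elb-aaaa.example-lb.test."],
    "www.example-b.test.": ["elb-bbbb.example-lb.test."],
    # a second hostname pointed at the same endpoint: the endpoint holds
    # one certificate, so this is the "one domain only" limitation
    "secure.example-a.test.": ["elb-aaaa.example-lb.test."],
    "elb-aaaa.example-lb.test.": ["198.51.100.10"],
    "elb-bbbb.example-lb.test.": ["198.51.100.20"],
    # two unrelated domains behind one shared IP, which would need SNI
    "shared.example-c.test.": ["sni-front.example-lb.test."],
    "shared.example-d.test.": ["sni-front.example-lb.test."],
    "sni-front.example-lb.test.": ["203.0.113.5"],
}


def _is_ipv4(text):
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def resolve(name, records=SAMPLE_DNS, max_hops=8):
    """Follow CNAMEs until address records are reached.

    Returns (chain_of_names, sorted_ips). Raises LookupError on a missing
    name, a CNAME loop, or a chain longer than max_hops.
    """
    chain = [name]
    for _ in range(max_hops):
        answers = records.get(chain[-1])
        if not answers:
            raise LookupError("no record for " + chain[-1])
        if all(_is_ipv4(a) for a in answers):
            return chain, sorted(answers)
        target = answers[0]
        if target in chain:
            raise LookupError("CNAME loop at " + target)
        chain.append(target)
    raise LookupError("CNAME chain too long")


def group_by_endpoint(names, records=SAMPLE_DNS):
    """Map each terminating IP to the custom domains that land on it."""
    groups = defaultdict(list)
    for name in names:
        _, ips = resolve(name, records)
        for ip in ips:
            groups[ip].append(name)
    return dict(groups)


def needs_sni(names, records=SAMPLE_DNS):
    """True when two or more of the given hostnames share a terminating IP,
    which would force that endpoint to pick certificates by SNI."""
    return any(len(hosts) > 1 for hosts in group_by_endpoint(names, records).values())


def cname_allowed_at(name, zone_apex, other_rrtypes=()):
    """A CNAME may not coexist with any other record at the same owner name
    (RFC 1034 section 3.6.2). The apex always has SOA and NS, so a root
    domain can never be CNAMEd to a load balancer."""
    present = set(other_rrtypes)
    if name == zone_apex:
        present |= {"SOA", "NS"}
    return len(present) == 0


if __name__ == "__main__":
    for host in ("www.example-a.test.", "www.example-b.test."):
        chain, ips = resolve(host)
        print(host, "->", " -> ".join(chain[1:]), "->", ips)
    print("distinct endpoints, no SNI needed:",
          not needs_sni(["www.example-a.test.", "www.example-b.test."]))
    print("root domain may carry a CNAME:",
          cname_allowed_at("example-a.test.", "example-a.test."))
```

Run it against real answers by replacing `SAMPLE_DNS` with the output of `dig +short` for each hostname in the chain; if every custom domain ends on its own IP, the certificates are being selected per endpoint rather than per SNI name, which is the behaviour the answer describes.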