example1.com and example2.com point to host0. host0 runs an Apache reverse proxy with two VirtualHosts: it delegates requests for example1.com to host1 and requests for example2.com to host2.
Using http everywhere, this can clearly be made to work.
Using https, I could put the keys for example1.com and example2.com on host0, and then talk http or https to host1 and host2. Given SNI, this should work too.
My question is: is it possible to get example1.com or example2.com to work without keys on host0? I would like to avoid host0 being able to perform a man-in-the-middle attack.
If I understand SNI correctly, key material is exchanged only after the client has passed the desired virtual host name to host0. This should (?) be sufficient information for Apache to simply forward the connection to host1 or host2 without looking at the contents of the transfer at all. That would not require any key material on host0.
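For reference, here is an added Apache configuration sketch of the two setups the question describes: the plain-http reverse proxy that works, and the https variant in which host0 holds each site's key and terminates TLS before re-encrypting to the backend. It is illustrative and not part of the original question; the certificate and CA paths are placeholders, and host1/host2 are assumed to each present their own certificate for their site name. It makes the security point explicit: in the terminating variant host0 sees every request in plaintext, which is exactly the man-in-the-middle position the question wants to avoid.

```apache
# host0: http-only variant (the setup the question says clearly works)
<VirtualHost *:80>
    ServerName example1.com
    ProxyPreserveHost On
    ProxyPass        "/" "http://host1/"
    ProxyPassReverse "/" "http://host1/"
</VirtualHost>

<VirtualHost *:80>
    ServerName example2.com
    ProxyPreserveHost On
    ProxyPass        "/" "http://host2/"
    ProxyPassReverse "/" "http://host2/"
</VirtualHost>

# host0: TLS-terminating variant. host0 holds the site's key, decrypts the
# client's traffic, and opens a second TLS connection to the backend.
# Everything passes through host0 in plaintext, so host0 can read and
# modify it (the position the question wants to avoid).
<VirtualHost *:443>
    ServerName example1.com
    SSLEngine on
    SSLCertificateFile    /PLACEHOLDER/path/example1.com.crt
    SSLCertificateKeyFile /PLACEHOLDER/path/example1.com.key

    # Re-encrypt towards host1. Apache sends SNI to the backend, so host1
    # can pick its own VirtualHost; verify the backend certificate so the
    # proxy itself cannot be silently redirected to a rogue backend.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /PLACEHOLDER/path/backend-ca.crt

    ProxyPreserveHost On
    ProxyPass        "/" "https://host1/"
    ProxyPassReverse "/" "https://host1/"
</VirtualHost>
```

The second block only adds a matching VirtualHost for example2.com pointing at host2. Note that even with backend verification enabled, nothing here removes host0's access to the decrypted content; that is a property of terminating TLS on host0, not of how the backend hop is configured.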