Forum Discussion
hooleylist
Aug 10, 2010Cirrostratus
Hi Matt,
I think having a more detailed understanding of the SSL handshake process would help you see why this isn't possible. Here is a page from IBM that describes in text and a nice diagram the SSL handshake process:
http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.csqzas.doc/sy10660_.htm
The server sends its cert in the server hello message. The client's user agent checks the subject of the cert against the hostname that the user made a request to. If they don't match, the user agent typically generates a warning to the user stating that the cert cert doesn't match (or isn't correctly recognized for chaining issues) before the SSL handshake is complete. If the user doesn't opt to proceed, the user agent closes the connection. Only after the SSL handshake is complete does the client send the HTTP headers which tell the server what HTTP host the client has requested.
So there isn't a way for the server to attempt decryption, check if it fails and force the client to retry. If you need to decrypt only selective traffic by host name, you could change the DNS records so that each hostname you want to pass through encrypted points to a different IP address than the hostname(s) you want to decrypt the traffic for. Or you could decrypt all of the traffic and re-encrypt the traffic that requires serverside SSL.
Aaron