Support SNI (Server Name Indication)

Apache 2.2 supports SNI .. as standard ..

do we need the module/pkg libapache2-mod-gnutls?

.. not sure if this is required in place of (or together with) mod_ssl

On wheezy, the libapache2-mod-gnutls pkg (which provides the apache2 module named gnutls) is bug-ridden and best avoided .. the standard build of apache2, openssl and mod_ssl supports SNI .. good to know


some background:
================
Server Name Indication (SNI) is an extension to the TLS computer networking protocol[1] by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS.

To make use of SNI practical, the vast majority of users must use web browsers that implement it. Users whose browsers do not implement SNI are presented with a default certificate and hence are likely to receive certificate warnings, unless the server is equipped with a wildcard certificate that matches the name of the website.

Apache 2.2 - Multiple SSL domains on the same IP address and same port?

Test browser SNI capability

Serving Secure Sites With SNI On Apache

What is SNI: SNI (Server Name Indication) is an extension to SSL that allows multiple SSL-enabled Web sites to be served from a single IP address and port (443). While it requires visitors to use more recent browser versions, it helps get around the problem of requiring separate IP addresses for every secure site hosted on the same Web server. For our example we'll set up two sites with SSL: secure1.example.com and secure2.example.com. Both sites will be served by the same IP address. We'll use separate SSL certificates for each site. We'll also set up an unsecured site, www.example.com, for contrast and testing purposes.

Pre-requisites: We'll use the Apache Web server with mod_ssl and OpenSSL for this article. If you are using Ubuntu 10.04 (or newer) or Fedora 10 (or newer) on your server, the Apache and OpenSSL packages that ship with these distributions already support SNI. If you're compiling Apache yourself, note that SNI is supported in Apache versions 2.2.12 and newer.

Browsers.
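The two-site setup described above (secure1.example.com and secure2.example.com on one IP with separate certificates, plus the plain www.example.com site), written out as an Apache 2.2 / mod_ssl configuration. This is an added example, not the tutorial's or the Apache wiki's own config; the hostnames, DocumentRoot paths and certificate file names are assumptions.

```apache
# Added example: name-based SSL vhosts selected by SNI on one IP:port.
# Apache 2.2 syntax (NameVirtualHost is needed on 2.2; 2.4 ignores it).
# Paths, hostnames and certificate file names below are assumed.
Listen 443
NameVirtualHost *:443

# The first vhost for *:443 in configuration order is the default. A client
# that sends no SNI (or an unknown name) completes the handshake against this
# certificate, which is why non-SNI browsers see this site's cert and warn.
<VirtualHost *:443>
    ServerName secure1.example.com
    DocumentRoot /var/www/secure1
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure1.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure1.example.com.key
    # Optional (2.2.12+): in the default vhost this makes mod_ssl answer
    # clients that sent no SNI with a 403 instead of quietly serving this
    # site's content under a certificate they may not expect. Leave it off
    # if you still need to serve legacy browsers via the default cert.
    SSLStrictSNIVHostCheck on
</VirtualHost>

# Second secure site, same IP and port, its own certificate. mod_ssl picks
# this vhost from the SNI hostname before sending the server certificate.
<VirtualHost *:443>
    ServerName secure2.example.com
    DocumentRoot /var/www/secure2
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure2.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure2.example.com.key
</VirtualHost>

# Unsecured site kept for contrast and testing; ordinary name-based vhost.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/www
</VirtualHost>
```

Each certificate must still match its own ServerName; SNI only lets the server choose which certificate to present, it does not relax hostname checking in the browser.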

Detect if server is using SNI

NameBasedSSLVHostsWithSNI

Summary: Using name-based virtual hosts with SSL adds another layer of complication. Without the SNI extension, it's not generally possible (though a subset of virtual hosts might work). With SNI, it's necessary to consider the configuration carefully to ensure security is maintained. (Note: this page is just about support that comes with the Apache web server. Alternatives such as mod_gnutls are another topic.)

The Problem: The problem with using named virtual hosts over SSL is that named virtual hosts rely on knowing what hostname is being requested, and the request can't be read until the SSL connection is established.

While Apache can renegotiate the SSL connection later after seeing the hostname in the request (and does), that's too late to pick the right server certificate to match the request hostname during the initial handshake, resulting in browser warnings/errors about certificates having the wrong hostname in them.

11.2. Web Server (HTTP)

The Falcot Corp administrators decided to use the Apache HTTP server, included in Debian Wheezy at version 2.2.22.

11.2.1. Installing Apache

By default, installing the apache2 package causes the apache2-mpm-worker version of Apache to be installed too. The apache2 package is an empty shell, and it only serves to ensure that one of the Apache versions is actually installed. The differences between the variants of Apache 2 are concentrated in the policy used to handle parallel processing of many requests; this policy is implemented by an MPM (short for Multi-Processing Module). The Falcot administrators also install libapache2-mod-php5 so as to include PHP support in Apache. Apache is a modular server, and many features are implemented by external modules that the main program loads during its initialization.

11.2.2.

A virtual host is an extra identity for the web server. Each extra virtual host is then described by a file stored in /etc/apache2/sites-available/.