Not sure if this is required in place of (or together with) mod_ssl.
On wheezy, the libapache2-mod-gnutls package (provides the apache2 module named gnutls) is bug-ridden and best avoided. The standard build of apache2, openssl and mod_ssl supports SNI; good to know.
Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS.
To make use of SNI practical, the vast majority of users must use web browsers that implement it. Users whose browsers do not implement SNI are presented with a default certificate and hence are likely to receive certificate warnings, unless the server is equipped with a wildcard certificate that matches the name of the website.
Background of the problem: When making a TLS connection, the client requests a digital certificate from the web server; once the server sends the certificate, the client examines it and compares the name it was trying to connect to with the name(s) included in the certificate.
If a match occurs the connection proceeds as normal. It is possible for one certificate to cover multiple hostnames. Name-based virtual hosting allows multiple DNS hostnames to be hosted by a single server (usually a web server) on the same IP address. But the server has to pick a certificate before it can read the HTTP Host header, so without SNI an HTTPS server can in practice only serve one domain (or a small group of domains) per IP address for secured browsing.
Apache 2.2 - Multiple SSL domains on the same IP address and same port?
Serving Secure Sites With SNI On Apache
What is SNI: SNI (Server Name Indication) is an extension to SSL that allows multiple SSL-enabled Web sites to be served from a single IP address and port (443). While it requires visitors to use more recent browser versions, it helps get around the problem of requiring separate IP addresses for every secure site hosted on the same Web server. For our example we'll set up two sites with SSL: secure1.example.com and secure2.example.com. Both sites will be served by the same IP address. We'll also set up an unsecured site, www.example.com, for contrast and testing purposes.
Pre-requisites: We'll use the Apache Web server with mod_ssl and OpenSSL for this article. If you are using Ubuntu 10.04 (or newer) or Fedora 10 (or newer) on your server, the Apache and OpenSSL packages that ship with these distributions support SNI already. If you're compiling Apache yourself, note that SNI is supported in Apache versions 2.2.12 and newer.
Apache set-up:
Listen 443
NameBasedSSLVHostsWithSNI
Summary: Using name-based virtual hosts with SSL adds another layer of complication. Without the SNI extension, it's not generally possible (though a subset of virtual hosts might work). With SNI, it's necessary to consider the configuration carefully to ensure security is maintained. (Note: this page is just about support that comes with the Apache web server. Alternatives such as mod_gnutls are another topic.)
The Problem: The problem with using named virtual hosts over SSL is that named virtual hosts rely on knowing what hostname is being requested, and the request can't be read until the SSL connection is established. While Apache can renegotiate the SSL connection later after seeing the hostname in the request (and does), that's too late to pick the right server certificate to match the request hostname during the initial handshake, resulting in browser warnings/errors about certificates having the wrong hostname in them.
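The two-site set-up from the Linode excerpt above, together with the configuration caveat the Apache wiki excerpt raises, as an added example. This configuration is not from the original notes or from either quoted article. It assumes Apache 2.2 with mod_ssl 2.2.12 or newer (the wheezy build mentioned earlier qualifies), the hostnames secure1.example.com, secure2.example.com and www.example.com from the excerpt, and certificate, key and DocumentRoot paths that are placeholders to be replaced with your own.

```apache
# Added example: two TLS sites on one IP address and port via SNI,
# Apache 2.2 + mod_ssl. Paths below are placeholders, not real files.

Listen 80
Listen 443

# Apache 2.2 requires NameVirtualHost for name-based matching on a port.
# (Apache 2.4 removed this directive; drop these two lines there.)
NameVirtualHost *:80
NameVirtualHost *:443

# Plain-HTTP site, kept for contrast and testing.
<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/www.example.com
</VirtualHost>

# The FIRST *:443 vhost is the default for this IP/port: a client that sends
# no SNI (or an unknown name) is handed THIS certificate. Pick it deliberately;
# it is the one non-SNI clients will see a hostname warning against.
<VirtualHost *:443>
    ServerName            secure1.example.com
    DocumentRoot          /var/www/secure1.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/secure1.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure1.example.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName            secure2.example.com
    DocumentRoot          /var/www/secure2.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/secure2.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure2.example.com.key

    # Security caveat: a non-SNI client completes its handshake against the
    # default vhost's certificate, but may then send "Host: secure2.example.com".
    # Without this directive Apache would serve secure2's content under
    # secure1's certificate. With it, mod_ssl answers such requests with 403.
    SSLStrictSNIVHostCheck on
</VirtualHost>
```

After reloading, `apache2ctl -S` lists the vhosts per port and marks which *:443 entry is the default. To confirm that the right certificate is selected per name, run `openssl s_client -connect <server-ip>:443 -servername secure2.example.com` and inspect the certificate subject in the output; repeat without `-servername` and the default (secure1) certificate should be returned instead, which is exactly what a pre-SNI browser would see.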
11.2. Web Server (HTTP)
The Falcot Corp administrators decided to use the Apache HTTP server, included in Debian Wheezy at version 2.2.22.
11.2.1. Installing Apache
By default, installing the apache2 package causes the apache2-mpm-worker version of Apache to be installed too. The apache2 package is an empty shell, and it only serves to ensure that one of the Apache versions is actually installed. The differences between the variants of Apache 2 are concentrated in the policy used to handle parallel processing of many requests; this policy is implemented by an MPM (short for Multi-Processing Module). The Falcot administrators also install libapache2-mod-php5 so as to include PHP support in Apache. Apache is a modular server, and many features are implemented by external modules that the main program loads during its initialization.
11.2.2.
A virtual host is an extra identity for the web server. Each extra virtual host is then described by a file stored in /etc/apache2/sites-available/ (Example 11.16).