How to run Apache 2.2.x with multiple SSL certificates via one IP

I never thought that could be a problem. Well after digging around for HTTP+SSL (multiple certificates) and after understanding how it works, yes this is definitely a problem :-).

But there is light at the end of the tunnel called SNI (Server Name Indication). SNI is an extension for TLS .

The idea behind SNI is that the clients domain name request is deferred until the certificate is exchanged between the the two parties . This gives the server the change to switch to the right named virtual host :-)…. yeah thats cooooool.

See here RFC3546 (Section 3.1) for an in deep description.

SNI works with (according wikipedia):

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (the TLS 1.1 protocol must be enabled)
  • Internet Explorer 7 (Vista or higher, not XP) or later
  • Google Chrome (Vista or higher. XP on Chrome 6 or newer[7]. OS X 10.5.7 or higher on Chrome 5.0.342.1 or newer)
  • Safari Safari 3.2.1 and newer on Mac OS X 10.5.6 and Windows Vista or higher, not XP
  • Any Apple iDevice running iOS4 has support for TLS server name indication.
  • Android

If you want to use SNI for your server you have to put your *.443 hosts configs into one file.

Listen 443

NameVirtualHost *:443

# Also accept connections from none SNI capable hosts
SSLStrictSNIVHostCheck off

# This is our default virtual host.
 DocumentRoot /www/blub1
 ServerName www.blub1.at

# Other directives here

DocumentRoot /www/blub1
 ServerName www.blub.at

# Other directives here

 

have fun

Mario

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.