Cool Stuff

How to run Apache 2.2.x with multiple SSL certificates via one IP

Leave a comment

I never thought that could be a problem. Well after digging around for HTTP+SSL (multiple certificates) and after understanding how it works, yes this is definitely a problem :-).

But there is light at the end of the tunnel called SNI (Server Name Indication). SNI is an extension for TLS .

The idea behind SNI is that the clients domain name request is deferred until the certificate is exchanged between the the two parties . This gives the server the change to switch to the right named virtual host :-)…. yeah thats cooooool.

See here RFC3546 (Section 3.1) for an in deep description.

SNI works with (according wikipedia):

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (the TLS 1.1 protocol must be enabled)
  • Internet Explorer 7 (Vista or higher, not XP) or later
  • Google Chrome (Vista or higher. XP on Chrome 6 or newer[7]. OS X 10.5.7 or higher on Chrome 5.0.342.1 or newer)
  • Safari Safari 3.2.1 and newer on Mac OS X 10.5.6 and Windows Vista or higher, not XP
  • Any Apple iDevice running iOS4 has support for TLS server name indication.
  • Android

If you want to use SNI for your server you have to put your *.443 hosts configs into one file.

view source
print?
01Listen 443
02 
03NameVirtualHost *:443
04 
05# Also accept connections from none SNI capable hosts
06SSLStrictSNIVHostCheck off
07 
08# This is our default virtual host.
09 DocumentRoot /www/blub1
10 ServerName www.blub1.at
11 
12# Other directives here
13 
14DocumentRoot /www/blub1
15 ServerName www.blub.at
16 
17# Other directives here

 

have fun

Mario

(Visited 113 times, 1 visits today)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.