Apache, SNI (Server Name Indication), and YOU!

SNI ‘Server Name Indication’

Using multiple SSL certificates with Apache on one IP address.

SNI works for both Apache and IIS, but this article focuses on Apache.
SNI is supported in Apache 2.2.12 and OpenSSL 0.9.8j or later. SNI is an extension of Transport Layer Security (TLS): the client sends the host name it wants inside the TLS handshake, so the server can pick the matching certificate before any encrypted HTTP request is sent.
Without SNI you are limited to one SSL certificate per socket (IP address and port). This is terribly inconvenient if your ISP or web host will only allow a limited number of IPs, or only a single IP.
SNI will secure multiple vhosts/sites on either Apache or IIS with a single or even multiple SSL certificates. This can be for either multiple domains or multiple sub-domains.
SNI is most often used to serve multiple domains from a single IP address.
(This is limited to modern browsers; see below for details.)

Apache with SNI Extension Requirements

Required:
OpenSSL 0.9.8j or later
Apache 2.2.12 or later
mod_ssl

OSes that support SNI out of the box:
Red Hat Enterprise Linux 6.x and later: SNI ready
Fedora 10 and later: SNI ready
CentOS 6.x: SNI ready
Debian 6.x and later: SNI ready
Ubuntu 10.04 and later: SNI ready

OSes that need Apache, OpenSSL and mod_ssl compiled with the proper versions:
Red Hat Enterprise Linux 5.x
CentOS 5.x

 

Setup

Check that mod_ssl is installed:

(RHEL, CentOS, Fedora) yum list installed | grep mod_ssl
(Debian, Ubuntu) dpkg -s apache2.2-common or dpkg -s apache2-common

If it is not:
(RHEL, CentOS, Fedora) yum install mod_ssl

(Debian, Ubuntu) apt-get install apache2.2-common or apt-get install apache2-common. Then enable the module:
a2enmod ssl; /etc/init.d/apache2 reload
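The version and module requirements above are easy to get wrong on the older distributions listed (RHEL/CentOS 5.x), so here is an added check script. It is not from the original post; the helper names are this example's own, the version strings in the comments are constructed samples, and it looks for the binaries under the names the distributions above use (httpd/apachectl on RHEL-style systems, apache2/apache2ctl on Debian-style ones).

```shell
#!/bin/sh
# Added example (not from the original post): check a host against the SNI
# prerequisites listed above: Apache >= 2.2.12, OpenSSL >= 0.9.8j, mod_ssl loaded.
# Helper names are this example's own; version strings in comments are samples.

# Map "MAJOR.MINOR.PATCH[letter]" to one integer so versions compare numerically.
# The OpenSSL patch letter counts as a=1 .. z=26, so 0.9.8j (90810) > 0.9.8e (90805).
version_key() {
  printf '%s\n' "$1" | awk -F. '{
    patch = $3; letter = 0
    if (match(patch, /[a-z]$/)) {
      letter = index("abcdefghijklmnopqrstuvwxyz", substr(patch, RSTART, 1))
      patch = substr(patch, 1, RSTART - 1)
    }
    print $1 * 1000000 + $2 * 10000 + patch * 100 + letter
  }'
}

# Pull the bare version out of "httpd -v" / "apache2 -v" output,
# e.g. "Server version: Apache/2.2.15 (Unix)" -> 2.2.15
parse_apache_version() {
  printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Pull the bare version (with patch letter) out of "openssl version" output,
# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> 1.0.1e
parse_openssl_version() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Returns 0 (true) when Apache version $1 and OpenSSL version $2 both meet the minimums.
sni_ready() {
  [ "$(version_key "$1")" -ge "$(version_key 2.2.12)" ] &&
  [ "$(version_key "$2")" -ge "$(version_key 0.9.8j)" ]
}

# Find the Apache binary under either distribution's name and report its version.
detect_apache_version() {
  for bin in httpd apache2; do
    if command -v "$bin" >/dev/null 2>&1; then
      parse_apache_version "$("$bin" -v 2>/dev/null)"
      return 0
    fi
  done
  return 0
}

# Is mod_ssl actually loaded? (-M lists loaded modules in Apache 2.2 and later.)
mod_ssl_loaded() {
  for ctl in apachectl apache2ctl; do
    if command -v "$ctl" >/dev/null 2>&1; then
      "$ctl" -M 2>/dev/null | grep -q ssl_module && return 0
    fi
  done
  return 1
}

# Live check on this host; falls back to a message if Apache or OpenSSL is absent.
apache_v=$(detect_apache_version)
openssl_v=$(parse_openssl_version "$(openssl version 2>/dev/null)")
if [ -n "$apache_v" ] && [ -n "$openssl_v" ]; then
  if sni_ready "$apache_v" "$openssl_v"; then
    echo "Apache $apache_v with OpenSSL $openssl_v: version requirements for SNI met"
  else
    echo "Apache $apache_v with OpenSSL $openssl_v: too old for SNI, upgrade or rebuild"
  fi
  if mod_ssl_loaded; then
    echo "mod_ssl is loaded"
  else
    echo "mod_ssl is NOT loaded (see the install steps above)"
  fi
else
  echo "Apache or OpenSSL not found here; the functions above still work on captured version strings"
fi
```

The parsing functions take the command output as a string, so you can also paste version banners captured from a remote box into them without running the script there.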

Using unsupported browsers

If you test with a browser that does not support SNI, Apache receives no host name to match on and serves the SSL certificate of the first vhost it parses (loads), so the client sees a certificate for the wrong name. You can refuse such clients instead by adding the following line to your Apache conf file (apache2.conf or httpd.conf):
SSLStrictSNIVHostCheck on
This causes a 403 error for browsers without SNI support; SNI-capable browsers are unaffected.
 
Setting up vhosts:
This article assumes you know where your OS keeps its vhost file, or where you put your vhost configuration.
In your root Apache conf file (apache2.conf or httpd.conf) add the following:
NameVirtualHost *:443

In your vhost conf file, add a VirtualHost block for each site to the bottom of the file
(remember, this is just an example):

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /my/doc/root
    ServerName mydomain.com
    SSLEngine On
    SSLCertificateFile /path/to/domain.crt
    SSLCertificateKeyFile /path/to/domain.key
</VirtualHost>

You can test this with a self-signed certificate if you want:
openssl req -new -nodes -keyout mykey.key -out mycert.cer -days 3650 -x509

You'll need to specify the domain name you want in the "Common Name" prompt. The browser checks the certificate's Common Name against the host name it requested, so it must match the vhost's ServerName.
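The single vhost above scales to any number of sites in the same way, and the one thing worth verifying after the restart is that each name really gets its own certificate. This added script (not from the original post or from Rackspace) generates the SNI vhost config for a list of sites, creates a self-signed test certificate per site without the interactive Common Name prompt, and shows the openssl check for which certificate is served per name. The certificate paths under /etc/ssl/sni/ and the two-site list are constructed for this example, and the function names are its own.

```shell
#!/bin/sh
# Added example (not from the original post): render SNI vhosts for a list of
# sites, make a self-signed cert per site, and verify which cert is served.
# Paths under /etc/ssl/sni/ and the site list below are constructed.

# One *:443 vhost per site, shaped like the example block above.
render_vhost() {
  cat <<EOF
<VirtualHost *:443>
    ServerName $1
    DocumentRoot $2
    SSLEngine On
    SSLCertificateFile $3
    SSLCertificateKeyFile $4
</VirtualHost>

EOF
}

# Read "domain docroot" lines from file $1 and emit a complete config fragment.
render_sni_config() {
  printf 'NameVirtualHost *:443\n'
  # Refuse clients that send no SNI name rather than handing them the first
  # vhost's certificate (the SSLStrictSNIVHostCheck behaviour described above).
  printf 'SSLStrictSNIVHostCheck on\n\n'
  while read -r domain docroot; do
    [ -z "$domain" ] && continue
    render_vhost "$domain" "$docroot" "/etc/ssl/sni/$domain.crt" "/etc/ssl/sni/$domain.key"
  done < "$1"
}

# Self-signed test cert for $1; -subj fills in the Common Name non-interactively.
# It must equal the vhost's ServerName or the browser will reject the cert.
make_selfsigned() {
  openssl req -new -nodes -x509 -days 3650 -subj "/CN=$1" \
    -keyout "/etc/ssl/sni/$1.key" -out "/etc/ssl/sni/$1.crt"
}

# Which certificate does host $1 port $2 present for SNI name $3? Run once per
# vhost after restarting Apache; omit -servername (or pass -noservername on
# OpenSSL 1.1.1+) to see what a non-SNI client would get.
served_subject() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null |
    openssl x509 -noout -subject
}

count_vhosts() { grep -c '^<VirtualHost \*:443>' "$1"; }

# Constructed sample site list, rendered to a temp file for inspection.
SITES=$(mktemp)
cat > "$SITES" <<'EOF'
example.com /var/www/example
shop.example.org /var/www/shop
EOF
CONF=$(mktemp)
render_sni_config "$SITES" > "$CONF"
cat "$CONF"
```

After copying the rendered fragment into your vhost file and restarting Apache, served_subject run with each ServerName should print that name's subject, and the run without -servername should print the first vhost's (or fail with SSLStrictSNIVHostCheck on).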

Restart Apache and you are golden.

BROWSERS

SNI is a newer technology and most browsers support it. However, it does not work in IE6, or in any browser on Windows XP except Chrome 6 and later.

Desktop Browsers

  • Internet Explorer 7 and later
  • Firefox 2 and later
  • Opera 8 with TLS 1.1 enabled
  • Google Chrome:
        Supported on Windows XP on Chrome 6 and later
        Supported on Vista and later by default
        OS X 10.5.7 in Chrome Version 5.0.342.0 and later
  • Chromium 11.0.696.28 and later
  • Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).
  • Note: No versions of Internet Explorer on Windows XP support SNI

Mobile Browsers

  • Mobile Safari for iOS 4.0
  • Android 3.0 (Honeycomb) and later
  • Windows Phone 7

This is a very basic introduction to setting up SNI.
For *much* more detailed instructions, go to the following Rackspace Knowledge Base article:
http://www.rackspace.com/knowledge_center/article/serving-secure-sites-with-sni-on-apache

jim has written 83 articles
