
The Apache httpd documentation says that name based virtual hosts don't work with SSL. But our sites are working in a configuration like that!

In site1.conf, we have

<VirtualHost *:443>
    ServerName                  site1:443
    DocumentRoot                /var/www/site1
    ErrorLog                    /var/log/apache2/site1.error.log
    TransferLog                 /var/log/apache2/site1.access.log

    SSLEngine                   on
    SSLCipherSuite              ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile          /etc/apache2/keys/trac.crt
    SSLCertificateKeyFile       /etc/apache2/keys/trac.key
    SetEnvIf                    User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
...
</VirtualHost>

The other site is almost identical, but with site2 instead of site1. As far as I can tell, we are either very lucky, or I don't understand the documentation. The two URLs work, and they serve different content via HTTPS.

Could someone please shed some light?

Michael
  • This has been answered here a few times -- I thought I had it in my favorites but I don't. Look around on here (or google) for SSL SNI (Server Name Indication) & if you turn up the ServerFault question where it got discussed in detail let me know so I can star it :-) – voretaq7 Oct 27 '10 at 17:57
  • The docs for v2.2 at http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2 mention this: "It is possible, but only if using a 2.2.12 or later web server, built with 0.9.8j or later OpenSSL. This is because it requires a feature that only the most recent revisions of the SSL specification added, called Server Name Indication (SNI)." – Xhantar Oct 27 '10 at 19:07

2 Answers


The more recent versions of apache support Server Name Indication (SNI), which allows name-based virtual hosting of HTTPS. For SNI to work, the client browser software needs to be SNI-capable, but unfortunately, not all browsers are (most notably Internet Explorer on WinXP).

Steven Monday
  • The SNI Problems for Windows users extend to Mozilla & I believe Chrome as well - IIRC something to do with the SSL library shipped in XP. Works in Vista or later though. – voretaq7 Oct 27 '10 at 18:07

SSL will work, but unless you have a wildcard cert and the sites are both covered by that cert, the client will be prompted that the certificate name doesn't match one or both of the sites.

If you are using self-signed certs, then this is usually a moot point because the client will be prompted about that anyhow.

It IS possible to serve multiple secure NameVirtualHosts from the same apache server by either giving them separate IP addresses, or by using a wildcard certificate where they share domains.

Brent
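The two answers above describe the same handshake-time rule from two sides: with SNI the server can pick the vhost (and certificate) that matches the requested name; without SNI (old Internet Explorer on XP, for example) it can only present the first *:443 vhost's certificate, so the browser's hostname check fails unless that certificate is a wildcard or otherwise covers the requested name. The script below is an added example, not Apache's own code or code from either answer: it parses a small constructed config modelled on the question's site1.conf/site2.conf, models Apache's certificate selection with and without SNI, and then runs the browser-side name check. Because it runs offline, the names inside each certificate file are a constructed lookup table (a real check would read them from the PEM files); all host names and paths are illustrative.

```python
import re
from dataclasses import dataclass

# Constructed configuration modelled on the question's site1.conf and
# site2.conf; host names and certificate paths are illustrative.
APACHE_CONF = """
<VirtualHost *:443>
    ServerName            site1.example.com:443
    SSLEngine             on
    SSLCertificateFile    /etc/apache2/keys/site1.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName            site2.example.com:443
    ServerAlias           www.site2.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/apache2/keys/site2.crt
</VirtualHost>
"""

# Constructed stand-in for the subject/SAN names inside each certificate
# file; a real deployment would parse them out of the PEM files.
CERT_NAMES = {
    "/etc/apache2/keys/site1.crt": ["site1.example.com"],
    "/etc/apache2/keys/site2.crt": ["site2.example.com", "www.site2.example.com"],
    "/etc/apache2/keys/wildcard.crt": ["*.example.com"],
}


@dataclass
class VHost:
    names: list   # ServerName first, then any ServerAlias entries
    cert: str     # SSLCertificateFile path


VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", re.S)


def parse_vhosts(conf):
    """Return the SSL-enabled *:443 vhosts in file order (order matters:
    the first one is Apache's default for clients that send no SNI)."""
    vhosts = []
    for body in VHOST_RE.findall(conf):
        names, cert, ssl_on = [], None, False
        for line in body.splitlines():
            parts = line.split()
            if not parts:
                continue
            key, args = parts[0].lower(), parts[1:]
            if key == "servername":
                # ServerName may carry a :port suffix, as in the question
                names.insert(0, args[0].split(":")[0].lower())
            elif key == "serveralias":
                names.extend(a.lower() for a in args)
            elif key == "sslcertificatefile":
                cert = args[0]
            elif key == "sslengine":
                ssl_on = args[0].lower() == "on"
        if ssl_on and cert:
            vhosts.append(VHost(names, cert))
    return vhosts


def hostname_matches(host, pattern):
    """Browser-style name check: a wildcard covers exactly one label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern


def select_certificate(vhosts, sni_name):
    """Model of the certificate Apache presents in the TLS handshake:
    the vhost matching the SNI name if one was sent and matches,
    otherwise the first *:443 vhost (the default)."""
    if sni_name:
        for vh in vhosts:
            if any(hostname_matches(sni_name, n) for n in vh.names):
                return vh.cert
    return vhosts[0].cert


def browser_check(vhosts, requested_host, client_sends_sni):
    """Return (certificate presented, whether the browser accepts its name)."""
    cert = select_certificate(vhosts, requested_host if client_sends_sni else None)
    accepted = any(hostname_matches(requested_host, n) for n in CERT_NAMES[cert])
    return cert, accepted


def with_shared_cert(vhosts, cert):
    """Same vhosts, but every one of them configured with one shared cert
    (the wildcard-certificate option from the second answer)."""
    return [VHost(vh.names, cert) for vh in vhosts]


if __name__ == "__main__":
    vhosts = parse_vhosts(APACHE_CONF)
    for host, sni in [("site2.example.com", True), ("site2.example.com", False)]:
        print(host, "SNI" if sni else "no SNI", browser_check(vhosts, host, sni))
    shared = with_shared_cert(vhosts, "/etc/apache2/keys/wildcard.crt")
    print("wildcard, no SNI", browser_check(shared, "site2.example.com", False))
```

Running it shows the three cases the answers describe: an SNI-capable browser asking for site2 gets site2.crt and a clean name check; a non-SNI browser asking for site2 gets site1.crt (the default vhost) and a name-mismatch warning; and once both vhosts share the wildcard certificate, even the non-SNI browser passes the name check, because the certificate covers both names regardless of which vhost answered the handshake.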