From the Apache 2.4 docs:

The first (default) vhost for SSL name-based virtual hosts must include TLSv1 as a permitted protocol, otherwise Apache will not accept the SNI information from the client and it will be as if the client did not support SNI at all.

I want to have multiple TLS-enabled sites on my server, each giving a different certificate. For security reasons, I only allow TLSv1.1 and TLSv1.2. Is there a secure way to turn on SNI?

A snippet from my config:

<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    [other SSL options]
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.org
    Redirect permanent / https://www.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    [other SSL options]
</VirtualHost>

nullUser

1 Answer

The wiki is contrasting TLSv1 with earlier protocols, not later protocols. SNI works fine with TLSv1.1 and TLSv1.2.

covener
  • So you mean it should read "TLSv1 OR LATER" indicating a TLS level must be present. – TomTom May 23 '16 at 13:42
  • In a sense yes. It just requires TLS extensions which are TLS1.0 and later only. TLSv1 is ambiguous, but in a doc that talks about an openssl .9.8 prerequisite take it with a grain of salt. (Tried to edit the wiki, but it's notoriously slow.) – covener May 23 '16 at 13:49
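Added example (not from the answer, the question, or Apache itself): the behaviour covener describes, modelled with Go's crypto/tls. The server keeps the question's protocol floor (SSLv3 and TLSv1 off, TLSv1.1 and later allowed), still receives the client's SNI and serves the matching vhost certificate; a client that sends no SNI, or an unknown name, gets the default (first) vhost's certificate; a client capped at TLS 1.0 is refused. The vhost names are the question's, the self-signed certificates and the in-memory pipe are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned issues a throwaway self-signed certificate for one vhost name (constructed test data).
func selfSigned(name string) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serverConfig stands in for the <VirtualHost *:443> blocks: vhosts[0] is the default vhost, the
// certificate is chosen by the SNI name in the ClientHello, and SSLv3/TLSv1 are not offered.
func serverConfig(vhosts []string) *tls.Config {
	certs := map[string]*tls.Certificate{}
	for _, v := range vhosts { certs[v] = selfSigned(v) }
	return &tls.Config{
		MinVersion:             tls.VersionTLS11, // same floor as "SSLProtocol all -SSLv2 -SSLv3 -TLSv1"
		SessionTicketsDisabled: true,             // keeps the unbuffered in-memory pipe below deadlock-free
		GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := certs[hi.ServerName]; ok { return c, nil }
			return certs[vhosts[0]], nil // no SNI, or an unknown name: the default vhost, as Apache does
		},
	}
}

// handshake runs srv on one end of an in-memory pipe and connects a client pinned to TLS version ver
// that sends sni ("" = no SNI extension). Returns the chosen certificate's CN and the negotiated version.
func handshake(srv *tls.Config, sni string, ver uint16) (string, uint16, error) {
	c, s := net.Pipe()
	defer c.Close()
	go func() { tls.Server(s, srv).Handshake(); s.Close() }()
	cl := tls.Client(c, &tls.Config{ServerName: sni, InsecureSkipVerify: true, MinVersion: ver, MaxVersion: ver})
	if err := cl.Handshake(); err != nil { return "", 0, err }
	st := cl.ConnectionState()
	return st.PeerCertificates[0].Subject.CommonName, st.Version, nil
}
```

The same check against a live Apache is `openssl s_client -connect host:443 -servername www.example.org -tls1_2`, comparing the subject of the returned certificate with and without -servername.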