I have a centos 7 server. I switched from apache 2.4.6 to apache 2.4.25 using IUS repository (https://ius.io/). My goal is to support multiple SSL certificates with a single IP.

I have installed:

  • Apache/2.4.25 (CentOS)
  • httpd24u-mod_ssl-2.4.25-3.ius.centos7.x86_64
  • openssl-1.0.1e-60.el7_3.1.x86_64

Is apache now SNI enabled?

Or do I have to build it from scratch with ./configure --with-ssl=/path/to/your/openssl as in documentation (https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI)?

Thank you for your time.

GeorgeKaf

1 Answer

8

The stock CentOS httpd and mod_ssl packages already supported SNI. OpenSSL has supported SNI since version 0.9.8f, and any httpd from version 2.2.12 onwards that is built against openssl 0.9.8f or newer will automatically support SNI.

But to check whether your httpd and mod_ssl support SNI:

Simply test by configuring name-based SSL/TLS virtual hosts and checking your error log after restarting (from the apache httpd wiki you already linked to):

How can you tell if your Apache build supports SNI?

If you configure multiple name-based virtual hosts for an address where SSL is configured, and SNI isn't built into your Apache, then upon Apache startup a message like

"You should not use name-based virtual hosts in conjunction with SSL!!"

will occur in the error log.
If SNI is built in, then the error log will show

"[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)".

Alternatively, use ldd to confirm that mod_ssl is linked against openssl's libssl, and confirm the version:

ldd /usr/lib64/httpd/modules/mod_ssl.so
    linux-vdso.so.1 =>  (0x00007fff323f8000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f3d99792000)        <=======
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3d993a8000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3d9918b000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f3d98f87000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3d98bc6000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f3d98977000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f3d98690000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f3d9848c000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f3d98259000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f3d98043000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3d99c3d000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f3d97e34000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f3d97c2f000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f3d97a15000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f3d977ed000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f3d9758c000)
rpm -qf /lib64/libssl.so.10
openssl-libs-1.0.1e-60.el7_3.1.x86_64
HBruijn
    Wish I could upvote twice. I was simultaneously writing an answer, but this already covers everything on it, managing to be more CentOS specific at the same time. – Esa Jokinen May 19 '17 at 08:01
  • #ldd returned "libssl.so.10 => /lib64/libssl.so.10 (0x00007f9dc079a000)". #rpm -qf returned "openssl-libs-1.0.1e-60.el7_3.1.x86_64". So far so good. After systemctl restart httpd error_log had only this warning [Fri May 19 11:17:12.560265 2017] [mpm_prefork:notice] [pid 25788] AH00163: Apache/2.4.25 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations. Is it wrong ? – GeorgeKaf May 19 '17 at 08:23
  • You only get an alert when you have multiple TLS hosts configured on port 443, check your config with `httpd -S` or `apachectl -S` In general *"resuming normal operations"* is good thing – HBruijn May 19 '17 at 08:38
  • The issue is I have already multiple virtualHosts configured in 443 *:443 is a NameVirtualHost default server server1.domain.com (/etc/httpd/conf.d/ssl.conf:56) port 443 namevhost server1.domain.com (/etc/httpd/conf.d/ssl.conf:56) port 443 namevhost site1.com (/etc/httpd/conf/ssl/vhosts/site1.conf:1) port 443 namevhost site2.com (/etc/httpd/conf/ssl/vhosts/site2.conf:1). – GeorgeKaf May 19 '17 at 09:21
  • 1 Domain starting with , all the others starting with . But I don't see the warning nor the examples sites load with https. When I configure one of the examples with ip:443. It works but the second loads the certificate of the first one. – GeorgeKaf May 19 '17 at 09:22
  • I have it up and running a few days now with Apache/2.4.25 from IUS. Couple of things to make sure your setup is correct: 1) Use for all domains with ssl enabled. 2) Clear your browser cache after each change in vhosts files, clear your browser cache after each change in vhosts files and last clear your browser cache after each change in vhosts files (especially if you are using chrome) :) – GeorgeKaf May 23 '17 at 07:42
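The checks above (the error-log warning, `ldd`, `httpd -S`) and the `*:443` versus `ip:443` mix-up from the comments, put into one script. This is an added example for this thread, not code from the question, the answer or the IUS packages. It assumes vhost files under /etc/httpd/conf/ssl/vhosts, certificates under /etc/pki/tls/certs and keys under /etc/pki/tls/private (none of which the thread states), uses 203.0.113.10 as a placeholder server address, and the two `httpd -S` dumps it parses are constructed, modelled on the one GeorgeKaf posted.

```bash
#!/bin/bash
# Added example for this thread, not code from the question or the answer.
# Renders name-based TLS vhosts for httpd 2.4 on CentOS 7 and checks, from
# the `httpd -S` dump and from the client side, that SNI is doing the work.
# Assumed paths (not from the page): /etc/pki/tls/certs, /etc/pki/tls/private.
set -u

# Render one <VirtualHost *:443> block.  Every TLS vhost must use the same
# address spec: a host declared as <VirtualHost 203.0.113.10:443> next to
# <VirtualHost *:443> forms a separate address set, takes no part in
# name-based selection, and the first vhost's certificate is served instead.
render_vhost() {
    local name="$1" crt="$2" key="$3" chain="${4:-}"
    printf '<VirtualHost *:443>\n'
    printf '    ServerName %s\n' "$name"
    printf '    DocumentRoot /var/www/%s\n' "$name"
    printf '    SSLEngine on\n'
    printf '    SSLCertificateFile %s\n' "$crt"
    printf '    SSLCertificateKeyFile %s\n' "$key"
    [ -n "$chain" ] && printf '    SSLCertificateChainFile %s\n' "$chain"
    # A client that sends no SNI otherwise silently gets the default vhost's
    # certificate; with this on it is refused (403) instead.
    printf '    SSLStrictSNIVHostCheck on\n'
    printf '</VirtualHost>\n'
}

# --- Reading `httpd -S` / `apachectl -S` output from stdin ------------------

# Address specs listening on 443.  More than one distinct spec means the TLS
# vhosts are split across address sets (the *:443 / ip:443 mix-up).
tls_address_specs() {
    awk '/^[^ \t]/ && $1 ~ /:443$/ {print $1}' | sort -u
}

# Names httpd will select by SNI on port 443.
list_tls_namevhosts() {
    awk '$1 == "port" && $2 == "443" && $3 == "namevhost" {print $4}'
}

# The vhost, and so the certificate, a client that sends no SNI gets.
default_tls_server() {
    awk '/^[^ \t]/ {in443 = ($1 ~ /:443$/)}
         in443 && $1 == "default" && $2 == "server" {print $3}'
}

# Path of the libssl that mod_ssl.so links against, from `ldd` output on
# stdin.  ldd runs the dynamic loader, so only point it at trusted binaries
# such as the distro's own package, never at an untrusted upload.
libssl_path() {
    awk '$1 ~ /^libssl\.so/ {print $3}'
}

# --- Live check (needs network access to the server) ------------------------

# Subject of the leaf certificate the server presents for one SNI name.
sni_subject() {
    local host="$1" name="$2"
    openssl s_client -connect "${host}:443" -servername "$name" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

# True when every line on stdin is unique.
all_distinct() {
    ! sort | uniq -d | grep -q .
}

# Query each name; SNI is in effect only if every name got its own cert.
sni_check() {
    local host="$1"; shift
    local name subj all=""
    for name in "$@"; do
        subj=$(sni_subject "$host" "$name")
        printf '%-30s %s\n' "$name" "$subj" >&2
        all="${all}${subj}"$'\n'
    done
    printf '%s' "$all" | all_distinct && return 0
    echo "at least two names share a certificate: SNI is not selecting vhosts" >&2
    return 1
}

# Constructed `httpd -S` dump, modelled on the one posted in the comments.
SAMPLE_HTTPD_S='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server server1.domain.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost server1.domain.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost site1.com (/etc/httpd/conf/ssl/vhosts/site1.conf:1)
         port 443 namevhost site2.com (/etc/httpd/conf/ssl/vhosts/site2.conf:1)
ServerRoot: "/etc/httpd"'

# Constructed dump of the broken mix: site2.com bound to the IP, not *:443.
SAMPLE_MIXED='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server server1.domain.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost server1.domain.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost site1.com (/etc/httpd/conf/ssl/vhosts/site1.conf:1)
203.0.113.10:443       site2.com (/etc/httpd/conf/ssl/vhosts/site2.conf:1)'

case "${1:-}" in
    render) shift; render_vhost "$@" ;;   # render site1.com /path.crt /path.key
    dump)   httpd -S 2>&1 | tls_address_specs ;;
    check)  shift; sni_check "$@" ;;      # check 203.0.113.10 site1.com site2.com
esac
```

`render site1.com ... > /etc/httpd/conf/ssl/vhosts/site1.conf` writes one vhost, `httpd -t` then `systemctl restart httpd` loads it, `dump` must print exactly one address spec, and `check` against the server's address fails as soon as two names come back with the same subject, which is what the asker saw when one site was bound to `ip:443`.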