How can I setup different SSL-Certificates for vhosts on Apache?
I have a web-server, that serves different domain-names, but has only one IP-address assigned. That works fine with virtual hosts in Apache. Now I want SSL-encrypted connections for the websites. How can I set different SSL-certificates for the different vhosts?

Using different IP's for the different hostnames would be a solution - not very elegant but possible. But I want to know how I can use different SSL-certificates for different vhosts. So I look for a solution with only one IP-address.

Brom answered 9/11, 2008 at 17:6 Comment(0)
8

UPDATE: 2013

It appears that SNI is finally beginning to take hold as older browsers are falling away. Here are the docs for Apache SNI and here is a Wikipedia article on SNI that includes a chart of browsers that support it. In short, all the major browsers support it in supported versions; if supporting older browsers is important, you may have to take that into consideration.

------ previous answer ------------

SSL Hosts must be tied to a unique IP address/port combination, thus you cannot use virtual hosting (Or at least, it can only have one ssl host per IP address). This is due to the fact that https begins encryption before the Host: parameter is sent in http, and thus it cannot determine which cipher to use from the hostname - all it has is the IP address.

This would be silly easy to fix if HTTP had a TLS command so it could start SSL after asking for the hostname, but no one asked me.

For the definitive answer, see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2

Firenew answered 9/11, 2008 at 17:16 Comment(2)
Actually, there is RFC 2817 now, which does allow to TLS-upgrade in a HTTP connection. It's implemented in Apache. – Respite
But do browsers support it yet? – Firenew
4

After hints in the answers given and comments to it (especially by Martin v. Löwis) I did some googling and found this website about RFC 2817 and RFC 3546. RFC 3546 seems to be a good solution.

Brom answered 9/11, 2008 at 18:1 Comment(0)
2

AFAIK it's not possible to set up different SSL certificates for name-based virtual hosts using mod_ssl. You can read the detailed reason here. An alternative would be using IP based virtual hosts (Which is probably not possible / not a very satisfying solution) - just insert different SSLCertificateFile directives, or you could try this method using mod_gnutls.

Protractile answered 9/11, 2008 at 17:25 Comment(1)
Wow, that RFC for SNI was started in 2003 and yet it still hasn't caught on? I'm intrigued by the claim that the browsers already support it though. – Firenew
1

You will need a separate IP:port combination for each vhost.

RFC 3546 is not feasible yet. IE only supports it when running under Vista, and last I checked Safari doesn't manage it either.

Davidadavidde answered 10/11, 2008 at 0:31 Comment(2)
Yes, the browsers supporting this feature are restricted, but it is one possible solution. A pity that no 'right' solution exists. RFC 3546 seems the best hope for a good solution. For the time being you must order more IP's or restrict the browsers. – Brom
Yes, or the ugly temporary solution of running on a different port. RFC 3546 will happen, but that day is still unfortunately a long way off. – Davidadavidde
1

While everything DGM mentioned is true, there have been some attempts to get around the requirement for a unique IP address for every certificate including mod_gnutls and using TLS extensions. There are some drawbacks but they may be acceptable to you.

Paronym answered 10/11, 2008 at 14:4 Comment(0)
1

Finally it's possible! You need both server and client to support Server Name Indication (SNI)

Browsers that support SNI:

  • Mozilla Firefox 2.0 or later
  • Opera 8.0 or later (with TLS 1.1 enabled)
  • Internet Explorer 7.0 or later (on Vista, not XP)
  • Google Chrome
  • Safari 3.2.1 on Mac OS X 10.5.6

This doc shows how to configure your server: SSL with Virtual Hosts Using SNI

Disagreement answered 13/2, 2013 at 14:25 Comment(0)
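As an added example (not from any of the answers above), here is what the SNI-based setup the last answer refers to looks like in Apache: two name-based TLS vhosts on a single IP address and port, each with its own certificate. Hostnames and file paths are placeholders chosen for this example.

```apache
# Added example: two name-based TLS virtual hosts sharing one IP:port.
# The hostname the client sends in the TLS ClientHello (SNI) selects the
# <VirtualHost>, so each one can present its own certificate.
Listen 443

# The first <VirtualHost> for an address:port pair is the default. Clients
# that send no SNI hostname are served by this vhost and see its certificate.
<VirtualHost *:443>
    ServerName www.example-one.test
    DocumentRoot /var/www/example-one

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example-one.crt
    SSLCertificateKeyFile /etc/ssl/private/example-one.key

    # Optional hardening: when set in the default vhost, clients that do not
    # send SNI are refused (HTTP 403) instead of silently getting this
    # vhost's certificate and content for whatever name they meant to reach.
    SSLStrictSNIVHostCheck on
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example-two.test
    DocumentRoot /var/www/example-two

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example-two.crt
    SSLCertificateKeyFile /etc/ssl/private/example-two.key
</VirtualHost>
```

To check that the right certificate is selected, connect with an SNI-aware client such as `openssl s_client -connect <server>:443 -servername www.example-two.test` and confirm the subject of the presented certificate matches; repeating without `-servername` shows what non-SNI clients get (the default vhost's certificate, or a rejection if SSLStrictSNIVHostCheck is on).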