How to setup Apache NameVirtualHost on SSL?

apache-2.2 ubuntu

Using multiple host names on the same Apache Httpd server (and any HTTPS server for that matter) poses two problems:

  • For the connection to be secure, the client must first verify the server certificate.
  • If there are multiple certificates available to the server, the server must be able to get which certificate to pick from the client request.

HTTPS is HTTP over SSL/TLS: the SSL/TLS handshake, which establishes the secure tunnel, is started by the client just after creating the TCP connection, before any HTTP exchange is made. All the subsequent HTTP traffic of the HTTPS exchange is done over this SSL/TLS connection.

The server certificate is sent by the server as part of the SSL/TLS handshake. The verification process relies on (a) verifying the certificate is trusted and (b) verifying it was issued for the server the client intended to contact. There are more details in this answer on StackOverflow.

In HTTP, the requested host name is sent in the HTTP Host header. This is how name-based virtual hosts work: the dispatch is done based on the Host header internally within Apache Httpd.

However, the HTTP Host header isn't available to Apache Httpd before the SSL/TLS has completed successfully. Thus, it's not available before the server certificate has been sent.

There are two ways to help Apache Httpd choose which certificate to use during the handshake, without relying on any HTTP traffic:

  • Using a certificate per IP address/port combination. This is the traditional way.
  • Using the Server Name Indication extension of SSL/TLS, send during the SSL/TLS handshake, which establishes the secure tunnel. The problem with this option is that not all browsers support it. In particular, it's not supported on any version of IE on XP (and some mobile browsers, I think).

If you cannot use SNI or have multiple IP addresses on your server, you could use a certificate that is valid for all the host names that you want to serve. This can be done by using:

  • a certificate issued to a wildcard name (but their usage is discouraged), or
  • a certificate with multiple Subject Alternative Name DNS entries. This should be your preferred option.

If you really want to try SNI, it should work with a recent-enough version of Apache Httpd 2, using a recent-enough version of OpenSSL (if using mod_ssl as provided with the main code base). This is documented here: http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI


The SSL warning is about name-based SSL sites. Traditional SSL encrypts the connection before HTTP traffic is sent, it encrypts the TCP connection rather then the HTTP session, if I'm not mistaken. Since virtual hosts are selected within the HTTP protocol, and the server needs to set up a secure connection before http is utilized, you are able to choose only one certificate per IP/port combination. By default, the defualt ssl site.

This changed because you now can use TLS (gnutls) for encryption, which is in fact 'new version' of SSL and allows name-based encryption. This is however not supported on older operating systems and browsers, like Windows XP.

It is possible if you use firefox or chrome on XP instead of IE it works just fine.

If you want it to work anytime, configure multiple IP's and/or ports for SSL versions of websites. If you have only one website that needs SSL no further configuration is neccesary

Edit: question changed as well

Related

Sendmail to local domain ignoring MX records (part 2)
MySQL slave replication reset with no Master Downtime (using MyISAM)
IIS 7.5 Redirect / URL Rewrite to mobile version of website
Email delivery management grievances
How do MyISAM and InnoDB Utilize HD Space?
How do I setup sshd to require both a private key and a password?
Keeping up with security [closed]
Nginx protect directory with password, except for specific ip's
How do I configure SPF for multiple domains on a server? (also allowing gmail as a sender)
apache server-status not found. check if mod_status is enabled
How to create robots.txt file for all domains on Apache server
Is it possible to limit a Linux process so that it can only run on a particular core on a particular machine?