How to check apache for SNI (Server Name Indication ) availability?

ssl-certificate sni openssl apache-2.4 mod-ssl

The stock CentOS httpd & mod_ssl packages would already have supported SNI. SNI has been supported by openssl since version 0.9.8f and any httpd since version 2.2.12 built with openssl 0.9.8f and newer automatically will support SNI.

But to check if your httpd and mod_ssl support SNI:

Simply test by configuring name based SSL/TLS virtual hosts and check your error log after restarting (from the apache httpd wiki you already linked to):

How can you tell if your Apache build supports SNI?

If you configure multiple name-based virtual hosts for an address where SSL is configured, and SNI isn't built into your Apache, then upon Apache startup a message like

"You should not use name-based virtual hosts in conjunction with SSL!!"

will occur in the error log.
If SNI is built in, then the error log will show

"[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)".

Alternatively use ldd to confirm that mod_ssl is linked against openssl's libssl and confirm the version:

ldd /usr/lib64/httpd/modules/mod_ssl.so
    linux-vdso.so.1 =>  (0x00007fff323f8000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f3d99792000)        <=======
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3d993a8000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3d9918b000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f3d98f87000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3d98bc6000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f3d98977000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f3d98690000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f3d9848c000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f3d98259000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f3d98043000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3d99c3d000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f3d97e34000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f3d97c2f000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f3d97a15000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f3d977ed000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f3d9758c000)
rpm -qf /lib64/libssl.so.10
openssl-libs-1.0.1e-60.el7_3.1.x86_64

Related

Why is the iptables byte count for raw PREROUTING 0?
Can Veeam "Copy Job" handle alternating destinations?
OpenBSD: How to use `relayd` and `httpd` for redirecting subdomain requests
CPU speed related with disk io?
Docker - Timezones in containers not same as on host
QEMU and serial ports on the guest OS
Why does MySQLTuner show query_cache_size (=0)?
Some questions about xenserver HA
SSL - Common Name not recognized
How to get CNTLM gateway logs?
Do 10GbE SFP transceivers need to match?
named not serving letsencrypt TXT records