[olug] SSL for Multiple Apache Named VirtualHosts on a single IP?
aric at omahax.com
Fri Mar 5 05:37:27 UTC 2010
TLS SNI!!!!!
Awesome! No more ghetto SRV record dnsmasq NATery????!!!!!
On Thu, 04 Mar 2010 22:00:35 -0600, Phil Brutsche <phil at brutsche.us> wrote:
> Your frustration has nothing to do with SSL or TLS but with traditional
> HTTPS implementations.
>
> Traditionally HTTPS is SSL-on-connect - you connect to port 443 and
> immediately begin negotiating your SSL or TLS session. *Then* you begin
> your HTTP protocol chatter, which includes the Host header.
>
> The *only* way to do what you want with traditional HTTPS is with
> wildcard certificates.
>
> The modern way to do SSL/TLS is to connect to the plain-text port,
> exchange capabilities information to verify the server is capable of
> upgrading to an encrypting session, and issuing the command to do so.
> The command is typically STARTTLS, as implemented by numerous SMTP and
> IMAP daemons.
>
> That is not the only way to do it, however, and that is not the method
> HTTP daemons and web browsers have chosen.
>
> The industry has been coalescing around an extension to the TLS protocol
> that exchanges server name information as part of the TLS negotiation.
> The extension is defined in RFCs 4366 and 4346. It is referred to as the
> TLS SNI extension.
>
> More details: http://en.wikipedia.org/wiki/Server_Name_Indication
>
> Rob Townley wrote:
>> OS = CentOS 5.4
>>
>> Apache 2 by itself is not capable of supporting more than one SSL
>> enabled name based virtual host on the same numeric IP address. So
>> each VirtualHost effectively needs its own IP. Are Apache's
>> limitations true even of wildcard SSL certificates?
>> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
>>
>> http://askcolddrink.blogspot.com/2007/03/apache-httpd-virtual-hosts-and-ssl.html
>>
>> That is frustrating because the SSL Certificate itself is not tied to
>> an IP address, but the SSL protocol seems to force the binding to a
>> single IP name. Security has got to be easier than this by now.
>> I compiled and wrote OpenSSL windows services 10 years ago, so I am
>> rusty. But I do remember TLS promised something better, but the
>> browsers didn't support it. These are internal private only web
>> servers, so I can add more numeric IP addresses, but I would much
>> rather not have that overhead.
>>
>> I.] There has got to be an easier ready-to-go framework running on
>> top of Apache to facilitate a way to handle multiple name based SSL
>> VirtualHosts on the same IP? Hibernate? Spring? Joomla? Drupal?
>> Which one would work best for forcing https on the login pages for
>> various sysadmin pages such as FreeGhost, drbl, ocsinventory-ng, rt,
>> phpMyAdmin each with their own subdomain name?
>>
>> II.] If all the VirtualHosts are in the same domain name and that
>> domain name has a wildcard SSL certificate, is there some way around
>> Apache's limitations?
>>
>> A.) Self generated *.DomainName.com WildCard SSL certificate.
>> B.) VirtualHosts all within that same *.DomainName.com wildcard.
>> C.) ServerNameAlias with all the different server names in a single
>> VirtualHost entry.
>> D.) Perl / Python / PHP script that reads the client's host
>> directive and then rewrites it to somewhere else maybe using
>> VirtualDocumentRoot.
>>
>>
>>
>> III.] Something involving reverse proxy but that is overkill.