[olug] SSL for Multiple Apache Named VirtualHosts on a single IP?

aric at omahax.com aric at omahax.com
Fri Mar 5 05:37:27 UTC 2010


TLS SNI!!!!!

Awesome!  No more ghetto SRV record dnsmasq NATery????!!!!!

On Thu, 04 Mar 2010 22:00:35 -0600, Phil Brutsche <phil at brutsche.us>
wrote:
> Your frustration has nothing to do with SSL or TLS but with traditional
> HTTPS implementations.
> 
> Traditionally HTTPS is SSL-on-connect - you connect to port 443 and
> immediately begin negotiating your SSL or TLS session. *Then* you begin
> your HTTP protocol chatter, which includes the Host header.
> 
> The *only* way to do what you want with traditional HTTPS is with
> wildcard certificates.
> 
> The modern way to do SSL/TLS is to connect to the plain-text port,
> exchange capabilities information to verify the server is capable of
> upgrading to an encrypting session, and issuing the command to do so.
> The command is typically STARTTLS, as implemented by numerous SMTP and
> IMAP daemons.
> 
> That is not the only way to do it, however, and that is not the method
> HTTP daemons and web browsers have chosen.
> 
> The industry has been coalescing around an extension to the TLS protocol
> that exchanges server name information as part of the TLS negotiation.
> The extension is defined in RFCs 4366 and 4346. It is referred to as the
> TLS SNI extension.
> 
> More details: http://en.wikipedia.org/wiki/Server_Name_Indication
> 
> Rob Townley wrote:
>> OS = CentOS 5.4
>> 
>> Apache 2 by itself is  not  capable of supporting more than one SSL
>> enabled name based virtual host on the same numeric IP address.  So
>> each VirtualHost effectively needs its own IP.  Are Apache's
>> limitations true even of wildcard SSL certificates?
>> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
>>
http://askcolddrink.blogspot.com/2007/03/apache-httpd-virtual-hosts-and-ssl.html
>> 
>> That is frustrating because the SSL Certificate itself is not tied to
>> an IP address, but the SSL protocol seems to force the binding to a
>> single IP name.  Security has got to be easier than this this by now.
>> i compiled and wrote OpenSSL windows services 10 years ago, so i am
>> rusty.   But i do remember TLS promised something better, but the
>> browsers didn't support it.   These are internal private only web
>> servers, so i can add more numeric IP addresses, but i would much
>> rather not have that overhead.
>> 
>> I.]  There has got to be an easier ready-to-go framework running on
>> top of Apache to facilitate a way to handle multiple name based SSL
>> VirtualHosts on the same IP?  Hibernate? Spring? Joomla?  Drupal?
>> Which one would work best for forcing https on the login pages for
>> various sysadmin pages such as FreeGhost, drbl, ocsinventory-ng, rt,
>> phpMyAdmin each with their own subdomain name?
>> 
>> II.]  If all the VirtualHosts are in the same domain name and that
>> domain name has a wildcard SSL certificate, is there some way around
>> Apache's limitations?
>> 
>>   A.) Self generated *.DomainName.com WildCard SSL certificate.
>>   B.) VirtualHosts all within that same *.DomainName.com wildcard.
>>   C.) ServerNameAlias  with all the different server names in a single
>> VirtualHost entry.
>>   D.) Perl / Python / PHP script that reads the client's host
>> directive and then rewrites it to somewhere else maybe using
>> VirtualDocumentRoot.
>> 
>> 
>> 
>> III.] Something involving reverse proxy but that is overkill.



More information about the OLUG mailing list