25

I know that a dedicated IP is needed for setting up SSL. What happens if we add SSL for domains sharing an IP? (NameVirtualHost)

Mark Henderson
nitins
  • (5) Duplicate of http://serverfault.com/questions/126072/ – user1686 Mar 26 '10 at 13:13
  • (3) Does this answer your question? [SSL certificate selection based on host-header: is it possible?](https://serverfault.com/questions/126072/ssl-certificate-selection-based-on-host-header-is-it-possible) – maxschlepzig Aug 08 '20 at 09:24

9 Answers

29

I think it is a good idea to explain what the problem really is with virtual hosts and SSL/TLS.

When you connect to an Apache server over HTTP you send a set of HTTP headers along. They look like this:

GET /index.html HTTP/1.1
Host: www.nice-puppies.com

If you have virtual hosting, Apache will look at the Host field, then fetch the right index.html for you. The problem is when you add SSL/TLS. The server sets up the encryption before you ever send your HTTP request. Therefore the server doesn't know if you are going to www.nice-puppies.com or www.evil-haxxor.com until after the authentication/encryption is completed. The server cannot guess (as sending the wrong certificate gives you a nasty error message).

One solution is a wildcard certificate (as mentioned above), which is valid for *.nice-puppies.com. That way you can use the same cert for multiple domains, but you can't have a *.com certificate (okay, you can, but it would be very bad for everybody else), so in general you will need a separate IP for each HTTPS domain.

pehrs
  • (4) Good explanation, but you could have a UC cert that will allow multiple domains in one cert – Sam Cogan Mar 26 '10 at 11:23
  • (1) Yes, you can have Unified Communications Certificates (UCC/UC certs). I should probably have mentioned them. They are, as far as I have seen, mostly used with Exchange/Office Communication Server. And if you use the same certificate for different sites you abuse X.509 semantics. But they do work on most TLS stacks. – pehrs Mar 26 '10 at 12:36
  • (6) Also SNI. Your statement is no longer definitive, pehrs. Your explanation is historically accurate but no longer reflects current technologies. – Warner Mar 26 '10 at 15:24
  • (4) SNI doesn't (yet?) work with IE6 on Windows XP. Which kind of limits the value, considering the market share. I believe the original user was more interested in what would happen than the set of hacks that exist to get around it. – pehrs Mar 26 '10 at 15:45
  • Tried to correct the spelling mistake at the end SHTTP to HTTPS but this was rejected as too small an edit. – Stuart Jul 18 '12 at 16:14
9

The real solution to this problem is "Server Name Indication":

http://en.wikipedia.org/wiki/Server_Name_Indication

It's only starting to be rolled out into servers and web clients, so it's not really something you can use now, but hopefully in a few years' time this won't be as big of a problem.

3

The problem is that the SSL certificate is bound to the IP address, not the hostname. When the connection comes in on the IP address for an HTTPS request, the first action is to establish the SSL communication by passing the server certificate and/or client certificate. During this stage of the connection handshake the Apache server has no way of knowing what the request about to come through is for. This is different for HTTP (non-SSL) traffic, as after the connection is established the Apache server can determine the virtual host configuration to use if the client sends the Host header, or else it hands it off to the first virtual host configured.

If you had multiple virtual hosts under the same domain you could set up a single wildcard certificate on the IP address and have multiple virtual hosts with different server names defined; however, if those server names are not under the same domain name they would generate client server errors. This would work as the wildcard certificate would be valid for all host names under that domain name. You would need another IP address if the domain names were different, as the first certificate defined for that IP address would be the one presented to connecting clients.

Jeremy Bouse
1

This can be added into one single SSL certificate as SAN (Subject Alternative Name). In my experience I had to request an organisation SSL certificate. I used GlobalSign.
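pehrs's answer above covers wildcard certificates and this answer the SAN route; the Python below is an added example (not code from either answer or from any CA) that implements the hostname-matching rules a browser applies to a certificate's DNS names, so you can see which names a single-name, a wildcard and a multi-domain (UC/SAN) certificate each cover. The certificates and hostnames are constructed for the example. The wildcard rules are the RFC 6125 subset clients generally apply: a '*' must be the entire left-most label and matches exactly one label, and when a SAN extension is present the Common Name is ignored. A '*.com'-style wildcard is refused here by a simple label-count heuristic, which stands in for the public suffix list real browsers use.

```python
# Constructed example certificates: 'cn' is the subject Common Name, 'san' the
# dNSName entries of the subjectAltName extension (empty if the cert has none).
CERTS = {
    "single":   {"cn": "www.nice-puppies.com", "san": []},
    "wildcard": {"cn": "*.nice-puppies.com",
                 "san": ["*.nice-puppies.com", "nice-puppies.com"]},
    "uc":       {"cn": "www.nice-puppies.com",
                 "san": ["www.nice-puppies.com", "www.example.org", "mail.example.net"]},
}


def _labels(name):
    """Lower-case, strip a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """Does one certificate DNS name (possibly a wildcard) cover hostname?"""
    pat, host = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return pat == host                       # plain name: exact, case-insensitive match
    if pat[0] != "*" or any("*" in label for label in pat[1:]):
        return False                             # '*' must be the entire left-most label
    if len(pat) < 3:
        return False                             # refuse '*.com' (heuristic, not a public suffix list)
    # the wildcard matches exactly one label: '*.a.b' covers 'x.a.b', not 'a.b' or 'y.x.a.b'
    return len(host) == len(pat) and host[1:] == pat[1:]


def cert_names(cert):
    """Names a client will check: the SAN list if present, otherwise the CN."""
    return cert["san"] if cert["san"] else [cert["cn"]]


def hostname_covered(cert, hostname):
    """True if any of the certificate's checked names covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def coverage(cert, hostnames):
    """Map each requested hostname to whether the certificate covers it."""
    return {h: hostname_covered(cert, h) for h in hostnames}


if __name__ == "__main__":
    hosts = ["www.nice-puppies.com", "shop.nice-puppies.com",
             "nice-puppies.com", "www.example.org"]
    for label, cert in CERTS.items():
        print(label, coverage(cert, hosts))
```

Running it shows the trade-off the answers describe: the wildcard covers every direct subdomain of one domain (and the bare domain only because it is listed explicitly in the SAN), while the UC/SAN certificate covers exactly the unrelated names enumerated in it and nothing else.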

1

Actually, with modern software you CAN serve multiple HTTPS sites over a single IP address, using a new feature called 'SNI - Server Name Indication'.

http://en.wikipedia.org/wiki/Server_Name_Indication

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

I have yet to use this myself, but it sounds good for internal and intranet sites. Most modern browsers support SNI. IE6 does not support SNI, but IE7 does.

(Correction: 20100426 -- SNI is not supported on Windows XP at all. Windows Vista and above do support SNI. See "Section 2.2.3" at http://msdn.microsoft.com/en-us/library/dd208005%28v=PROT.13%29.aspx#id8 ).

Stefan Lasiewski
  • (2) With IE, support doesn't come from the IE version, rather comes from the underlying OS version. Vista and above support SNI. XP doesn't, so even with IE8 on XP, you won't get SNI. – Nasko Apr 26 '10 at 16:39
1

I am working on the same issue. As per my test, IE7 and later (only on Win7 & Vista)/Chrome/Firefox/Safari/Opera support "Server Name Indication". In fact, if the browser uses TLS 1.0, it supports "Server Name Indication".

Sean
0

If you try to add two certificates on the same IP, only the first certificate read will be used everywhere. One IP - one SSL certificate.

If you want to get more SSL certificates on the same IP, consider getting a multiple-domain (so-called UCC - check it out @ godaddy) or wildcard (more expensive) certificate.

Andrejs Cainikovs
  • You mean the certificate first added in Apache conf will be used for both? – nitins Mar 26 '10 at 13:48
  • (1) If you have two certificates - for site A and B, and Apache loads configuration for hosts in sequence A.conf, then B.conf, then it will use the certificate from A.conf. Or vice versa. – Andrejs Cainikovs Mar 26 '10 at 18:19
0

I think that the OP is asking what happens if he adds an SSL cert to an IP that has many virtual hosts. If none of the other virtual hosts use an SSL cert then he should be in the clear.

Iraklis
0

A UC certificate is definitely the way to go: http://www.sslshopper.com/unified-communications-uc-ssl-certificates.html

Robert