1

I have a Linux server with Gentoo Linux 64 bit.

I have Apache 2.2.17 installed and I have several vhosts configured on it that work correctly. When I try to add SSL vhosts, apache detects only the first one.

This is how each virtual host is configured:

<VirtualHost *:443>
    ServerName myserver
    serverAlias [server name].tux-in.com
    Include /etc/apache2/vhosts.d/magento_vhost.include
    ErrorLog /var/log/apache2/[server]_ssl_error_log

    <IfModule log_config_module>
            TransferLog /var/log/apache2/[server]_ssl_access_log
    </IfModule>

    SSLEngine on

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    SSLCertificateFile /etc/ssl/apache2/server.crt

    SSLCertificateKeyFile /etc/ssl/apache2/server.key

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "/var/www/localhost/cgi-bin">
            SSLOptions +StdEnvVars
    </Directory>

    <IfModule setenvif_module>
            BrowserMatch ".*MSIE.*" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
    </IfModule>

    <IfModule log_config_module>
            CustomLog /var/log/apache2/ssl_request_log \
                    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>
</VirtualHost>

This is the include file:

ServerAdmin myemail@gmail.com

DocumentRoot "/var/www/[server dir]"

<Directory "/var/www/[server dir]">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

In the following URL http://wiki.apache.org/httpd/NameBasedSSLVHosts I read that, regarding SSL virtual hosts, Apache will fetch only the first SSL vhost configuration.

I have a Linux server with dozens of domains forwarded to my IP, and each has its own valid SSL certificate. How can I configure my system to allow that? Do I really need to allocate my IP address to resolve this issue?

thanks!

ufk
  • What do you have for your `NameVirtualHost` configuration directive? – Majenko Apr 04 '11 at 13:47
  • Your main problem is the one that Douglas gave in his answer. Your other options are: a wildcard SSL certificate or TLS Server Name Indication (see the nginx page http://nginx.org/en/docs/http/configuring_https_servers.html#sni - you could place nginx before Apache). – initall Apr 04 '11 at 14:08
  • I didn't have NameVirtualHost set to *:443. That resolved the problem that the first virtualhost always got detected. – ufk Apr 04 '11 at 18:21

3 Answers

4

Apache will "detect" and serve any number of vhosts on an SSL port. The problem is, specifically, with which certificate to use.

Think about how a vhost is selected; the client transmits a Host: header as part of the request that it sends. An SSL tunnel is already established by the time that info is sent to the server, so it's impossible for Apache to select a cert based on something it doesn't know when the certificate is selected. In this situation, it always selects the cert on the first vhost to load.

However, when the client and server both support TLS Server Name Indication, the client can indicate as part of the session negotiation which hostname it's going to hit, allowing Apache to use the correct certificate. Your server should support it (as long as your OpenSSL library is new enough, but Apache 2.2.17 is fine), so it's a question of client support.

If you've got clients still on Windows XP, then that's out; your best options are a wildcard certificate if your sites share a parent domain, or a Subject Alternate Name certificate if they do not.

Shane Madden
  • Thank you for your awesome information! I forgot to add NameVirtualHost *:443. That resolved one of my problems. And with your information here I'll know how to handle the licenses properly. Thanks! – ufk Apr 04 '11 at 18:21
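As an added illustration of the point Shane makes (example code, not from the original post or from Apache): the hostname the client wants is carried in the unencrypted ClientHello, so a server can read it before it has to choose a certificate, whereas the `Host:` header only arrives inside the encrypted tunnel. The block uses Python's `ssl` module with memory BIOs to produce a real ClientHello without any network access, then parses out the `server_name` extension the way a name-based SSL vhost dispatcher must. The hostnames are constructed examples.

```python
import ssl
import struct


def client_hello_bytes(hostname: str) -> bytes:
    """Return the raw ClientHello a client sends for `hostname`.

    Memory BIOs stand in for the socket, so nothing is sent anywhere;
    do_handshake() writes the ClientHello and then waits for a reply."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for the ServerHello
    return outgoing.read()


def parse_sni(record: bytes):
    """Walk TLS record -> Handshake -> ClientHello -> extensions and
    return the server_name, or None if the extension is absent."""
    if record[0] != 0x16:            # record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                   # skip type(1) + version(2) + length(2)
    if hs[0] != 0x01:                 # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    pos = 4                           # handshake type(1) + length(3)
    pos += 2 + 32                     # legacy_version + random
    pos += 1 + hs[pos]                # legacy_session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len                 # cipher_suites
    pos += 1 + hs[pos]                # compression_methods
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        body = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0:             # server_name (RFC 6066)
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack("!H", body[3:5])[0]
            return body[5:5 + name_len].decode("ascii")
    return None


if __name__ == "__main__":
    for host in ("shop.example.com", "blog.example.com"):  # constructed names
        print(host, "->", parse_sni(client_hello_bytes(host)))
```

This is exactly the information a NameVirtualHost *:443 setup relies on; a client without SNI support (the Windows XP case above) sends a ClientHello with no server_name extension, and the server has nothing but the first vhost's certificate to fall back on.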
2

Consider what apache does:

It gets a new connection to a given IP and port number, and it has to set up an SSL connection; for this it needs an SSL certificate. How is it supposed to select between multiple certificates?

So each IP/port combination can only use one SSL certificate. And if you also want to use the default https port, then that's one certificate per IP.

Douglas Leeder
1

In my configuration, I have multiple <VirtualHost *:443> sections with different ServerName values matching the sites' addresses.

For each you have an SSL configuration section, with certificates etc.

For browsers recent enough, it should work. (On Windows XP it won't work, due to crypto libraries that do not handle the multiple-SSL-host request.)

If your packages of SSL and Apache are recent enough, it should work.

Related: SF, where you will see an example config and info on SNI (Server Name Indication).

M'vy