Difference between revisions of "Apache2 mod vhost alias ssl"

From Noah.org
Jump to: navigation, search
m
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
 
[[Category:Engineering]]
 
[[Category:Engineering]]
Technically an SSL certificate is not tied to an IP address  
+
[[Category:SSL]]
(it is tied to a Fully Qualified Domain Name), but a design limitation makes it effectively impossible to do Name Based Virtual Hosting with SSL. In other words an SSL cert may not be tied to a single IP address, but a server on a single IP address cannot support more than one SLL Cert.
+
 
 +
== It can be done ==
 +
 
 +
Marcel Hellig sent me this information. I have not tested this. What I originally wrote in my article wasn't right, or wasn't 100% right. It's possible to have multiple ssl certs and to configure apache(2) to use them right. What you have to do is make VirtualHost directives. For example:
 +
 
 +
<pre>
 +
<VirtualHost *:443>
 +
ServerName www.cookiesoft.de
 +
ServerAlias cookiesoft.de
 +
ServerAdmin admin@cookiesoft.de
 +
DocumentRoot /var/www/
 +
ErrorLog /var/log/apache2/ssl_error.log
 +
TransferLog /var/log/apache2/ssl_access.log
 +
SSLEngine on
 +
SSLProtocol all -SSLv2
 +
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
 +
SSLCertificateFile /etc/ssl/private/ssl_cookiesoft.crt
 +
SSLCertificateKeyFile /etc/ssl/private/ssl_cookiesoft.key
 +
SSLCertificateChainFile /etc/ssl/private/sub.class1.server.ca.pem
 +
SSLCACertificateFile /etc/ssl/private/ca.pem
 +
ServerSignature On
 +
</VirtualHost>
 +
 
 +
<VirtualHost *:443>
 +
ServerName www.punkkeks.de
 +
ServerAlias punkkeks.de
 +
ServerAdmin admin@punkkeks.de
 +
DocumentRoot /var/www/
 +
ErrorLog /var/log/apache2/ssl_error.log
 +
TransferLog /var/log/apache2/ssl_access.log
 +
SSLEngine on
 +
SSLProtocol all -SSLv2
 +
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
 +
SSLCertificateFile /etc/ssl/private/ssl_punkkeks.crt
 +
SSLCertificateKeyFile /etc/ssl/private/ssl_punkkeks.key
 +
SSLCertificateChainFile /etc/ssl/private/sub.class1.server.ca.pem
 +
SSLCACertificateFile /etc/ssl/private/ca.pem
 +
ServerSignature On
 +
</VirtualHost>
 +
</pre>
 +
 
 +
== Old, Obsolete, or Incorrect ==
 +
 
 +
Technically an SSL certificate is <em>not</em> tied to an IP address (it is tied to a Fully Qualified Domain Name), but a design limitation makes it effectively impossible to do Name Based Virtual Hosting with SSL. In other words, an SSL cert may not be tied to a single IP address, but a server on a single IP address cannot support more than one SLL Cert.
  
 
When a browser connects it negotiates the SSL before it makes an HTTP request. Apache can't know which virtual domain to serve until it gets the HTTP request, but it needs to know which virtual domain in order to select the correct SSL certificate to negotiate the SSL.
 
When a browser connects it negotiates the SSL before it makes an HTTP request. Apache can't know which virtual domain to serve until it gets the HTTP request, but it needs to know which virtual domain in order to select the correct SSL certificate to negotiate the SSL.
  
The solution is to use IP based virtual hosting. Sorry.
+
The solution is to use IP based virtual hosting. Sorry. So your single server will have to be configured with an additional IP address for each virtual host that needs SSL.

Latest revision as of 12:38, 27 April 2011


It can be done

Marcel Hellig sent me this information. I have not tested this. What I originally wrote in my article wasn't right, or wasn't 100% right. It's possible to have multiple ssl certs and to configure apache(2) to use them right. What you have to do is make VirtualHost directives. For example:

<VirtualHost *:443>
 ServerName www.cookiesoft.de
 ServerAlias cookiesoft.de
 ServerAdmin admin@cookiesoft.de
 DocumentRoot /var/www/
 ErrorLog /var/log/apache2/ssl_error.log
 TransferLog /var/log/apache2/ssl_access.log
 SSLEngine on
 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
 SSLCertificateFile /etc/ssl/private/ssl_cookiesoft.crt
 SSLCertificateKeyFile /etc/ssl/private/ssl_cookiesoft.key
 SSLCertificateChainFile /etc/ssl/private/sub.class1.server.ca.pem
 SSLCACertificateFile /etc/ssl/private/ca.pem
 ServerSignature On
</VirtualHost>

<VirtualHost *:443>
 ServerName www.punkkeks.de
 ServerAlias punkkeks.de
 ServerAdmin admin@punkkeks.de
 DocumentRoot /var/www/
 ErrorLog /var/log/apache2/ssl_error.log
 TransferLog /var/log/apache2/ssl_access.log
 SSLEngine on
 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
 SSLCertificateFile /etc/ssl/private/ssl_punkkeks.crt
 SSLCertificateKeyFile /etc/ssl/private/ssl_punkkeks.key
 SSLCertificateChainFile /etc/ssl/private/sub.class1.server.ca.pem
 SSLCACertificateFile /etc/ssl/private/ca.pem
 ServerSignature On
</VirtualHost>

Old, Obsolete, or Incorrect

Technically an SSL certificate is not tied to an IP address (it is tied to a Fully Qualified Domain Name), but a design limitation makes it effectively impossible to do Name Based Virtual Hosting with SSL. In other words, an SSL cert may not be tied to a single IP address, but a server on a single IP address cannot support more than one SLL Cert.

When a browser connects it negotiates the SSL before it makes an HTTP request. Apache can't know which virtual domain to serve until it gets the HTTP request, but it needs to know which virtual domain in order to select the correct SSL certificate to negotiate the SSL.

The solution is to use IP based virtual hosting. Sorry. So your single server will have to be configured with an additional IP address for each virtual host that needs SSL.