Setup SNI/SSL in cPanel - ssl

I am looking to set up SNI under cPanel, and while I know it's not directly supported just yet:
http://forums.cpanel.net/f145/case-46856-sni-server-name-indicator-ssl-support-cpanel-83661.html
That doesn't mean it can't be done as far as I'm aware.
Does anyone know of a guide, or have any advice as to where to look to set it up?
Any help would be greatly appreciated.
-------- UPDATE --------
I found this link which details how to set it up on Apache but have been told that cPanel overrides the config files:
http://www.techrepublic.com/blog/opensource/configure-apache-to-support-multiple-ssl-sites-on-a-single-ip-address/987

WHM 11.38 now supports SNI:
http://blog.cpanel.net/ssl-improvements-for-cpanel-whm/
Server Name Indicator (SNI)
Currently, it’s common for each SSL Certificate to require its own
dedicated IP address. The cost of this address is typically being
passed down to the end user.
SNI is able to change this paradigm by indicating what hostname the
client is connecting to at the start of the handshake process. This
allows a server to have multiple certificates all installed on the
same IP address. Users on shared servers, that support SNI, will be
able to install their own certificates and bypass the need for a
dedicated address. While this saves on the cost of the dedicated IP
address, this also helps reduce the need for extra addresses.
In order to experience the full benefit of SNI in cPanel & WHM 11.38,
an operating system that supports this functionality will be needed as
well. CentOS 6 is a prime example of such an operating system.
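The WHM answer above turns on one detail: the client names the host it wants inside the first handshake message, before any certificate is sent, so a server can pick the matching certificate for that IP and port. The following is an added example written for this page (not cPanel's, Apache's, or any project's own code) that builds a minimal TLS ClientHello record, extracts the server_name extension from it the way a server would, and maps it to a certificate. The ClientHello bytes are constructed here rather than captured, and the host names and `.pem` file names are placeholders borrowed from the questions further down the page. A hello without the extension (which is what a non-SNI client sends) falls through to the default certificate, which is exactly the "first site on that IP comes up" behaviour the other answers describe.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension number (RFC 6066)
SNI_HOST_NAME = 0x00      # the only defined server_name name type


def build_client_hello(server_name=None):
    """Construct a minimal ClientHello record (a constructed sample for this
    example, not a capture).  With server_name=None the extensions block is
    omitted entirely, as a client without SNI support would do."""
    body = b"\x03\x03" + bytes(32)            # client_version + 32-byte random
    body += b"\x00"                           # session_id: empty
    body += b"\x00\x02\xc0\x2f"               # one cipher suite (placeholder value)
    body += b"\x01\x00"                       # compression methods: null only
    if server_name is not None:
        name = server_name.encode("idna")
        sni_entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the host_name from the server_name extension of a ClientHello,
    or None when the record is not a TLS ClientHello or carries no SNI.  An
    SSLv2-compatible hello (first byte is a length with the high bit set, no
    extension block) is rejected at the first check."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    try:
        pos += 1 + body[pos]                        # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                        # compression methods
        if pos + 2 > len(body):
            return None                             # no extensions at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == SNI_HOST_NAME:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
    except (IndexError, struct.error):
        return None                                 # truncated or malformed
    return None


def select_certificate(record, certs_by_name, default_name):
    """Server-side selection: the certificate registered for the SNI name if
    there is one, otherwise the default vhost's certificate."""
    return certs_by_name.get(extract_sni(record), certs_by_name[default_name])


if __name__ == "__main__":
    certs = {"www.one.com": "one.pem", "www.two.com": "two.pem"}  # placeholders
    for name in ("www.two.com", None):
        hello = build_client_hello(name)
        print(name, "->", extract_sni(hello), select_certificate(hello, certs, "www.one.com"))
```

Run as a script it prints which certificate each hello would be served; the interesting line is the second one, where a hello without SNI silently gets `one.pem` whatever site the user intended, which is the certificate-mismatch warning the XP/IE questions below are about.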

This is the closest I've seen, using mod_gnutls.
http://blog.dembowski.net/2011/10/28/sni-on-centos-5-6-mod_gnutls/
Apparently installing an updated OpenSSL can break lots of other tools and if you install a separate copy you still have to compile Apache to use that one, which breaks the autoupdater.

Related

ssl connection, using a hostname that is not in the SAN list of the host's certificate

I am quite new to SSL stuff, but I am afraid I can guess the final answer to the following problem/question:
We are building hardware (let's call them servers) that WILL have IP address modifications over their lifetime. Each server must be reachable in a secured manner. We are planning to use a TLS 1.3 secured connection to perform some actions on the servers (update firmware, change configuration and so on). As a consequence we need to provide the servers with one certificate (each) so that they can state their identity. The PKI issue is out of the scope of this question (we suppose), and we can take for granted that the clients and the servers will share a common trusted CA to ensure the SSL handshake goes OK. The servers will serve HTTP connections on their configured (changeable) IP addresses only. There is no DNS involved in the loop.
We are wondering how to set the servers' certificates appropriately.
As the IP will change, it cannot be used as the common name in the server's certificate.
Therefore, we are considering using something more persistent such as a serial number or a MAC address.
The problem is, as there is no DNS in the loop, the client cannot issue an HTTP request to www.serialNumberOfServer.com and must connect to http://x.y.z.t (which will change frequently (at least frequently enough that we don't want to issue a new server certificate each time)).
If we get it right, the SSL handshake requires the hostname (the one in the URL we are connecting to) to match either the commonName of the server's certificate or one of its Subject Alternative Names (SAN). Right? Here, it would be x.y.z.t.
So we think we are stuck in a situation in which the server cannot use its IP to prove its identity and the client wants to use it exclusively to connect to the server.
Is there any workaround?
Are we missing something?
Any help would be very (VERY) appreciated. Do not hesitate in case you need a more detailed explanation!
For what it's worth, the development environment will be Qt using the QNetworkAccessManager/QSsl stuff framework.
If you're not having the client use DNS at all, then you do have a problem. The right solution is to use DNS or static hostname lists (e.g. /etc/hosts on Unix-like systems, or hosts.txt on Windows). That will let you set names appropriately.
If you can only use IP addresses, another option is to put all of the IP addresses that the server might use into the certificate. This is only doable if you have a reasonably small number of addresses that they might get assigned to.
Or you could keep a cache of certificates on the server with one address for each, and have part of the webserver start process select the right certificate. This requires a bit more complex startup.
Edit: Finally, some SSL stacks (e.g. OpenSSL) let you decide whether or not each particular verification error should be accepted as an error or ignored. This would let you override the errors on the client side. However, this is hard to implement properly and very prone to security issues: if you don't bind the remote certificate properly, you're subjecting yourself to man-in-the-middle or other attacks by blindly accepting any old certificate. I don't remember if Qt's SSL library gives you this level of flexibility or not (I don't believe so, but didn't go pull up the documentation).
Went back on the subject 9 months later!
Turns out there is an easy solution (at least with the Qt framework).
Qt's QNetworkRequest::setPeerVerifyName does the job for us. It allows connecting to a host using its IP and verifying a given CN during the SSL handshake.
See the Qt documentation extract below:
void QNetworkRequest::setPeerVerifyName(const QString &peerName)
Sets peerName as host name for the certificate validation, instead of the one used for the TCP connection.
This function was introduced in Qt 5.13.
See also peerVerifyName.
Just tested it positively right now.

GCP Compute Engine Hosting Two HTTPS Websites

I have a Windows instance from GCP Compute Engine. I have had a website on the server using IIS for a time. It is working perfectly with an SSL certificate.
Yet now we want to host another website on the server. I opened the website yesterday, all the DNS entries are configured, and it is also working
well, except that it has no HTTPS connection. I bought an SSL certificate and it is issued and ready for use. However, I forgot that IIS works with SSL in such a way that the most recent SSL certificate is accepted for a specific IP, and all the websites would start consuming that newest one. That is why I was trying to obtain a new IP but could not figure it out. Then I simply tried the traditional way to get a new IP and wanted to assign it to the new site. But in the IPv4 configuration it says 'DHCP Enabled'. So I got stuck there and could not go on to the next steps.
GCP has really complicated documentation on this issue; none of it really clearly explains it. I found some suggestions that I might start by enabling IP forwarding, yet I also could not find in the documentation how to do it.
In short, I had a website with SSL and I have opened a new website on the same machine. Of course, their IPs are the same, so I would like to be able to obtain a new IP without changing the previous site's IP. I just did not know and could not find how to do it.
I would appreciate it if someone could help me figure out how to obtain a new IP for the new site so that I can use my issued SSL certificate for the website.
Thanks!
It is not directly possible to assign more than 1 IP per VM. However, you can have any number of external IP addresses by referencing the instance through forwarding rules and target pools, which is explained in this document.
You may also work this out without an LB, using only a forwarding rule / Protocol Forwarding. More about the concept is discussed here.

Any workaround to run SNI-supported sites on Windows XP and IE8

This question has been asked multiple times and there are well-briefed answers: IE on XP does not support
But we have a problem: we do not have enough public IPs to assign one to each individual SSL-based URL.
I have a very basic question: can we run SNI sites (that point to a single IP) on Windows XP and IE8?
We have some workarounds, like buying another pool of IPs, but that will really cost us a lot.
Thanks
The only way to have multiple certificates on the same IP and port is to use SNI, and this needs a browser which can do SNI. Because you usually don't have control over the client, you cannot force them to upgrade Windows or use another browser on the same platform.
So if you really need to support multiple certificates on a single IP and cannot use SNI, your only option is to have the HTTP server listen on different ports and set up the certificates based on the port. Note that this might give you other problems, because non-standard ports for HTTPS might be blocked by firewalls.
The workarounds are:
1) Make the default site one that tells people that Internet Explorer on XP is not supported and is insecure, and to download Firefox or Chrome, and provide download links. This will hopefully convert customers to using the other browsers.
2) Use different ports.
The multi-domain cert will not help, because only the first site in Apache on port 443 on that IP will come up.
I know that this is a dollar late and a day short, but you could use a Multiple Domain (UCC) SSL certificate.
They are a little more expensive, but you can specify multiple domain names on one certificate.

IE on XP does not support SNI to permit multiple certificates for single server

I've been searching for a few hours to find a solution to my question/problem, and whilst I believe that I have been able to clarify the reason why I have problems, I have been unable to find a resolution.
I have one server which is hosting multiple web sites, and a couple of these web sites are using SSL certificates. I have some shared images accessed by all sites, and the way to stop the non-secure error on the SSL site was to serve those shared images from https://www.example-shared-image-server.com/images/imagename.jpg
This worked fine, until I noticed that when using Internet Explorer on Windows XP it gives the message "There is a problem with this website's security certificate". What I then identified is that it's because it's picking up a certificate for a different domain on the server. It's all to do with hosting multiple sites on one server with SSL certificates.
Let's say I have four sites with only the first two with SSL certificates installed.
https://www.one.com
https://www.two.com
http://www.three.com
http://www.four.com
And let's not forget the following:
https://www.example-shared-image-server.com
So when accessing images from the above shared image URL it is actually bringing up https://www.one.com, hence the error.
So it seems to be something to do with IE not supporting SNI or SSL/TLS on Windows XP or Vista, whereas it does on Win 7 and Win 8. This seems like an immediate ploy by M$ to force people to upgrade to more current operating systems. But the fact is that all other browsers support it.
But what I have not been able to identify is what I can do about it. So I believe my question is: is it possible to host multiple web sites using SSL on the same server on different domains without causing IE to show errors? If not, what do other people do? And if yes, how do I configure it?
I have been on this for hours, so if someone could help, I would really appreciate it.
Many thanks,
Rob
Windows XP's version of SChannel does not support SNI, which means that IE and other WinINET/WinHTTP-based applications do not support SNI on that platform.
http://blogs.msdn.com/b/ieinternals/archive/2009/12/07/certificate-name-mismatch-warnings-and-server-name-indication.aspx
SNI support was introduced in Windows Vista; if you're not seeing it work on that platform, it's likely that IE was reconfigured away from the defaults to enable SSL2. SSLv2-compatible handshakes do not carry TLS extensions like the SNI extension.
The only real workarounds here are to either:
- Host each server on a different IP or port (so the server can select the certificate based on that information)
- Use a certificate that contains multiple hostnames using the SubjectAltName field of the certificate
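The SubjectAltName workaround above, the UCC/multi-domain certificate suggested in the previous question, and the two ideas from the first related question (putting the device's possible IP addresses into the certificate, and Qt's setPeerVerifyName checking a name other than the one you connected to) all rely on the same client-side rule: the name being verified has to appear in the certificate's SAN list, with IP literals matched only against IP-address entries and the subject CN consulted only when there is no SAN at all. The following is an added example written for this page, not code from any of the projects or answers above, that implements that matching in Python over certificates shaped like the dicts `ssl.SSLSocket.getpeercert()` returns. The two sample certificates are constructed here; the host names come from the questions on this page and the serial number and IP addresses are made up.

```python
import ipaddress


def _match_dns(pattern, hostname):
    """Case-insensitive DNS name comparison.  A single leading '*' label
    matches exactly one label, so *.example.com covers www.example.com but
    neither example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:]
            and h_labels[0] != "")


def certificate_matches(cert, name):
    """Return True if `name` (a host name or an IP literal) is covered by the
    certificate.  `cert` has the getpeercert() shape: a dict with 'subject'
    (tuple of RDNs, each a tuple of (key, value) pairs) and 'subjectAltName'
    (tuple of (kind, value) pairs with kind 'DNS' or 'IP Address')."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal never matches a DNS entry, only an IP Address SAN.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        return any(_match_dns(p, name) for p in dns_names)
    # Legacy fallback: no SAN present at all, so compare the subject CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _match_dns(value, name)
    return False


def verify_peer_name(cert, connect_address, peer_verify_name=None):
    """What a client does: verify the explicitly configured name if there is
    one (the setPeerVerifyName idea), otherwise the address it connected to."""
    return certificate_matches(cert, peer_verify_name or connect_address)


# Constructed sample certificates in getpeercert() shape, not real certificates.
UCC_CERT = {
    "subject": ((("commonName", "www.one.com"),),),
    "subjectAltName": (("DNS", "www.one.com"),
                       ("DNS", "www.two.com"),
                       ("DNS", "*.example-shared-image-server.com")),
}
DEVICE_CERT = {                        # serial number as identity, made-up values
    "subject": ((("commonName", "SN-0001234"),),),
    "subjectAltName": (("DNS", "SN-0001234"),
                       ("IP Address", "10.0.0.5"),
                       ("IP Address", "10.0.0.6")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.test"),),)}


if __name__ == "__main__":
    print(certificate_matches(UCC_CERT, "www.two.com"))                          # True
    print(certificate_matches(UCC_CERT, "images.example-shared-image-server.com"))  # True
    print(certificate_matches(DEVICE_CERT, "10.0.0.7"))                          # False
    print(verify_peer_name(DEVICE_CERT, "10.0.0.7", "SN-0001234"))               # True
```

The last two calls are the device scenario from the related question: after the device moves to an address that is not in the certificate, plain verification against the connect address fails, while verifying against the configured serial-number name still succeeds because that name is what the SAN list actually carries. The CN fallback exists only for certificates with no SAN at all; modern browsers ignore the CN entirely, so a multi-site certificate needs every host name in the SAN list, as the answer above says.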

How can I setup different SSL-Certificates for vhosts on Apache?

I have a web server that serves different domain names, but has only one IP address assigned. That works fine with virtual hosts in Apache. Now I want SSL-encrypted connections for the websites. How can I set different SSL certificates for the different vhosts?
Using different IPs for the different hostnames would be a solution - not very elegant, but possible. But I want to know how I can use different SSL certificates for different vhosts. So I am looking for a solution with only one IP address.
UPDATE: 2013
It appears that SNI is finally beginning to take hold as older browsers are falling away. Here are the docs for Apache SNI, and here is a Wikipedia article on SNI that includes a chart of browsers that support it. In short, all the major browsers support it in supported versions; if supporting older browsers is important, you may have to take that into consideration.
------ previous answer ------------
SSL Hosts must be tied to a unique IP address/port combination, thus you cannot use virtual hosting (Or at least, it can only have one ssl host per IP address). This is due to the fact that https begins encryption before the Host: parameter is sent in http, and thus it cannot determine which cipher to use from the hostname - all it has is the IP address.
This would be silly easy to fix if HTTP had a TLS command so it could start SSL after asking for the hostname, but no one asked me.
For the definitive answer, see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2
After hints in the answers given and comments to it (especially by Martin v. Löwis) I did some googling and found this website about RFC 2817 and RFC 3546. RFC 3546 seems to be a good solution.
AFAIK it's not possible to set up different SSL certificates for name-based virtual hosts using mod_ssl. You can read the detailed reason here. An alternative would be using IP-based virtual hosts (which is probably not possible / not a very satisfying solution) - just insert different SSLCertificateFile directives - or you could try this method using mod_gnutls.
You will need a separate IP:port combination for each vhost.
RFC 3546 is not feasible yet. IE only supports it when running under Vista, and last I checked Safari doesn't manage it either.
While everything DGM mentioned is true, there have been some attempts to get around the requirement for a unique IP address for every certificate including mod_gnutls and using TLS extensions. There are some drawbacks but they may be acceptable to you.
Finally it's possible! You need both server and client to support Server Name Indication (SNI).
Browsers that support SNI:
Mozilla Firefox 2.0 or later
Opera 8.0 or later (with TLS 1.1 enabled)
Internet Explorer 7.0 or later (on Vista, not XP)
Google Chrome
Safari 3.2.1 on Mac OS X 10.5.6
This doc shows how to configure your server: SSL with Virtual Hosts Using SNI