I have a web server that serves different domain names but has only one IP address assigned. That works fine with virtual hosts in Apache. Now I want SSL-encrypted connections for the websites. How can I set different SSL certificates for the different vhosts?
Using different IPs for the different hostnames would be a solution, not very elegant but possible. But I want to know how I can use different SSL certificates for different vhosts, so I am looking for a solution with only one IP address.
UPDATE: 2013
It appears that SNI is finally beginning to take hold as older browsers fall away. Here are the docs for Apache SNI and here is a Wikipedia article on SNI that includes a chart of browsers that support it. In short, all the major browsers support it in supported versions; if supporting older browsers is important, you may have to take that into consideration.
------ previous answer ------------
SSL hosts must be tied to a unique IP address/port combination, thus you cannot use virtual hosting (or at least, it can only have one SSL host per IP address). This is due to the fact that HTTPS begins encryption before the Host: parameter is sent in HTTP, and thus it cannot determine which cipher to use from the hostname; all it has is the IP address.
This would be silly easy to fix if HTTP had a TLS command so it could start SSL after asking for the hostname, but no one asked me.
For the definitive answer, see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2
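As an added illustration of what the Apache SNI docs linked above describe (this is example configuration written for this page, not taken from the Apache FAQ or from any answer here), the following puts two name-based TLS vhosts with their own certificates on a single address and port. Hostnames, document roots and certificate/key paths are placeholders. On Apache 2.2 (2.2.12 or later, built against an OpenSSL with TLS extension support) you would additionally need `NameVirtualHost *:443`; Apache 2.4 no longer uses that directive.

```apache
# Added example: two name-based TLS vhosts on one IP address, selected by SNI.
# All hostnames and file paths below are placeholders.
Listen 443

# "off" (the default) lets a client that sends no SNI, such as IE on Windows XP,
# fall through to the first vhost below; "on" rejects such clients with a
# handshake error instead of silently serving them the wrong certificate.
SSLStrictSNIVHostCheck off

# The FIRST vhost for *:443 is the default. It is what non-SNI clients, and
# clients asking for a hostname not configured here, will get, so they will
# see THIS certificate and report a name mismatch for any other site.
<VirtualHost *:443>
    ServerName www.one.com
    DocumentRoot /var/www/one
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.one.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.one.com.key
</VirtualHost>

# Second site, different certificate, same address and port: only the
# server_name sent in the ClientHello distinguishes it from the one above.
<VirtualHost *:443>
    ServerName www.two.com
    DocumentRoot /var/www/two
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.two.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.two.com.key
</VirtualHost>
```

To check which certificate is actually handed out, connect once with and once without a server name, e.g. `openssl s_client -connect <ip>:443 -servername www.two.com` versus `openssl s_client -connect <ip>:443` (no `-servername`), and compare the subject of the certificate each handshake returns; the second one should come back with the www.one.com certificate, which is exactly the behaviour non-SNI browsers see.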
After hints in the answers given and comments to them (especially by Martin v. Löwis) I did some googling and found this website about RFC 2817 and RFC 3546. RFC 3546 seems to be a good solution.
AFAIK it's not possible to set up different SSL certificates for name-based virtual hosts using mod_ssl. You can read the detailed reason here. An alternative would be using IP-based virtual hosts (which is probably not possible / not a very satisfying solution): just insert different SSLCertificateFile directives, or you could try this method using mod_gnutls.
You will need a separate IP:port combination for each vhost.
RFC 3546 is not feasible yet. IE only supports it when running under Vista, and last I checked Safari doesn't manage it either.
While everything DGM mentioned is true, there have been some attempts to get around the requirement for a unique IP address for every certificate including mod_gnutls and using TLS extensions. There are some drawbacks but they may be acceptable to you.
Finally it's possible! You need both server and client to support Server Name Indication (SNI).
Browsers that support SNI:
Mozilla Firefox 2.0 or later
Opera 8.0 or later (with TLS 1.1 enabled)
Internet Explorer 7.0 or later (on Vista, not XP)
Google Chrome
Safari 3.2.1 on Mac OS X 10.5.6
This doc shows how to configure your server: SSL with Virtual Hosts Using SNI
This question has been asked multiple times and there are well-briefed answers: IE on XP does not support
But we have the problem that we do not have enough public IPs to assign to each individual SSL-based URL.
I have a very basic question: can we run SNI sites (that point to a single IP) on Windows XP and IE8?
We have some workarounds, like buying another pool of IPs, but that will really cost us a lot.
Thanks
The only way to have multiple certificates on the same IP and port is to use SNI, and this needs a browser which can do SNI. Because you usually don't have control over the client, you cannot force them to upgrade Windows or use another browser on the same platform.
So if you really need to support multiple certificates on a single IP and cannot use SNI, your only option is to have the HTTP server listen on different ports and set up the certificates based on the port. Note that this might give you other problems, because a non-standard port for HTTPS might be blocked by firewalls.
The workarounds are:
1) Make the default site one that tells people that Internet Explorer on XP is not supported and is insecure, tells them to download Firefox or Chrome, and provides download links. This will hopefully convert customers to using the other browsers.
2) Use different ports.
The multi-domain cert will not help because only the first site in Apache on port 443 on that IP will come up.
I know that this is a dollar late and a day short, but you could use a Multiple Domain (UCC) SSL certificate.
They are a little more expensive, but you can specify multiple domain names on one certificate.
I've been searching for a few hours to find a solution to my question/problem, and whilst I believe that I have been able to clarify the reason why I have problems, I have been unable to find a resolution.
I have one server which is hosting multiple web sites, and a couple of these web sites are using SSL certificates. I have some shared images accessed by all sites, and the way to stop the non-secure error on the SSL site was to serve those shared images from https://www.example-shared-image-server.com/images/imagename.jpg
This worked fine until, that is, I noticed that when using Internet Explorer on Windows XP it gives the message "There is a problem with this website's security certificate". What I then identified is that it's because it's picking up a certificate for a different domain on the server. It's all to do with hosting multiple sites on one server with SSL certificates.
Let's say I have four sites, with only the first two having SSL certificates installed.
https://www.one.com
https://www.two.com
http://www.three.com
http://www.four.com
And let's not forget the following:
https://www.example-shared-image-server.com
So when accessing images from the above shared image URL it is actually bringing up https://www.one.com, hence the error.
So it seems to be something to do with IE not supporting SNI or SSL/TLS on Windows XP or Vista, whereas it does on Win 7 and Win 8. This seems like an immediate ploy by M$ to force people to upgrade to more current operating systems. But the fact is that all other browsers support it.
But what I have not been able to identify is what I can do about it. So I believe my question is: is it possible to host multiple web sites using SSL on the same server on different domains without causing IE to show errors? If not, what do other people do? And if yes, how do I configure it?
I have been on this for hours so if someone could help, I would really appreciate it.
Many thanks,
Rob
Windows XP's version of SChannel does not support SNI, which means that IE and other WinINET/WinHTTP-based applications do not support SNI on that platform.
http://blogs.msdn.com/b/ieinternals/archive/2009/12/07/certificate-name-mismatch-warnings-and-server-name-indication.aspx
SNI support was introduced in Windows Vista; if you're not seeing it work on that platform, it's likely that IE was reconfigured away from the defaults to enable SSL2. SSLv2-compatible handshakes do not carry TLS extensions like the SNI extension.
The only real workarounds here are to either:
Host each server on a different IP or port (so the server can select the certificate based on that information)
Use a certificate that contains multiple hostnames using the SubjectAltName field of the certificate
[Updated with partial answers, some more detailed questions.]
Does CouchDB support multi-domain hosting?
Yes, via [vhosts] + _rewrite(s) configuration.
Does CouchDB support multiple individual httpd bind_address'es (i.e., other than 0.0.0.0)?
Does CouchDB do multi-domain hosting with SSL support?
Is there a canonical (good example) configuration for 2 or more hosts with SSL?
I'd like to know how to run CouchDB to support separate domains, several of which need SSL support for secure connections. I googled to no avail, so I'm wondering if anyone is using CouchDB this way, or whether it's even possible. A sample configuration file would help.
Thx.
Looks like CouchDB supports either one individual IP bind_address or the global 0.0.0.0 bind_address.
Google led to this feature request:
http://couchdb-development.1959287.n2.nabble.com/jira-Created-COUCHDB-907-Support-multiple-ip-addresses-in-bind-address-td5604285.html
which links to this discussion (2012-03-24), which indicates a requested feature but no ETA:
http://comments.gmane.org/gmane.comp.db.couchdb.user/7050
So the answer to #2-4 is "No." for now. (I.e., 0.0.0.0 is the only CouchDB solution for multiple bind_address'es.)
We host many sites with domains on a single IP, e.g. www.domain1.com, www.domain2.com. We want to secure /admin using SSL. Historically each SSL cert needs a unique IP address. These are small sites, and acquiring / assigning an individual IP to each site is unrealistic both in terms of maintainability and cost. Because we are not using subdomains, the wildcard SSL cert approach won't work.
Googling around, I found that Apache can do this by using TLS; see the answer here:
https://serverfault.com/questions/109766/ssl-site-not-using-the-correct-ip-in-apache-and-ubuntu
My question is whether this is possible with IIS 7.5 too? If so, does anyone know how to set this up?
Thanks in advance
Dave
SSL and TLS are basically the same. TLS is the successor to SSL, where TLS 1.0 is basically the same as SSL 3.1.
What makes the difference, though, is the support for SNI. This allows the browser to tell the server which hostname the request is for without the server needing to decrypt the request.
Normally a web server looks at the hostname header to decide which virtual site the request is for. But when SSL/TLS is used, the entire request (including all headers) is encrypted. In order to read the headers the server would have to decrypt the request, but it can't do that without using the proper certificates. To know which certificate to use, it would need to know which site the request is for, but it can't know that because that information is in the encrypted request. A classic chicken/egg problem. This is where SNI steps in.
SNI requires a reasonably new OS / browser / server and is not yet supported by IIS. It will be supported in Windows Server 2012 and IIS 8.0 (due for release this year).
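The chicken-and-egg explanation in the answer just above, and the earlier answer's point that an SSLv2-compatible ClientHello cannot carry the SNI extension, both come down to where in the handshake the hostname sits. The following added example (written for this page, not code from any answer or from Apache, IIS or any TLS library) builds minimal ClientHello messages by hand, parses the server_name extension out of them the way a server must before any key is chosen, and then mimics the vhost selection the page describes: a hello with SNI picks the matching certificate, while a hello without SNI (an SSLv2-style hello, or a TLS hello sent without extensions) falls back to the first vhost. The vhost table, hostnames and certificate paths are constructed placeholders.

```python
"""Locate the SNI hostname in a TLS ClientHello and pick a vhost certificate from it.

Added example for this page. The vhost table and all paths are constructed
placeholders; the ClientHello messages are built inline as test input.
"""
import struct

# Hypothetical vhost table: hostname -> (certificate, key). Order matters: the
# first entry plays the role of Apache's first vhost on the port, i.e. the default.
VHOSTS = {
    "www.one.com": ("/etc/ssl/certs/www.one.com.crt", "/etc/ssl/private/www.one.com.key"),
    "www.two.com": ("/etc/ssl/certs/www.two.com.crt", "/etc/ssl/private/www.two.com.key"),
}
DEFAULT_VHOST = next(iter(VHOSTS))  # served to clients that send no (or an unknown) SNI

SNI_EXTENSION = 0x0000
HOST_NAME = 0x00


def build_client_hello(server_name=None, tls_version=(3, 1)):
    """Build a minimal TLS ClientHello record (constructed input, not a real capture)."""
    body = bytes(tls_version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f"           # one cipher suite (AES128-SHA)
    body += b"\x01\x00"                                  # one compression method: null
    if server_name is not None:
        name = server_name.encode("idna")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext        # extensions block, SNI only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(tls_version) + struct.pack("!H", len(handshake)) + handshake


def build_sslv2_client_hello():
    """Build an SSLv2-compatible ClientHello; this format has no place for extensions."""
    cipher_specs = b"\x00\x00\x2f"                       # one 3-byte SSLv2-style cipher spec
    challenge = b"\x00" * 16
    msg = b"\x01\x03\x01" + struct.pack("!HHH", len(cipher_specs), 0, len(challenge))
    msg += cipher_specs + challenge
    return struct.pack("!H", 0x8000 | len(msg)) + msg    # 2-byte header, high bit set


def extract_sni(data):
    """Return the host_name from the SNI extension, or None when the hello has none."""
    if len(data) < 5:
        raise ValueError("record too short")
    if data[0] & 0x80 and data[2] == 0x01:
        return None                                      # SSLv2-compatible hello: no extensions
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                         # skip client_version and random
    pos += 1 + body[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0] # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    if pos + 2 > len(body):
        return None                                      # TLS hello without any extensions
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:                                # walk the extension list in the clear
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != SNI_EXTENSION:
            continue
        list_end = 2 + struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= list_end:
            ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
            name = edata[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == HOST_NAME:
                return name.decode("ascii")
    return None


def select_certificate(data):
    """Return (vhost, (cert, key)) the server would present before any decryption happens."""
    host = extract_sni(data)
    if host is None or host not in VHOSTS:
        host = DEFAULT_VHOST                             # what a non-SNI browser ends up seeing
    return host, VHOSTS[host]


if __name__ == "__main__":
    for label, hello in [("SNI www.two.com", build_client_hello("www.two.com")),
                         ("TLS, no SNI", build_client_hello()),
                         ("SSLv2-compatible", build_sslv2_client_hello())]:
        print(f"{label:18s} -> {select_certificate(hello)[0]}")
```

The point the code makes is that nothing in `extract_sni` needs a key: the hostname is read from the plaintext extension list before the server answers, which is why SNI breaks the deadlock, and why a client whose hello has no extension list at all (the SSLv2-compatible case, or an unknown name) can only ever be given the default vhost's certificate, exactly the mismatch warning described in the IE-on-XP question above.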
I am looking to setup SNI under cPanel, and while I know it's not directly supported just yet:
http://forums.cpanel.net/f145/case-46856-sni-server-name-indicator-ssl-support-cpanel-83661.html
That doesn't mean it can't be done, as far as I'm aware.
Does anyone know a guide or have any advice as where to look to set it up?
Any help would be greatly appreciated.
-------- UPDATE --------
I found this link which details how to set it up on Apache but have been told that cPanel overrides the config files:
http://www.techrepublic.com/blog/opensource/configure-apache-to-support-multiple-ssl-sites-on-a-single-ip-address/987
WHM 11.38 now supports SNI:
http://blog.cpanel.net/ssl-improvements-for-cpanel-whm/
Server Name Indicator (SNI)
Currently, it's common for each SSL Certificate to require its own dedicated IP address. The cost of this address is typically being passed down to the end user.
SNI is able to change this paradigm by indicating what hostname the client is connecting to at the start of the handshake process. This allows a server to have multiple certificates all installed on the same IP address. Users on shared servers that support SNI will be able to install their own certificates and bypass the need for a dedicated address. While this saves on the cost of the dedicated IP address, this also helps reduce the need for extra addresses.
In order to experience the full benefit of SNI in cPanel & WHM 11.38, an operating system that supports this functionality will be needed as well. CentOS 6 is a prime example of such an operating system.
This is the closest I've seen, using mod_gnutls.
http://blog.dembowski.net/2011/10/28/sni-on-centos-5-6-mod_gnutls/
Apparently installing an updated OpenSSL can break lots of other tools, and if you install a separate copy you still have to compile Apache to use that one, which breaks the autoupdater.