welcome to netwrkspider

Thursday, July 11, 2013

How to : set up multiple SSL sites on a single IP address with Apache 2.2.12 or higher

As you know, it used to be possible to have an SSL-enabled web site only if it was bound to one particular IP address.
This caused a lot of grief and irritation, because if you had only two IP addresses,
you could only have two SSL-enabled sites.

On two IP addresses you can have any number of regular HTTP sites, spread across both or bound to a single IP,
but for each IP only one HTTPS site. What made this even more frustrating is that if www.xyz.com and
www.abc.com were on the same IP and xyz.com had an HTTPS site as well, going to https://www.abc.com/
would in fact take you to the equivalent of visiting https://www.xyz.com/. This meant that most people who
wanted HTTPS sites had to restrict one site (both HTTP and HTTPS variants) to a single IP address to avoid this
type of confusion.

With Apache 2.2.12 and its support for the SNI (Server Name Indication) extension to the SSL/TLS protocol,
this has changed completely. Now you can configure name-based HTTPS sites: the client sends the host name it
wants in the TLS handshake, so mod_ssl can pick the matching certificate before any HTTP request is seen.

(This is limited to modern browsers; see below for details.)

Apache with SNI Extension Requirements :

Required :

· openssl v0.9.8j or later, built with the TLS extensions option
· apache v2.2.12 or later
· mod_ssl

OS's that support SNI out of the box :

· Red Hat Enterprise Linux 6.x and later
· Fedora 10 and later
· CentOS 6.x
· Debian 6.x and later
· Ubuntu 10.04 and later

OS's where Apache, openssl and mod_ssl must be compiled to the proper versions :

· Red Hat Enterprise Linux 5.x
· CentOS 5.x

Note : Make sure mod_ssl is installed alongside Apache 2.x.x on your Linux OS.

For unsupported browsers :

If you test with a browser that does not support SNI, Apache will present the SSL certificate of the first vhost it parses (loads), whichever site the user was trying to reach. You can disable this fallback by adding the following line to your Apache conf file (apache2.conf or httpd.conf):

SSLStrictSNIVHostCheck on

With this set, clients that send no SNI name get a 403 error instead of the first vhost's content.
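To make the mechanism concrete, here is an added example (not code from the original post or from Apache) that uses Python's ssl module to produce the real ClientHello a client would send, parses the server_name extension out of it, and then applies the selection rule described above: SNI name present means the matching vhost, no SNI means the first vhost parsed, or 403 when SSLStrictSNIVHostCheck is on. The VHOSTS table and select_vhost are a simplified model constructed for this example (certificate paths are placeholders), not mod_ssl's own code, and it only covers the two cases the post describes.

```python
import ssl
import struct

# Constructed vhost table mirroring the two vhosts configured later in this post.
# Certificate paths are placeholders.
VHOSTS = [
    {"ServerName": "www.xyz.com", "SSLCertificateFile": "/path/to/www_xyz_com.crt"},
    {"ServerName": "www.abc.com", "SSLCertificateFile": "/path/to/www_abc_com.crt"},
]


def capture_client_hello(server_hostname):
    """Run an in-memory TLS client handshake just far enough to emit the ClientHello.

    server_hostname=None mimics a client without SNI support (e.g. IE on Windows XP).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # the handshake never completes, so nothing is verified
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                        # expected: ClientHello written, ServerHello never arrives
    return outgoing.read()


def extract_sni(record):
    """Return the server_name carried in a TLS ClientHello record, or None if absent."""
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                         # handshake type (1) + 24-bit length (3)
    pos += 2 + 32                   # client_version + random
    pos += 1 + hs[pos]              # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]              # compression_methods
    if pos + 2 > len(hs):
        return None                 # no extensions block at all: a pre-SNI client
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:      # server_name extension (RFC 6066)
            # ServerNameList: 2-byte list length, then (name_type, 2-byte length, name)
            p = pos + 2
            name_type = hs[p]
            name_len = struct.unpack("!H", hs[p + 1:p + 3])[0]
            if name_type == 0:      # host_name
                return hs[p + 3:p + 3 + name_len].decode("ascii")
        pos += ext_len
    return None


def select_vhost(server_name, vhosts=VHOSTS, strict_sni_check=False):
    """Simplified model (not mod_ssl's code) of certificate selection on a shared IP:port.

    With an SNI name: the vhost whose ServerName matches (unknown names fall back to the first).
    Without SNI: the first vhost parsed, or 403 when SSLStrictSNIVHostCheck is on.
    """
    if server_name is None:
        return 403 if strict_sni_check else vhosts[0]["ServerName"]
    for vhost in vhosts:
        if vhost["ServerName"].lower() == server_name.lower():
            return vhost["ServerName"]
    return vhosts[0]["ServerName"]


def serve(server_hostname, strict_sni_check=False):
    """End to end: build the ClientHello a client would send and resolve the vhost it reaches."""
    sni = extract_sni(capture_client_hello(server_hostname))
    return select_vhost(sni, strict_sni_check=strict_sni_check)


if __name__ == "__main__":
    print(serve("www.abc.com"))                   # SNI client reaches www.abc.com
    print(serve(None))                            # non-SNI client lands on www.xyz.com
    print(serve(None, strict_sni_check=True))     # strict check: 403
```

The parser walks the ClientHello by hand so the point is visible: the host name is the only thing in the handshake that distinguishes the two sites, and a client that omits it leaves the server with no information to choose on, which is exactly why the first-parsed vhost wins by default.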

Configure Virtual Host :

1 ) Configure your virtual hosts

This is an example of a basic virtual host configuration. Both vhosts listen on the same IP and port; mod_ssl selects the certificate from the name the client sends in SNI. The <VirtualHost> wrappers were lost when the post was published and are restored here; on Apache 2.2 name-based matching on port 443 must also be enabled with NameVirtualHost (the directive is obsolete in 2.4).

NameVirtualHost *:443

Vhost 1 :

<VirtualHost *:443>
 ServerName www.xyz.com
 DocumentRoot /var/www/html/site
 SSLEngine on
 SSLCertificateFile /path/to/www_xyz_com.crt
 SSLCertificateKeyFile /path/to/www_xyz_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

Vhost 2 :

<VirtualHost *:443>
 ServerName www.abc.com
 DocumentRoot /var/www/html/site2
 SSLEngine on
 SSLCertificateFile /path/to/www_abc_com.crt
 SSLCertificateKeyFile /path/to/www_abc_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>


Note : After configuring the vhosts, restart the httpd service and check that port 443 is listening, for example with nmap:

[root@testvm ~]#  nmap localhost

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
30/tcp   open  unknown
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy
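nmap only confirms that something listens on 443; it says nothing about whether each name gets its own certificate. The following added example (not part of the original post, and not an Apache tool) connects to each ServerName with and without SNI using Python's ssl module and reports which names the presented certificate covers, so a misconfigured vhost shows up as served_names that do not include the host. The served_names and name_matches helpers are written for this example; pass cafile if the sites use a private CA, since chain verification is left on and a failing chain raises SSLCertVerificationError.

```python
import socket
import ssl


def served_names(cert):
    """DNS names a certificate covers, from the dict SSLSocket.getpeercert() returns.

    The subject CN is included for older certificates; current browsers use subjectAltName.
    """
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(hostname, names):
    """True if hostname is covered exactly or by a single leftmost-label wildcard (*.example.com)."""
    host = hostname.lower()
    labels = host.split(".")
    for name in names:
        if name == host:
            return True
        if name.startswith("*.") and len(labels) > 2 and name[2:] == ".".join(labels[1:]):
            return True
    return False


def fetch_cert(host, port=443, sni=True, cafile=None):
    """Connect to host:port and return the certificate the server presented.

    sni=False sends no server_name extension, i.e. behaves like a pre-SNI browser.
    Chain verification stays on; the hostname check is done by name_matches so the
    served names can be reported in both cases.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()


def check_vhosts(hostnames, port=443, cafile=None):
    """For each ServerName, report the names served with SNI and without it."""
    report = {}
    for host in hostnames:
        with_sni = served_names(fetch_cert(host, port, sni=True, cafile=cafile))
        without_sni = served_names(fetch_cert(host, port, sni=False, cafile=cafile))
        report[host] = {
            "sni_ok": name_matches(host, with_sni),
            "served_with_sni": sorted(with_sni),
            # without SNI every host should show the first vhost's certificate
            "served_without_sni": sorted(without_sni),
        }
    return report


if __name__ == "__main__":
    for host, result in check_vhosts(["www.xyz.com", "www.abc.com"]).items():
        print(host, result)
```

Run it from a machine that resolves both names to the server; sni_ok must be True for every host, and served_without_sni should be identical across hosts (the first vhost's certificate), which is the behaviour a non-SNI browser will see.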


BROWSERS

SNI is a newer technology and most browsers support it. However, it does not work in IE6 or in any Windows XP browser except Chrome 6 and later.


Desktop Browsers

Internet Explorer 7 and later
Firefox 2 and later
Opera 8 with TLS 1.1 enabled
Google Chrome:
 Supported on Windows XP on Chrome 6 and later
 Supported on Vista and later by default
 Supported on OS X 10.5.7 in Chrome 5.0.342.0 and later
 Chromium 11.0.696.28 and later
Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).
Note: No versions of Internet Explorer on Windows XP support SNI

Mobile Browsers

Mobile Safari for iOS 4.0
Android 3.0 (Honeycomb) and later
Windows Phone 7