As you know, it used to be possible to have an SSL-enabled web site only if it was bound to one particular IP address.
This caused a lot of grief and irritation, because if you had only two IP addresses,
you could only have two SSL-enabled sites, right?
On two IP addresses you can have any number of regular HTTP sites strung out across them both or bound to a single IP,
but for each IP, only one HTTPS site. What made this even more frustrating is that if www.xyz.com and
www.abc.com were on the same IP and xyz.com had an HTTPS site as well, going to https://www.abc.com/
would, in fact, take you to the equivalent of visiting https://www.xyz.com/ (the server presents the xyz.com certificate,
so the browser shows a name-mismatch warning). This meant that most people who
wanted HTTPS sites had to restrict one site (both HTTP and HTTPS variants) to a single IP address to avoid this
type of confusion.
With Apache 2.2.12 and support for the SNI (Server Name Indication) extension to the TLS/SSL protocol,
this has changed completely. Now you can configure name-based HTTPS sites
(this is limited to modern browsers; see below for details).
Apache with SNI Extension Requirements:
Required:
· openssl 0.9.8j or later, built with the TLS extensions option
· apache 2.2.12 or later
· mod_ssl
OS's that support SNI out of the box (SNI ready):
· Red Hat Enterprise Linux 6.x and later
· Fedora 10 and later
· CentOS 6.x
· Debian 6.x and later
· Ubuntu 10.04 and later
OS's that need Apache, openssl and mod_ssl compiled with the proper versions:
· Red Hat Enterprise Linux 5.x
· CentOS 5.x
Note: make sure mod_ssl is installed alongside Apache 2.x on your Linux OS.
For unsupported browsers:
If you test with a browser that does not support SNI, it will be presented with the SSL certificate of the
first vhost that Apache parses (loads), whatever host name it asked for. You can disable this fallback by adding
the following line to your Apache conf file (apache2.conf or httpd.conf):
    SSLStrictSNIVHostCheck on
This will cause a 403 error for unsupported browsers instead of serving them the wrong certificate.
Configure Virtual Host:
1) Configure your virtual hosts
This is an example of a basic virtual host configuration. Both SSL vhosts share the same address and port and
are told apart only by ServerName, which is the value the client's SNI extension is matched against.
Vhost 1:
# Apache 2.2 needs NameVirtualHost for name-based vhosts on a listener; *:443 is assumed here
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName www.xyz.com
    DocumentRoot /var/www/html/site
    SSLEngine on
    SSLCertificateFile /path/to/www_xyz_com.crt
    SSLCertificateKeyFile /path/to/www_xyz_com.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
Vhost 2:
<VirtualHost *:443>
    ServerName www.abc.com
    DocumentRoot /var/www/html/site2
    SSLEngine on
    SSLCertificateFile /path/to/www_abc_com.crt
    SSLCertificateKeyFile /path/to/www_abc_com.key
    SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
Note: after the vhost configuration, restart the httpd service and confirm that port 443 is listening, e.g. with nmap:
[root@testvm ~]# nmap localhost
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
30/tcp   open  unknown
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy
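nmap only shows that 443 is open; it says nothing about which certificate a client without SNI will receive. The following script is an added example (not from the original post) that parses a config like the one above, lists the SSL vhosts in the order Apache reads them, and reports which vhost a non-SNI client lands on, or that it gets a 403 when SSLStrictSNIVHostCheck is on. The sample config is constructed from the two vhosts shown above.

```python
import re
from collections import defaultdict
# Constructed sample config mirroring the two vhosts described above.
SAMPLE_CONF = """\
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName www.xyz.com
    SSLEngine on
    SSLCertificateFile /path/to/www_xyz_com.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName www.abc.com
    SSLEngine on
    SSLCertificateFile /path/to/www_abc_com.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_ssl_vhosts(conf):
    """Return (SSL vhosts in the order Apache parses them, strict-SNI flag)."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        d = {}
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split(None, 1)   # strip comments, split key/value
            if parts:
                d[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        if d.get("sslengine", "").lower() == "on":
            vhosts.append({"address": addr.strip(), "server_name": d.get("servername"), "cert": d.get("sslcertificatefile")})
    strict = re.search(r"^\s*SSLStrictSNIVHostCheck\s+on\s*$", conf, re.M | re.I)
    return vhosts, strict is not None

def audit(conf):
    """Report which vhost non-SNI clients reach, and vhosts SNI cannot select."""
    vhosts, strict = parse_ssl_vhosts(conf)
    by_addr = defaultdict(list)
    for v in vhosts:
        by_addr[v["address"]].append(v)
    findings = []
    for addr, group in by_addr.items():
        if len(group) > 1:          # several certificates share one listener
            if strict:
                findings.append(f"{addr}: non-SNI clients get 403 (SSLStrictSNIVHostCheck on)")
            else:                   # first vhost parsed is the default for non-SNI clients
                findings.append(f"{addr}: non-SNI clients are served {group[0]['server_name']} ({group[0]['cert']})")
        for v in group:
            if not v["server_name"]:
                findings.append(f"{addr}: SSL vhost without ServerName; SNI cannot select it")
    return findings
```

Run `audit(open("/etc/httpd/conf/httpd.conf").read())` against a real config (path assumed) to see the same findings for your own vhosts.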
BROWSERS
SNI is a newer technology and most browsers support it.
However, it does not work in IE6, or in any browser on Windows XP except Chrome 6 and later.
Desktop Browsers
· Internet Explorer 7 and later
· Firefox 2 and later
· Opera 8 with TLS 1.1 enabled
· Google Chrome:
  · Windows XP: Chrome 6 and later
  · Vista and later: supported by default
  · OS X 10.5.7: Chrome version 5.0.342.0 and later
· Chromium 11.0.696.28 and later
· Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later)
Note: no version of Internet Explorer on Windows XP supports SNI.
Mobile Browsers
· Mobile Safari for iOS 4.0
· Android 3.0 (Honeycomb) and later
· Windows Phone 7