Setting Up SNI on Apache

Posted on August 15, 2011

One of the biggest technical obstacles with SSL is that, at least traditionally, you can only have one SSL certificate per IP address. This means that for every SSL certificate you have, you need to requisition another IP address, and those are at a premium. A new IP address also means moving that site in DNS and managing everything else that comes with it.

Luckily, a newer technical standard called Server Name Indication (SNI) fixes the problem and allows name-based virtual hosts over SSL in the same manner as plain HTTP.

Setup

Modern versions of Apache support SNI, so setup is quite easy and straightforward. The latest Ubuntu release ships versions of OpenSSL and Apache that support SNI out of the box.

Apache has nice wiki documentation that describes the steps:

  1. Add the SSL certificate to your virtual host, as you would normally. Make sure the virtual host has the correct ServerName/ServerAlias directives.
  2. Apache must be configured with NameVirtualHost for SSL. This is not included by default in the Ubuntu setup, so add NameVirtualHost *:443 to ports.conf.
  3. With SSL using name-based virtual hosts, the virtual hosts must be declared using <VirtualHost *:443>, not <VirtualHost _default_:443>. (The ports.conf file warns about this.)
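The three steps above, put together as an added configuration example (not taken from the post or the Apache wiki), using the Ubuntu file layout the post refers to. The hostnames, DocumentRoot directories and certificate paths are placeholders. Apache does not accept a comment at the end of a directive line, so every comment sits on its own line.

```apache
# /etc/apache2/ports.conf (fragment)
# Step 2: name-based virtual hosting on the SSL port. On Ubuntu this
# belongs inside the existing <IfModule mod_ssl.c> block.
<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>

# /etc/apache2/sites-available/default-ssl (fragment)
# Step 3: *:443, not _default_:443. The first *:443 vhost Apache loads
# is the default server, which is what a client without SNI (or one
# asking for an unknown name) receives, so its certificate is the one
# those clients will see.
<VirtualHost *:443>
    # placeholder hostname
    ServerName secure.example.com
    DocumentRoot /var/www/secure
    SSLEngine on
    # assumed certificate and key paths
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key
    # Optional: refuse clients without SNI instead of serving this host.
    # SSLStrictSNIVHostCheck on
</VirtualHost>

# /etc/apache2/sites-available/www-example-org (fragment)
# Step 1: a second SSL vhost with its own certificate and its own
# ServerName/ServerAlias, sharing the same IP address and port.
<VirtualHost *:443>
    # placeholder hostnames
    ServerName www.example.org
    ServerAlias example.org
    DocumentRoot /var/www/example.org
    SSLEngine on
    # assumed certificate and key paths
    SSLCertificateFile    /etc/ssl/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key
</VirtualHost>
```

After `apachectl -t` and `apachectl -S` come back clean and Apache has been restarted, you can confirm which certificate each name gets with `openssl s_client -connect secure.example.com:443 -servername www.example.org` and inspect the subject of the certificate it prints. Running the same command without `-servername` (on OpenSSL 3, with `-noservername`, since newer s_client sends SNI by default) behaves like a client without SNI and should return the default vhost's certificate.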

That’s it! When you run apachectl -t, you should not see any errors or warnings. Running apachectl -S should indicate that SSL is now using name-based virtual hosts, for example:

VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server secure.arrowquick.com (/etc/apache2/sites-enabled/default-ssl:2)
         port 443 namevhost secure.arrowquick.com (/etc/apache2/sites-enabled/default-ssl:2)
         port 443 namevhost www.wibwabweb.com (/etc/apache2/sites-enabled/wibwabweb-com:72)
*:80                   is a NameVirtualHost
         default server managedshared1.arrowquick.net (/etc/apache2/sites-enabled/000-default:1)
         port 80 namevhost managedshared1.arrowquick.net (/etc/apache2/sites-enabled/000-default:1)
         port 80 namevhost www.arrowquick.com (/etc/apache2/sites-enabled/arrowquick-com:1)
         port 80 namevhost collab.arrowquick.com (/etc/apache2/sites-enabled/collab-arrowquick-com:2)
         port 80 namevhost www.wibwabweb.com (/etc/apache2/sites-enabled/wibwabweb-com:5)

Restart Apache to apply the changes. As the wiki doc says, the Apache error log should then contain:

[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

If the log has the message:

You should not use name-based virtual hosts in conjunction with SSL!!

then SNI was not configured correctly (in which case apachectl -t would most likely have reported similar errors).

Warning

This is all great, but there is one downside: older browsers and operating systems don't support SNI. Specifically, the following don't recognize the extension:

  • Internet Explorer 6 and lower
  • any version of IE on Windows XP
  • Blackberry and many Android phones
  • older Windows/iOS/other mobile phones
  • very, very old browsers

If a browser does not support SNI, the default virtual host will always be served (unless you turn on SSLStrictSNIVHostCheck, in which case the request fails instead).

This is usually not a problem, since these old browsers are rapidly disappearing and can easily be replaced with better, free ones. The only sticking point is if you still have to support a large audience on an old browser, on mobile phones, or on Windows XP. Then you'll have to fall back to an extra IP address.
