[olug] SSL for Multiple Apache Named VirtualHosts on a single IP?

Charles Bird cbird.omaha at gmail.com
Fri Mar 5 05:39:16 UTC 2010


lol


On Thu, Mar 4, 2010 at 11:37 PM, <aric at omahax.com> wrote:

> TLS SNI!!!!!
>
> Awesome!  No more ghetto SRV record dnsmasq NATery????!!!!!
>
> On Thu, 04 Mar 2010 22:00:35 -0600, Phil Brutsche <phil at brutsche.us>
> wrote:
> > Your frustration has nothing to do with SSL or TLS but with traditional
> > HTTPS implementations.
> >
> > Traditionally HTTPS is SSL-on-connect - you connect to port 443 and
> > immediately begin negotiating your SSL or TLS session. *Then* you begin
> > your HTTP protocol chatter, which includes the Host header.
> >
> > The *only* way to do what you want with traditional HTTPS is with
> > wildcard certificates.
> >
> > The modern way to do SSL/TLS is to connect to the plain-text port,
> > exchange capabilities information to verify the server is capable of
> > upgrading to an encrypting session, and issuing the command to do so.
> > The command is typically STARTTLS, as implemented by numerous SMTP and
> > IMAP daemons.
> >
> > That is not the only way to do it, however, and that is not the method
> > HTTP daemons and web browsers have chosen.
> >
> > The industry has been coalescing around an extension to the TLS protocol
> > that exchanges server name information as part of the TLS negotiation.
> > The extension is defined in RFCs 4366 and 4346. It is referred to as the
> > TLS SNI extension.
> >
> > More details: http://en.wikipedia.org/wiki/Server_Name_Indication
> >
> > Rob Townley wrote:
> >> OS = CentOS 5.4
> >>
> >> Apache 2 by itself is not capable of supporting more than one SSL
> >> enabled name based virtual host on the same numeric IP address. So
> >> each VirtualHost effectively needs its own IP. Are Apache's
> >> limitations true even of wildcard SSL certificates?
> >> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
> >> http://askcolddrink.blogspot.com/2007/03/apache-httpd-virtual-hosts-and-ssl.html
> >>
> >> That is frustrating because the SSL Certificate itself is not tied to
> >> an IP address, but the SSL protocol seems to force the binding to a
> >> single IP name. Security has got to be easier than this by now.
> >> I compiled and wrote OpenSSL windows services 10 years ago, so I am
> >> rusty. But I do remember TLS promised something better, but the
> >> browsers didn't support it. These are internal private only web
> >> servers, so I can add more numeric IP addresses, but I would much
> >> rather not have that overhead.
> >>
> >> I.]  There has got to be an easier ready-to-go framework running on
> >> top of Apache to facilitate a way to handle multiple name based SSL
> >> VirtualHosts on the same IP?  Hibernate? Spring? Joomla?  Drupal?
> >> Which one would work best for forcing https on the login pages for
> >> various sysadmin pages such as FreeGhost, drbl, ocsinventory-ng, rt,
> >> phpMyAdmin each with their own subdomain name?
> >>
> >> II.]  If all the VirtualHosts are in the same domain name and that
> >> domain name has a wildcard SSL certificate, is there some way around
> >> Apache's limitations?
> >>
> >>   A.) Self generated *.DomainName.com WildCard SSL certificate.
> >>   B.) VirtualHosts all within that same *.DomainName.com wildcard.
> >>   C.) ServerNameAlias  with all the different server names in a single
> >> VirtualHost entry.
> >>   D.) Perl / Python / PHP script that reads the client's host
> >> directive and then rewrites it to somewhere else maybe using
> >> VirtualDocumentRoot.
> >>
> >> III.] Something involving reverse proxy but that is overkill.
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>


