This article describes how to setup SSL-enabled name-based virtual hosts — that is secure virtual hosts which share the same IP address and port — with SNI-capable mod_gnutls module for Apache’s httpd server.
Server Name Indication (SNI) is a TLS extension which makes the configuration of SSL-enabled name-based virtual hosts possible. The current version of OpenSSL — 0.98 at the time of writing — does not support SNI yet, but it is planned for the upcoming 0.99 release and there are already several patches out there to add SNI capabilities to 0.98. mod_gnutls is an experimental module for Apache’s httpd which includes support for SNI.
This setup has been performed on a server that runs on Debian/Lenny and uses no self-compiled programs/packages.
Installation:
In order to use mod_gnutls you need to install it from the repository of course, simply invoke:
1 2 | yourserver:~# apt-get update yourserver:~# apt-get install libapache2-mod-gnutls |
Then you need to enable mod_gnutls and disable mod_ssl:
1 2 | yourserver:~# a2enmod gnutls yourserver:~# a2dismod ssl |
Setup GnuTLS:
Now it is time to get rid off mod_ssl and its configuration directives like SSLEngine, SSLCertificateFile and so on in each of your virtual host definitions. Instead we will add the mod_gnutls directives here:
1 2 3 4 | GnuTLSEnable on GnuTLSPriorities NORMAL GnuTLSCertificateFile /etc/apache2/ssl/apache.crt GnuTLSCertificateKey /etc/apache2/ssl/apache.key |
It is a good practise to check the server configuration after each changed virtual host. You can simply do this by invoking the following command:
1 2 | yourserver:~# apache2ctl configtest
Syntax OK |
If you see an error instead of the ‘Syntax OK’ message, you should carefully check the changes you made. Usually most errors are caused by typos.
Finalization:
Once you have been done with adjusting and checking your virtual hosts you are ready to reload the configuration of your webserver:
1 | yourserver:~# /etc/init.d/apache2 reload |
Conclusion:
With mod_gnutls, the server supports the SNI TLS extension. The virtual hosts are name-based, no matter which one you visit, the relevant certificate for each virtual host is used.
Even tough mod_gnutls works pretty well, it is still in experimental state. Therefore, performance issues should be considered as normal (but could not determine any so far).
Another important point to mention regards to SNI support in web browsers. Currently only these browsers have built-in support for SNI:
- Mozilla Firefox 2.0 or higher
- Opera 8.0 or higher
- Internet Explorer 7.0 or higher
- Safari 3.0 or higher, but not on WinXP
- Google Chrome, but not on WinXP
Thanks for the report, that’s want I was searching for ;)
It’s Wrong
GnuTLSCertificateKey /etc/apache2/ssl/apache.key
It’s Right
GnuTLSKeyFile /etc/apache2/ssl/apache.key
strange, it works with GnuTLSCertificateKey for mehttps://www.der-eremit.de/wp-admin/edit-comments.php#comments-form
by the way, i’ve missed one important point in my post. there’s an issue with firefox 3.5.x/3.6.x and gnutls: if you send large POST data (and that’s not that large as you might think, but couldn’t exactly determine how much you will need) this will fail in most cases. firefox tries to send the request about 6 times and quits with a blank white page.
Thanks to Carson Gee for the reminder.