Apache, SSL/TLS and SNI status

I’m trying to host my handful of web sites on Amazon, but an EC2 instance gets a single IP address (one private, one public) and, as you know, a plain TLS server can present only one certificate per IP address and port, because it has to send its certificate before it learns which host name the client wants. This is a heavy limit (with a reason), but it is unacceptable for several other reasons (public IP address scarcity, cost and management overhead).

Besides other solutions (multi-domain certificates, for example), I would like to go for the most reasonable way: virtual-hosted SSL/TLS web sites, exactly the same way we all use today for unencrypted web sites. I use Apache, and for it there are a couple of solutions in the works that implement SNI, or Server Name Indication: an extension to the TLS protocol that “… permits the client to request the domain name, before the certificate is committed to by the server”. In practice the client puts the host name, in cleartext, in its ClientHello, so the server can choose the matching certificate before it answers. Browser support can also be a problem, but every recent browser supports it (with the exception of IE 6 and 7 on Windows XP; IE 7 on Vista does support it); try your browser here.
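The mechanism SNI adds, as an added example (not code from the original post, nor from Apache or mod_gnutls): a minimal builder and parser for the TLS ClientHello, followed by the certificate selection an SNI-aware server performs before it sends anything. It also shows the failure mode for browsers that send no SNI: they can only ever get the default vhost’s certificate. The host names, certificate paths and the vhost table are made up for illustration.

```python
"""SNI on the wire: a minimal TLS ClientHello builder and server_name parser.

Added example, not code from the original post or from Apache/mod_gnutls.
The host names, certificate file names and the vhost table are made up.
"""
import struct

TLS_HANDSHAKE = 0x16      # record-layer content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type from RFC 4366 / RFC 6066
SNI_HOST_NAME = 0x00      # the only NameType defined


def build_client_hello(server_name=None, version=(3, 1)):
    """Build a TLS record carrying a ClientHello, with SNI if a name is given.

    Random and cipher list are constructed placeholders; only the layout matters.
    """
    body = bytes(version)                 # client_version (3,1 = TLS 1.0)
    body += b"\x11" * 32                  # random (constructed, not random)
    body += b"\x00"                       # session_id: empty
    body += b"\x00\x02\x00\x2f"           # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                   # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext       # extensions block
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, *version, len(hs)) + hs


def parse_sni(record):
    """Return the host name from the ClientHello's SNI extension, or None.

    This is what an SNI-aware server does *before* choosing a certificate.
    Every length is checked so a truncated or hostile record raises
    ValueError instead of reading past the buffer.
    """
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != CLIENT_HELLO:
            raise ValueError("not a complete ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                            # version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos == len(body):
            return None                                         # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if end != len(body):
            raise ValueError("bad extensions length")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if pos > end:
                raise ValueError("extension overruns ClientHello")
            if ext_type != EXT_SERVER_NAME:
                continue
            names = data[2:2 + struct.unpack("!H", data[:2])[0]]
            q = 0
            while q + 3 <= len(names):
                ntype, nlen = struct.unpack("!BH", names[q:q + 3])
                value = names[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == SNI_HOST_NAME and len(value) == nlen:
                    return value.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello: %s" % exc)


# Constructed vhost table: host name -> certificate to present (paths are made up).
VHOSTS = {
    "www.example.org": "/etc/pki/tls/certs/www.example.org.crt",
    "shop.example.net": "/etc/pki/tls/certs/shop.example.net.crt",
}
DEFAULT_VHOST = "www.example.org"


def select_vhost(record, vhosts=VHOSTS, default=DEFAULT_VHOST):
    """Name-based virtual hosting on port 443.

    Returns (chosen host, certificate). A client that sends no SNI (IE on
    Windows XP, for instance) cannot be matched, so it gets the default
    vhost's certificate; every other site then shows a name-mismatch
    warning in that browser, which is the failure mode to plan for.
    """
    name = parse_sni(record)
    chosen = name if name in vhosts else default
    return chosen, vhosts[chosen]


if __name__ == "__main__":
    for sni in ("shop.example.net", "www.example.org", None):
        print("SNI=%s -> %s" % (sni, select_vhost(build_client_hello(sni))))
```

The same selection happens inside mod_gnutls or nginx when a ClientHello arrives on port 443; the point to keep in mind is that the host name is visible on the wire, and that whatever vhost you make the default is the one every non-SNI browser will see, mismatch warning included.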

The solutions I found are three (I don’t exclude that there are others):

  • mod_ssl: the standard Apache SSL/TLS module, which in turn is based on OpenSSL
  • mod_gnutls: uses the GnuTLS library instead of OpenSSL
  • an SNI-aware web server (like lighttpd or nginx) as a frontend/proxy, but this can generate some administrative overhead because I don’t know them at all.

OpenSSL is in fact part of the problem: support for SNI was introduced in v. 0.9.8f (October 2007) as a TLS extension and fixed in a later release, but TLS extensions are enabled by default only from 0.9.8j (January 2009); earlier releases have to be built with enable-tlsext. There is also no official SNI support yet in mod_ssl for Apache 2.2 (apart from some code and patches for the current and development Apache versions, see here and here).

I finally decided to try the mod_gnutls way: because of some dependencies in my CentOS 5.2 test environment (libgcrypt and GnuTLS itself) it took me some time, but now I have a working SNI web server with as many secure web sites as I want (and users’ browsers permit) on only one IP address.

BTW, if you need to generate self-signed certificates, look here.

Update: I used nginx without too many worries; I compiled the latest version with this command and substituted it for the official CentOS 5.2 version after installing it (don’t do it!), and used it as a proxy in front of Apache:

# --with-http_ssl_module builds the TLS frontend; --with-openssl points at an
# OpenSSL source tree (0.9.8j or later has TLS extensions, and so SNI, on by default)
./configure --prefix=/usr --sbin-path=/usr/sbin/nginx \
 --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log \
 --pid-path=/var/run/nginx.pid  --lock-path=/var/lock/subsys/nginx \
 --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module \
 --with-http_gzip_static_module --http-log-path=/var/log/nginx/access.log \
 --http-client-body-temp-path=/var/lib/nginx/tmp/client_body/ \
 --http-proxy-temp-path=/var/lib/nginx/tmp/proxy/ \
 --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi/ \
 --with-openssl=../openssl-0.9.8k/
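The proxy layout of that update, as an added configuration example (not the post’s own nginx.conf): nginx terminates TLS on the one public IP, picks the certificate by SNI, and forwards plain HTTP to Apache on the loopback interface. The host names, certificate paths and the Apache port (8080) are assumptions.

```nginx
# Added example, not the original post's configuration.
# Host names, certificate paths and the backend port are assumptions.
user  nginx;
events { worker_connections 1024; }

http {
    # Apache keeps doing name-based virtual hosting, but on plain HTTP,
    # bound to 127.0.0.1:8080 only (assumed), so it is never reachable directly.
    upstream apache_backend {
        server 127.0.0.1:8080;
    }

    # First server block for 443 is the default: this is the certificate a
    # browser without SNI (IE on Windows XP) will get, whatever host it asked for.
    server {
        listen 443 ssl;
        server_name www.example.org;
        ssl_certificate     /etc/nginx/ssl/www.example.org.crt;
        ssl_certificate_key /etc/nginx/ssl/www.example.org.key;

        location / {
            proxy_pass http://apache_backend;
            proxy_set_header Host $host;                 # Apache selects its vhost on this
            proxy_set_header X-Forwarded-Proto https;    # lets the app know it was TLS
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    # Second site on the same IP and port: only the name and the key pair differ.
    server {
        listen 443 ssl;
        server_name shop.example.net;
        ssl_certificate     /etc/nginx/ssl/shop.example.net.crt;
        ssl_certificate_key /etc/nginx/ssl/shop.example.net.key;

        location / {
            proxy_pass http://apache_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Two checks worth doing after a reload: `openssl s_client -connect <public-ip>:443 -servername shop.example.net` should show the shop certificate, and the same command without `-servername` should show the default site’s certificate, which is exactly what a non-SNI browser will be shown; put the site you can least afford a mismatch warning on first. Apache must be told about the proxy (listen on 127.0.0.1:8080 only, and trust X-Forwarded-For/X-Forwarded-Proto from 127.0.0.1 only) or its logs and any “is this HTTPS?” checks in the applications will be wrong.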

Update: I found this way to host traditional SSL sites on the same server on EC2 (apart from unified certificates, which are difficult to maintain).

4 thoughts on “Apache, SSL/TLS and SNI status”

  1. Pingback: Apache, SSL/TSL and SNI status | Suporte de Informática

  2. Hi,

    I installed mod_gnutls on my Apache EC2 server (Ubuntu). However, it is acting as if SNI isn’t enabled and I’m getting a name mismatch error on the second vhost using GnuTLS. Any ideas?

    –J

  3. Keep in mind that this only works on some browsers!

    Firefox supports SNI everywhere but IE only supports it on Vista/Win7. Chrome does not support SNI on XP.
