SSL-enabled name-based virtual hosts with mod_gnutls
This article describes how to set up SSL-enabled name-based virtual hosts — that is, secure virtual hosts which share the same IP address and port — with the SNI-capable mod_gnutls module for Apache’s httpd server.
Server Name Indication (SNI) is a TLS extension which makes the configuration of SSL-enabled name-based virtual hosts possible: the client sends the hostname it wants to reach during the TLS handshake, so the server can pick the matching certificate before any HTTP request is seen. The current version of OpenSSL — 0.98 at the time of writing — does not support SNI yet, but it is planned for the upcoming 0.99 release and there are already several patches out there to add SNI capabilities to 0.98. mod_gnutls is an experimental module for Apache’s httpd which includes support for SNI.
This setup has been performed on a server running Debian/Lenny that uses no self-compiled programs or packages.
In order to use mod_gnutls you first need to install it from the repository; simply invoke:
yourserver:~# apt-get update
yourserver:~# apt-get install libapache2-mod-gnutls
Then you need to enable mod_gnutls and disable mod_ssl:
yourserver:~# a2enmod gnutls
yourserver:~# a2dismod ssl
Now it is time to get rid of mod_ssl and its configuration directives, such as SSLEngine, SSLCertificateFile and so on, in each of your virtual host definitions. Instead we will add the mod_gnutls directives there:
GnuTLSEnable on
GnuTLSPriorities NORMAL
GnuTLSCertificateFile /etc/apache2/ssl/apache.crt
GnuTLSCertificateKey /etc/apache2/ssl/apache.key
It is good practice to check the server configuration after each changed virtual host. You can simply do this by invoking the following command:
yourserver:~# apache2ctl configtest
Syntax OK
If you see an error instead of the ‘Syntax OK’ message, you should carefully check the changes you made. Most errors are caused by typos.
Once you have finished adjusting and checking your virtual hosts, you are ready to reload the configuration of your webserver:
yourserver:~# /etc/init.d/apache2 reload
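The following is an added example of what two complete name-based SSL virtual hosts on one address and port look like after the conversion above; it is not configuration taken from the article. The hostnames www.example.com and www.example.org, the certificate paths and the DocumentRoot paths are assumed placeholders.

```apache
# Added example (not from the original article): two name-based SSL
# virtual hosts sharing *:443, each with its own certificate via SNI.

# On Debian, Listen 443 usually lives in ports.conf inside an
# <IfModule mod_ssl.c> block. With mod_ssl disabled that block no longer
# applies, so make sure port 443 is still listened on.
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

# Enable name-based matching for the SSL port (Apache 2.2 syntax).
NameVirtualHost *:443

# The first virtual host listed is also the default one: clients without
# SNI support (see the browser list below) receive this certificate,
# regardless of the hostname they asked for.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example.com

    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    # assumed paths: one key/certificate pair per virtual host
    GnuTLSCertificateFile /etc/apache2/ssl/example.com.crt
    GnuTLSCertificateKey  /etc/apache2/ssl/example.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/example.org

    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile /etc/apache2/ssl/example.org.crt
    GnuTLSCertificateKey  /etc/apache2/ssl/example.org.key
</VirtualHost>
```

Run apache2ctl configtest after adding each block, as described above, before reloading.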
With mod_gnutls, the server supports the SNI TLS extension. The virtual hosts are name-based: no matter which one you visit, the certificate configured for that virtual host is served.
Even though mod_gnutls works pretty well, it is still in an experimental state. Therefore, performance issues should be considered normal (although I could not determine any so far).
Another important point concerns SNI support in web browsers; a browser without SNI support will be presented with the default virtual host’s certificate instead. Currently only these browsers have built-in support for SNI:
- Mozilla Firefox 2.0 or higher
- Opera 8.0 or higher
- Internet Explorer 7.0 or higher
- Safari 3.0 or higher, but not on WinXP
- Google Chrome, but not on WinXP