views:

1113

answers:

5

I have a web-server, that serves different domain-names, but has only one IP-address assigned. That works fine with virtual hosts in Apache. Now I want SSL-encrypted connections for the websites. How can I set different SSL-certificates for the different vhosts?

Using different IP's for the different hostnames would be an solution - not very elegant but possible. But I want to know, how I can use different SSL-certificates for different vhosts. So I look for a solution with only one IP-address.

+5  A: 

SSL Hosts must be tied to a unique IP address/port combination, thus you cannot use virtual hosting (Or at least, it can only have one ssl host per IP address). This is due to the fact that https begins encryption before the Host: parameter is sent in http, and thus it cannot determine which cipher to use from the hostname - all it has is the IP address.

This would be silly easy to fix if HTTP had a TLS command so it could start SSL after asking for the hostname, but no one asked me.

For the definitive answer, see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2

DGM
Actually, there is RFC 2817 now, which does allow to TLS-upgrade in a HTTP connection. It's implemented in Apache.
Martin v. Löwis
But do browsers support it yet?
DGM
+2  A: 

AFAIK it's not possible to set up different SSL certificates for name-based virtual hosts using mod_ssl. You can read the detailed reason here. An alternative would be using IP based virtual hosts (Which is probably not possible / not a very satisfying solution) - just insert different SSLCertificateFile directives, or you could try this method using mod_gnutls.

VolkA
Wow, that RFC for SNI was started in 2003 and yet it still hasn't caught on? I'm intrigued by the claim that the browsers already support it though.
DGM
+3  A: 

After hints in the answers given and comments to it (especially by Martin v. Löwis) I did some googling and found this website about RFC 2817 and RFC 3546. RFC 3546 seems to be a good solution.

Mnementh
+1  A: 

You will need a separate IP:port combination for each vhost.

RFC 3546 is not feasible yet. IE only supports it when running under Vista, and last I checked Safari doesn't manage it either.

bobince
Yes, the browsers supporting this feature are restricted, but it is one possible solution. A pity, that no 'right' solution exists. RFC 3546 seems the best hope for a good solution. For the time you must order more IP's or restrict the browsers.
Mnementh
Yes, or the ugly temporary solution of running on a different port. RFC3546 will happen, but that day is still unfortunately a long way off.
bobince
+1  A: 

While everything DGM mentioned is true, there have been some attempts to get around the requirement for a unique IP address for every certificate including mod_gnutls and using TLS extensions. There are some drawbacks but they may be acceptable to you.

Robert