Multiple domains with SSL on same IP


Solution 1

I think it is a good idea to explain what the problem really is with virtual hosts and SSL/TLS.

When you connect to an Apache server over HTTP, you send a set of HTTP headers along. They look like this:

GET /index.html HTTP/1.1
Host: www.nice-puppies.com

If you have virtual hosting, Apache will look at the Host field, then fetch the right index.html for you. The problem is when you add SSL/TLS. The server sets up the encryption before you ever send your HTTP request. Therefore the server doesn't know if you are going to www.nice-puppies.com or www.evil-haxxor.com until after the authentication/encryption is completed. The server cannot guess (as sending the wrong certificate gives you a nasty error message).

One solution is a wildcard certificate (as mentioned above), which is valid for *.nice-puppies.com. That way you can use the same cert for multiple domains, but you can't have a *.com certificate (okay, you can, but it would be very bad for everybody else), so in general you will need a separate IP for each HTTPS domain.

Solution 2

The real solution to this problem is "Server Name Indication":

http://en.wikipedia.org/wiki/Server_Name_Indication

It's only starting to be rolled out into servers and web clients, so it's not really something you can use now, but hopefully in a few years' time this won't be as big of a problem.

Solution 3

The problem is that the SSL certificate is bound to the IP address, not the hostname. When the connection comes in on the IP address for an HTTPS request, the first action is to establish the SSL communication by passing the server certificate and/or client certificate. During this stage of the connection handshake the Apache server has no way of knowing what the request about to come through is for. This is different for HTTP (non-SSL) traffic, as after the connection is established the Apache server can determine the virtual host configuration to use if the client sends the Host header, or else it hands it off to the first virtual host configured.

If you had multiple virtual hosts under the same domain you could set up a single wildcard certificate on the IP address and have multiple virtual hosts with different server names defined; however, if those server names are not under the same domain name they would generate client server errors. This would work as the wildcard certificate would be valid for all host names under that domain name. You would need another IP address if the domain names were different, as the first certificate defined for that IP address would be the one presented to connecting clients.

Solution 4

Actually, with modern software you CAN serve multiple HTTPS sites over a single IP address, using a new feature called 'SNI - Server Name Indication'.

http://en.wikipedia.org/wiki/Server_Name_Indication

http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

I have yet to use this myself, but it sounds good for internal and intranet sites. Most modern browsers support SNI. IE6 does not support SNI, but IE7 does.

(Correction: 20100426 -- SNI is not supported on Windows XP at all. Windows Vista and above do support SNI. See "Section 2.2.3" at http://msdn.microsoft.com/en-us/library/dd208005%28v=PROT.13%29.aspx#id8 ).
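The mechanism the answers above describe (the hostname is sent in the clear inside the ClientHello before any encryption is set up, so the server can pick a certificate; and without it the server can only fall back to the first configured host) can be seen directly in the bytes. The following is an added example, not code from any of the answers or from Apache: it constructs a minimal TLS 1.0 ClientHello with and without an SNI extension, parses the server_name extension back out, and mimics name-based vhost selection with a first-vhost fallback. The vhost names and the cipher suite are constructed sample values.

```python
import struct
from typing import List, Optional

SNI_EXTENSION_TYPE = 0x0000   # extension_type for server_name (RFC 6066)
HOST_NAME_TYPE = 0            # NameType host_name


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (constructed test input).

    When server_name is None the SNI extension is omitted entirely, which is
    what an SNI-less client such as IE on Windows XP sends.
    """
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(host)) + host
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data

    body = (
        b"\x03\x01"                              # client_version: TLS 1.0
        + bytes(32)                              # random (zeros in this sample)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x00\x2f"     # one cipher suite (sample value)
        + b"\x01\x00"                            # one compression method: null
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions

    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, TLS 1.0


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the ClientHello's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all

    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ext = body[pos:pos + ext_len]; pos += ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", ext[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", ext[p:p + 3]); p += 3
            name = ext[p:p + name_len]; p += name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("idna")
    return None


def select_vhost(record: bytes, vhosts: List[str]) -> str:
    """Mimic name-based SSL vhost selection: match the SNI name against the
    configured ServerNames, otherwise fall back to the first vhost in
    configuration order (the behaviour the answers describe for Apache)."""
    name = extract_sni(record)
    if name in vhosts:
        return name
    return vhosts[0]


if __name__ == "__main__":
    vhosts = ["www.nice-puppies.com", "www.example.com"]   # constructed sample vhosts
    for sni in ("www.example.com", None):
        hello = build_client_hello(sni)
        print(sni, "->", extract_sni(hello), "serves", select_vhost(hello, vhosts))
```

The parse walks the record exactly as a server does before any key exchange has happened, which is why the hostname is available in time to choose a certificate. A real Python TLS server can make that choice through ssl.SSLContext.sni_callback, which receives the decoded server_name and can swap in a per-host context; a client that sends no extension ends up with whatever the first vhost offers, which is the certificate mismatch error the first answer warns about.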

Solution 5

I am working on the same issue. In my tests, IE7 and later (only on Win7 & Vista)/Chrome/Firefox/Safari/Opera support "Server Name Indication". In fact, if the browser uses TLS 1.0, it supports "Server Name Indication".


Updated on September 17, 2022

Comments

  • nitins
    nitins almost 2 years

    I know that a dedicated IP is needed for setting up SSL. What happens if we add SSL for domains sharing an IP? (NameVirtualHost)

  • bburro
    bburro over 14 years
    Well, I'm puzzled by the question. The Q's title says black, the content says white.
  • bburro
    bburro over 14 years
    This is the white one.
  • Sam Cogan
    Sam Cogan over 14 years
    Good explanation, but you could have a UC cert that will allow multiple domains in one cert
  • nitins
    nitins over 14 years
    You mean the certificate first added in Apache conf will be used for both ?
  • Warner
    Warner over 14 years
    Also SNI. Your statement is no longer definitive, pehrs. Your explanation is historically accurate but no longer reflects current technologies.
  • pehrs
    pehrs over 14 years
    SNI doesn't (yet?) work with IE6 on Windows XP. Which kind of limits the value, considering the market share. I believe the original user was more interested in what would happen than the set of hacks that exist to get around it.
  • user1807902
    user1807902 over 14 years
    If you have two certificates - for site A and B, and Apache loads configuration for hosts in sequence A.conf, then B.conf, then it will use the certificate from A.conf. Or vice versa.
  • Nasko
    Nasko about 14 years
    With IE, support doesn't come from the IE version, rather comes from the underlying OS version. Vista and above support SNI. XP doesn't, so even with IE8 on XP, you won't get SNI.
  • t316
    t316 almost 12 years
    Tried to correct the spelling mistake at the end SHTTP to HTTPS but this was rejected as too small an edit.