Milos Zikic - Personal site, sharing thoughts about startups, products and engineering

Apache and NameBased SSL VHosts with SNI

In my company we have one server which needs to serve various sites, each with its own certificate. Since it has only one public IP address, this can only be achieved with SNI.
SNI is available with GnuTLS, and with OpenSSL starting from 0.9.8f.


Since this server runs CentOS 5.5, it doesn't come with a recent enough version of OpenSSL. The best way to get this up and running is to compile OpenSSL from source, and then compile Apache httpd against it.


Prior to doing anything it is important to uninstall devel packages:
 yum remove {httpd,openssl}-devel

Now download OpenSSL 1.0.0a (you can use a different version, but this is the one I worked with):

  • wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz
  • tar xzvf openssl-1.0.0a.tar.gz
  • cd openssl-1.0.0a
  • ./config
  • make
  • make install
This installs it under /usr/local/ssl. Now copy /usr/local/ssl/bin/openssl to /usr/bin/openssl (this replaces the system OpenSSL binary only; the system libraries stay at the old version, which is why httpd is built against /usr/local/ssl below).

Download the latest Apache HTTP Server source:
  • wget http://mirror.candidhosting.com/pub/apache//httpd/httpd-2.2.17.tar.gz
  • tar xzvf httpd-2.2.17.tar.gz
  • cd httpd-2.2.17
  • now it is important to enable SSL and point the configure script at the OpenSSL you just built. I included almost all of the Apache modules here except LDAP (I had problems compiling it, and since we don't use it here I decided to leave it out). You can always compile additional modules later if you like.
./configure --enable-so --enable-ssl --with-ssl=/usr/local/ssl \
--enable-auth-anon \
--enable-auth-dbm \
--enable-auth-digest \
--enable-cache \
--enable-cern-meta \
--enable-charset-lite \
--enable-dav \
--enable-dav-fs \
--enable-deflate \
--enable-disk-cache \
--enable-expires \
--enable-ext-filter \
--enable-file-cache \
--enable-headers \
--enable-info \
--enable-logio \
--enable-mem-cache \
--enable-mime-magic \
--enable-isapi \
--enable-proxy \
--enable-proxy-connect \
--enable-proxy-ftp \
--enable-proxy-http \
--enable-rewrite \
--enable-speling \
--enable-unique-id \
--enable-usertrack \
--enable-vhost-alias
  • when this is finished, run
  • make
  • make install
  • This will put Apache in the /usr/local/apache2 folder.
And you are ready to go. Now you can generate a certificate per host name, add each one to its own virtual host, and it will work.
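As an added example (not part of the original post), here is how the per-host certificates and virtual hosts fit together on the httpd built above, plus a probe that shows which certificate the server actually hands out for a given SNI name. The certificate directory under /usr/local/apache2/conf/ssl and the example host names are assumptions.

```shell
#!/bin/sh
# Added example: name-based SSL vhosts for Apache 2.2 + SNI. One key/cert
# pair per host name, which is exactly what SNI makes possible on one IP.
# CERT_DIR is an assumed location; override it from the environment.
CERT_DIR=${CERT_DIR:-/usr/local/apache2/conf/ssl}

# Print one <VirtualHost> block for HOST, using that host's own certificate.
vhost_block() {
    host=$1
    docroot=${2:-/usr/local/apache2/htdocs/$host}
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    DocumentRoot $docroot
    SSLEngine on
    SSLCertificateFile $CERT_DIR/$host.crt
    SSLCertificateKeyFile $CERT_DIR/$host.key
</VirtualHost>
EOF
}

# Emit the full SNI config: NameVirtualHost once, then one block per host.
# The FIRST block is what clients that send no SNI get, so list the host
# whose certificate they should see first. SSLStrictSNIVHostCheck on would
# reject non-SNI clients instead of silently serving them the default vhost.
sni_config() {
    printf 'NameVirtualHost *:443\nSSLStrictSNIVHostCheck off\n'
    for h in "$@"; do vhost_block "$h"; done
}

# Create a self-signed key/cert for HOST with the OpenSSL built above.
make_selfsigned() {
    host=$1
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$host" \
        -keyout "$CERT_DIR/$host.key" -out "$CERT_DIR/$host.crt"
}

# Show the subject of the certificate served for SNI name HOST. If every
# name returns the same subject, SNI is not in effect (OpenSSL too old, or
# httpd not linked against the new one).
probe_sni() {
    host=$1; server=${2:-$1}
    printf '' | openssl s_client -connect "$server:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject
}
```

Run make_selfsigned once per host, append the output of sni_config to httpd.conf, restart httpd, then compare probe_sni for each name.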

Apache has a guide on this topic as well:
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

And here is a great tutorial on OpenSSL usage:
http://www.tc.umn.edu/~brams006/selfsign.html

