ispconfig allows SSL to be enabled on multiple sites with same IP

Discussion in 'General' started by ronee, Dec 6, 2012.

  1. ronee

    ronee Member HowtoForge Supporter

    Currently with ispconfig v3.0.4.6 it is possible to configure more than one site assigned to the same IP with SSL enabled.

    If there is a signed cert on one site and a self signed cert on another, the results appear to be inconsistent where the SSL data served is a strange hybrid between the two.

    I wanted to mention this as imho, ispconfig should only allow SSL to be enabled on a given site if no other sites assigned to that IP have SSL enabled. Changing the IP of an SSL enabled site should also be restricted so that two sites with SSL enabled are not inadvertently assigned to the same IP.

    This is particularly important where multiple users have access to various sites (but not all) on a given server, an accidental or unknowing change of IP by one user on an SSL enabled site can cause issues that are not immediately apparent.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This depends on the browser that you use. Take a look at wikipedia and search for sni ssl to get a list which browsers support sni.

    Beside that, the behaviour of your system depends on the settings that you have made in the ispconfig interface and the things you mentioned above are already avilable, you just have not enabled them. You can disable sni under System > server config > web if you dont want to allow multiple ssl sites on one IP or if you can not ensure that all users use a sni capable browser and you can assign a IP address to one customer if you want to ensure that no other customer uses it.

    As a genaral note, I use sni on several customer servers, it workks fine and the results are consistent.
  3. ronee

    ronee Member HowtoForge Supporter

    Thanks very much, Till, that makes sense.

    One other question about that -- is there a way within ispconfig to control which cert is to be used as the default certificate for those browsers / clients that do not support SNI?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    SNI sites behave the same like non ssl namebased vhosts. So if no domain matches the site(s), the first site in alphabetical order is shown that uses the same IP address. If you want a specific site to be shown first, just change the domain name.

    Example the site shall be shown first:

    1) Change the domain name in the site settings to
    2) Add as aliasdomain to the site
  5. forgefan

    forgefan New Member

    Till, with regard to the article about "Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL", is it possible to activate SNI and use the server's IP address for multiple SNI domains?

    In other words, in a situation where the server can only have 1 public IP address, is it possible to use the same IP address for both the ISPConfig SSL (for control panel, webmail and phpmyadmin) as well as for additional SNI SSL domains?
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. but This is does not depend on sni as ispconfig listens on a different port.
  7. brody182

    brody182 Member

    when i enable sni in System > server config > web , and then go to sites -> web domain -> SSL, the ssL tab does not show up on clients account... is this a bug?

Share This Page