ssl with name based host-possible!!!!

Discussion in 'Installation/Configuration' started by u4david, Dec 18, 2009.

  1. u4david

    u4david New Member

    Can anyone tell me if this can be implemented on an ISPConfig 3 system?
    It is proven to work, so why are we not having any support for that?


    This info is copied from a Google search:

    TLS/SSL and name-based Apache virtual hosts using mod_ssl

    With the introduction of the TLS SNI extension (transport layer security server name indication), name-based virtual hosts (i.e. virtual hosts sharing the same IP address) can now use distinct SSL certificates.

    Here’s how to configure TLS SNI on Gentoo, using Apache:

    1) DON’T try to set up TLS SNI using mod_gnutls. When I tried it on January 30, 2009, mod_gnutls still seemed to be too experimental and unstable for reliable TLS SNI (I observed some non-deterministic behaviour).

    2) It does work fine though with a reasonably current version of OpenSSL and a patched Apache mod_ssl. And here, Gentoo shines once again: With Gentoo, you don’t need to manually patch Apache or OpenSSL! All you have to do is add the “sni” use flag to Apache in /etc/portage/package.use:

    www-servers/apache sni

    and remerge Apache (’emerge -auDNv apache’).

    Note that Gentoo’s OpenSSL is already SNI-enabled by default (since openssl-0.9.8g-r2.ebuild) – remerge/update OpenSSL if required.

    The configuration of SNI-enabled name-based virtual hosts in Apache is transparent, i.e. works the same way as for SSL-enabled, non-SNI name-based virtual hosts (of course you’ll want to use different certificates for every virtual host and specify them, as explained on Kaspar Brand’s TLS SNI test site).

    Let me know how to do such a thing on an ISPConfig 3 system.
    Thank you
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    TLS-SNI is a patch for Apache to support name-based SSL hosts. It is not part of the Apache packages on the major Linux distributions. If TLS-SNI is available on the major distributions as an official Apache extension, then we will implement this too. Until now, nobody can use it without recompiling Apache. It also works only with newer web browsers.
  3. u4david

    u4david New Member

    on the ice

    I did find the browser support limit.
    That is the only thing holding me back right now, that is, that I could expect some page loading issues on some amount of older browsers.

    Does Apache 2.2 have this feature built in?
    If so, could ISPConfig 3 installed on such a web server be configured with name-based hosts + SSL?
    Last edited: Dec 18, 2009
