Hi,

I have set up a SSL site for my default Apache server. But i want to set up multiple SSL sites for multiple IP based as well as Name based Virtual hosts.

Is there a way where in I can include definitions for SSL certificates and keys within the Virtual Host directive in the httpd.conf, so that i can specify separate key and cert file for every Virtual Host.

The problem is that in order to know from which virtual host to serve content a
webserver must inspect the "host" header. This is part of the http
request. However the SSL handshake takes place before any http request
is initiated. In order to complete the handshake the webserver needs
to know which SSL certificate to use. Since the websever can't yet
know which virtual host content is being requested from it uses the
certificate of the first host. It's really a limit of the protocol, not the server.

However the latest version of the HTTPS protocol includes SNI, which
permits a client to transmit to the host the name of the virtualhost
it wants to contact during the SSL handshake. So what you need to do
is make sure you have the very latest apache, compiled with the latest
openssl libraries, and use a recent webbrowser.

Thanks

I guess you didn't understood my exact query. Let me explain you again. Lets say i have my apache running on this IP 192.168.120.180 and i have generated a SSL cert and key file for the Server(lets say Server Name site1.myserve.mydomain) and self signed and it is running fine. Now i want to do the following things :

1. Now lets say i create a new IP based Vhost with IP 192.168.120.185 (Server Name site2.myserve.mydomain) and i want to generate SSL cert and key file for it and run it as a SSL site.

2. I create a new name based Vhost on the same default IP which is 192.168.120.180 with the Server Name site2.myserve.mydomain and I want to run it as a SSL site.

So how can i do the following.

TIA...

Rohit i understood your problem completely. I elaborated limitation of https protocol. One thing you can do is start multiple instances of apache. Read my last post carefully and search google for "https SNI"

Thanks

Hey Thanks a lot Vishesh. Now i understand what you were trying to say. Thanks for the info.

Hey Vishesh,

I have one more issue, probably if you can help on that also it will be great. I have created multiple virtual hosts on a single IP address and however i have generated SSL certificate and key only for 1st named Vhost i.e. default Vhost.

It works perfectly fine when i'm opening the default named Vhost(site1.LinuxServ1.mydomain), the problem is it also keep on working for any other named Vhost also even if i haven't generated different key and cert file for it.

As to my knowledge it should work and shouldn't open via "Https", but it works and also serves the contents from the defualt server when opened via Https other shows its own index page when opened via Http.

Infact as many named Vhost i create without generating key and certs files keeps opening on a secure channel and contents keep getting served from default server.

So could you kindly explain on this.

I am pretty new to Linux so please ignore if have said something wrong but do correct me at that.

Thanks in advance..

Dear rohit,
When you use SSL , keep in mind that you doesn't access your vhost , but you access server securely. SSL certificate used for server can't for virtual host. One workaround could be specify port number for virtual hosts
<VirtualHost x.x.x.x:80>
Instead of
<VirtualHost x.x.x.x:*>

Thanks

I am not using it, it is by default using the certificate of default vhost for all the virtual vhosts. It is really driving me nuts. And by the way i am using the latest Apache 2.2.3 so version isn't the issue. I will post the httpd.conf file along with some snap shots from browser about whats happening. See if you can help.

Thanks

And one more thing then as you said, does that mean we can host multiple domains securely over one IP ??

We can host multiple vhost over one ip , but all will use same SSL Certificate .
Thanks

Thats the main issue.. Isnt there any way to overcome it ? That means if v are hosting multiple domains per IP then all will use the certificate of the default vhost n once that site will be accessed securely it ll serve contents of default vhost which is wrong n hence we can never serve contents of other domains securely ?? AM i right ?

As Vishesh was trying to explain to you, SSL web pages are identified by IP address, not host name. The secure connection is established BEFORE the requested host name. Consequently, using the standard SSL protocols, there is no way to distinguish which host is being requested. There is an alternate protocol called SNI, which stands for Server Name Indication. As far as I know, this protocol is still not supported in the standard SSL or in Apache, though because of the large demand it is (or was) planned for inclusion at a future date. There are some alternate protocols, such as GNU-TLS which does support SNI. You can configure Apache to use it, but you must also patch and compile it. Here is a link on another forum where I reference the process I used to successfully accomplish this: link. The links in that thread should give you enough information to incorporate this feature, if you wish. In addition to supporting it on the server side, it has been my experience that browsers need to support it too. At the time when I worked on this, Firefox supported it just fine, but IE-7 did not.