Apache 無法在單一IP建置SSL給多個 Virtual Host (name-based)使用,也就是說 SSL 服務只能在 ip-based 底下使用,

Apache 官網 http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts 說明了一切

Why can’t I use SSL with name-based/non-IP-based virtual hosts?
The reason is very technical, and a somewhat “chicken and egg” problem. The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server Apache has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase. Bingo!

http://help.directadmin.com/item.php?id=89

Why do I need an owned IP for my own SSL certificate? Last Modified: Oct 26, 2005, 3:20 pm
The reason you must have your own IP address when you want to use your own SSL certificate (when you don’t want the server wide shared certificate) is because of the way SSL and apache (httpd) works.
For name based webhosting (when many domains are on one IP) the web browser will pass the name of the domain being requested inside the httpd headers along with the request. This way, apache knows which domain you are trying to access even though there are many domains on that one IP address.
When you do the same thing through an SSL connection, the connection has to be made *before* the request can be sent. In this connection, the certificate is passed. The only information that apache knows before the request is made is which IP the connection is being made to. It has to be able to know which certificate to send before the request is made, thus you can’t use mutiple certificates on the same IP (if you do, apache will use the first certificate listed which DA will always set to the server shared certificate for shared IPs).
If you want to use your own certificate, it must be the first certificate listed. This wouldn’t work for a shared IP, because there would multiple domain wanting this status, and the first certificate would the one shown. For this resaon the shared certificate is always used on a shared IP. For your certificate, DA will aknowledge the IP as being ‘owned’ and will remove the server shared certificate as the first cert to be loaded, thus your certificate will be loaded instead.

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.

SSL一開始的連線要求並沒有包含任何網址名稱,只會傳回它最先找到的第一個設定(即設定在最前面的),所以它不能區別那個SSL是那個網址在用。

也可以這麼理解,因為 IP 跑的比較快,在 Server 接收到封包時,先收到 IP 資訊,傳回 Clinet 也是以 IP 作溝通,(不知比喻的好不好),所以大家看到的 SSL 會是同一個。

http://www.outoforder.cc/projects/apache/mod_gnutls/ 提出來這個東西 mod_gnutls

 

Abstract
mod_gnutls uses the GnuTLS library to provide SSL 3.0, TLS 1.0 and TLS 1.1 encryption for Apache HTTPD. It is similar to mod_ssl  in purpose, but does not use  OpenSSL.

Warning
Warning: mod_gnutls is a new module and requires extensive testing. You can help us by trying mod_gnutls and reporting any issues you encounter.

Features
。Support for SSL 3.0, TLS 1.0 and TLS 1.1.
。Support for client certificates.
。Support for RFC 5081 OpenPGP certificate authentication.
。Support for RFC 5054 SRP authentication.
Support for Server Name Indication.
。Distributed SSL Session Cache via Memcached
。Local SSL Session Cache using DBM
。Sets enviromental vars for scripts (compatible with mod_ssl vars)
。Small and focused code base:
Lines of code in mod_gnutls: 3,593
Lines of code in mod_ssl: 15,324

mod_gnutls 使用了 Server Name Indication (SNI) 的方式
http://www.outoforder.cc/projects/apache/mod_gnutls/sni/

SNI test servers
Server name indication is a way for HTTP TLS clients to indicate the name of the server they are connecting to. This allows multiple TLS virtual hosts on a single IP. The protocol is described in RFC 3546.

To test the Server Name Indication support of mod_gnutls. Use the following (virtual) servers:

test1.gnutls.org: X.509v3 server certificate and SRP authentication.
test2.gnutls.org: X.509v3 server certificate with subject alternative name set and SRP authentication. It requests a client certificate.
test3.gnutls.org: X.509v1 server certificate

http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

This article describes how to implement SSL-enabled name-based vhosts – that is secure virtual hosts which share the same IP address and port – with the SNI-capable mod_gnutls module for Apache’s httpd web server.

Server Name Indication (SNI), as described in section 3.1 of the RFC3546, is a TLS extension which makes the configuration of SSL-enabled name-based virtual hosts possible. This extention eliminates the need for the assignment of one IP address per secure virtual host, therefore the cost for secure web hosting is greatly reduced, as all secure virtual hosts can share the same IP address and port combination. SNI is a huge step forward as it promotes security by making secure web services easier and cheaper to implement. The current version of OpenSSL – 0.98 at the time of writing – does not support SNI yet, but this is planned for the upcoming 0.99 release. On the other hand, mod_gnutls, an experimental module for Apache’s httpd which has been around for 2+ years, includes support for SNI.

相關資訊

cuteneko 大師說:

主要是因為SSL協定層是在HTTP協定層下面的,當SSL連線建立時,SSL模組在Web模組之前就先和瀏覽器進行通訊並交換憑證、建立加密。Web伺服器是通過HTTP資料封包中的”Host”欄位來區分虛擬主機的。當SSL模組在把伺服器憑證發送到瀏覽器時,還沒有收到任何關於HTTP的封包,更不知道虛擬主機的網域名稱,因此SSL模組只能固定將一SSL憑證發送到瀏覽器,而不能根據網域名稱有選擇性的發送憑證。
因此,您無法在一個IP位址的預設的SSL 443埠下為多個虛擬主機安裝多張憑證。

由於一個IP與一個埠號只能對應一張憑證,因此虛擬主機的可能的解決方案如下:

1、為需要SSL加密的虛擬主機配置不同的IP位址,埠號都使用443。例如: www.domain1.comSSL使用 202.96.101.1:443 www.domain2.comSSL使用 202.96.101.2:443,通過 https://www.domain1.comhttps://www.domain2.com 訪問這2個SSL網站了

2、如果只有一個IP位址,可以為多個網站配置不同的SSL埠。例如: www.domain1.comSSL使用 202.96.101.1:443 www.domain2.comSSL使用 202.96.101.1:1000,通過 https://www.domain1.comhttps://www.domain2.com:1000 訪問這2個SSL網站了

 

http://www.itis.tw/node/851
http://blog.seety.org/everydaywork/2005/9/28/408/

直接在 Certificate 中塞進多個 CN
缺點: 在 https 跳出 certificate verification 對話框的時候多按幾個滑鼠
Related posts 相關文章
apache httpd 2.4.58 有些安全性更新
More...
用 DNSSEC 是為了安全,但如果憑證過期了怎麼辦
More...
使用 dehydrated 安裝 Let’s Encrypt SSL 憑證
More...
使用 certbot 安裝 Let’s Encrypt SSL 憑證
More...

作者

留言

撰寫回覆或留言

發佈留言必須填寫的電子郵件地址不會公開。