Apache cannot serve SSL for multiple name-based virtual hosts on a single IP address; in other words, SSL can only be used with IP-based virtual hosts.

The Apache site explains it all: http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts

Why can’t I use SSL with name-based/non-IP-based virtual hosts?
The reason is very technical, and a somewhat “chicken and egg” problem. The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server Apache has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase. Bingo!


Why do I need an owned IP for my own SSL certificate? Last Modified: Oct 26, 2005, 3:20 pm
The reason you must have your own IP address when you want to use your own SSL certificate (when you don’t want the server wide shared certificate) is because of the way SSL and apache (httpd) work.
For name based webhosting (when many domains are on one IP) the web browser will pass the name of the domain being requested inside the httpd headers along with the request. This way, apache knows which domain you are trying to access even though there are many domains on that one IP address.
When you do the same thing through an SSL connection, the connection has to be made *before* the request can be sent. In this connection, the certificate is passed. The only information that apache knows before the request is made is which IP the connection is being made to. It has to be able to know which certificate to send before the request is made, thus you can’t use multiple certificates on the same IP (if you do, apache will use the first certificate listed which DA will always set to the server shared certificate for shared IPs).
If you want to use your own certificate, it must be the first certificate listed. This wouldn’t work for a shared IP, because there would be multiple domains wanting this status, and the first certificate would be the one shown. For this reason the shared certificate is always used on a shared IP. For your certificate, DA will acknowledge the IP as being ‘owned’ and will remove the server shared certificate as the first cert to be loaded, thus your certificate will be loaded instead.


The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.


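You can also think of it this way: because IP "runs faster", when the server receives a packet it gets the IP information first, and it also talks back to the client by IP (I am not sure whether this is a good analogy), so everyone sees the same SSL certificate.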

http://www.outoforder.cc/projects/apache/mod_gnutls/ offers this: mod_gnutls


mod_gnutls uses the GnuTLS library to provide SSL 3.0, TLS 1.0 and TLS 1.1 encryption for Apache HTTPD. It is similar to mod_ssl in purpose, but does not use OpenSSL.

Warning: mod_gnutls is a new module and requires extensive testing. You can help us by trying mod_gnutls and reporting any issues you encounter.

- Support for SSL 3.0, TLS 1.0 and TLS 1.1.
- Support for client certificates.
- Support for RFC 5081 OpenPGP certificate authentication.
- Support for RFC 5054 SRP authentication.
- Support for Server Name Indication.
- Distributed SSL Session Cache via Memcached
- Local SSL Session Cache using DBM
- Sets environmental vars for scripts (compatible with mod_ssl vars)
- Small and focused code base:
  Lines of code in mod_gnutls: 3,593
  Lines of code in mod_ssl: 15,324

mod_gnutls uses Server Name Indication (SNI)

SNI test servers
Server name indication is a way for HTTP TLS clients to indicate the name of the server they are connecting to. This allows multiple TLS virtual hosts on a single IP. The protocol is described in RFC 3546.

To test the Server Name Indication support of mod_gnutls, use the following (virtual) servers:

test1.gnutls.org: X.509v3 server certificate and SRP authentication.
test2.gnutls.org: X.509v3 server certificate with subject alternative name set and SRP authentication. It requests a client certificate.
test3.gnutls.org: X.509v1 server certificate


This article describes how to implement SSL-enabled name-based vhosts – that is secure virtual hosts which share the same IP address and port – with the SNI-capable mod_gnutls module for Apache’s httpd web server.

Server Name Indication (SNI), as described in section 3.1 of the RFC3546, is a TLS extension which makes the configuration of SSL-enabled name-based virtual hosts possible. This extension eliminates the need for the assignment of one IP address per secure virtual host, therefore the cost for secure web hosting is greatly reduced, as all secure virtual hosts can share the same IP address and port combination. SNI is a huge step forward as it promotes security by making secure web services easier and cheaper to implement. The current version of OpenSSL – 0.98 at the time of writing – does not support SNI yet, but this is planned for the upcoming 0.99 release. On the other hand, mod_gnutls, an experimental module for Apache’s httpd which has been around for 2+ years, includes support for SNI.


Master cuteneko says:

Therefore, you cannot install multiple certificates for multiple virtual hosts on the default SSL port 443 of a single IP address.


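1. Configure a different IP address for each virtual host that needs SSL encryption, all using port 443. For example: www.domain1.com SSL uses , www.domain2.com SSL uses , and the two SSL sites can then be reached via https://www.domain1.com and https://www.domain2.com

2. If there is only one IP address, you can configure a different SSL port for each site. For example: www.domain1.com SSL uses , www.domain2.com SSL uses , and the two SSL sites can then be reached via https://www.domain1.com and https://www.domain2.com:1000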



Put multiple CNs directly into the certificate.
Drawback: a few extra mouse clicks when the https certificate verification dialog pops up.