HTTPS, SNI, and gnutls breadcrumbs

I am not going to go into details on the subject; I will just mention some keywords (“breadcrumbs”), and you should be able to google the rest.

The issue at hand: I needed to host two websites on the same server, and both sites needed to be secured with SSL. When you try this for the first time you quickly run into the unpleasant discovery that you can only have one certificate active per IP address, which means that when you have virtual hosts only one of them can be secured out of the box, so to speak.

The simplest way around this limitation would probably be to use a unified communications certificate, but that was impractical for my purposes: I had already bought two separate certificates and did not want to make another investment (it is not too much, though: you can get a certificate for five sites at around $75 per year at GoDaddy, for example).

The next possible solution was to run https on different ports for different sites: even though you will find claims that a cert is limited to an IP address, it is actually limited to an IP address plus port number, so you can run https on port 1443 for one domain name and on 2443 for another, for example. I did go this route at first. For a seamless user experience I opened ports 1443 and 2443 in my router (443 was open already) and then set up redirection with mod_rewrite (LAMP, free as in beer, remember?) for each site. Things worked successfully this way, but I ran into issues with my shopping cart software package and did not feel like troubleshooting them (apparently it has some validation checks which hard-code port 443).

So, a little more searching of the net, and here come gnutls and SNI.

gnutls is not packaged for Ubuntu 8.04 (the LTS version I set my server up with), so to avoid the hassle of compiling it I ended up upgrading to 9.10 (karmic). After that,

apt-get install libapache2-mod-gnutls

with the appropriate Apache configuration did the trick.
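For reference, here is the shape of that Apache configuration. This is an added example, not the post's own config: it puts two name-based HTTPS virtual hosts on the same IP and port, each with its own certificate, and lets mod_gnutls pick the right one from the SNI hostname the client sends. The hostnames, document roots and certificate paths are placeholders; the GnuTLS* directives are mod_gnutls's real ones.

```apache
# Added example (not the post's own configuration): two HTTPS sites on
# one IP:443, told apart by SNI via mod_gnutls. Hostnames, document
# roots and certificate/key paths below are placeholders.

# Ubuntu's ports.conf only opens 443 inside <IfModule mod_ssl.c>, so
# make sure Apache also listens on 443 when mod_gnutls is the TLS module.
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

# Apache 2.2 needs this for name-based virtual hosts on port 443.
NameVirtualHost *:443

# First vhost: this is also the one a client WITHOUT SNI support
# (see the note about Konqueror below) gets handed, certificate included.
<VirtualHost *:443>
    ServerName shop.example.com
    DocumentRoot /var/www/shop

    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    # Keep the key file readable by root only (chmod 600).
    GnuTLSCertificateFile /etc/apache2/ssl/shop.example.com.crt
    GnuTLSKeyFile         /etc/apache2/ssl/shop.example.com.key
</VirtualHost>

# Second vhost: same IP, same port, different name and certificate.
<VirtualHost *:443>
    ServerName blog.example.com
    DocumentRoot /var/www/blog

    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile /etc/apache2/ssl/blog.example.com.crt
    GnuTLSKeyFile         /etc/apache2/ssl/blog.example.com.key
</VirtualHost>
```

Enable the module with `a2enmod gnutls`, run `apache2ctl configtest`, then restart Apache. To check that the server really serves a different certificate per name, connect with `openssl s_client -connect <server-ip>:443 -servername blog.example.com` and pipe the output through `openssl x509 -noout -subject`; repeat with `-servername shop.example.com` and confirm the subject changes. Clients that do not send SNI get the first VirtualHost's certificate, so order the vhosts with the site you would rather have served by default first, and expect a name-mismatch warning from such clients on the other site.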

Nota bene: make sure to learn the limitations of SNI. For example, quite ironically in my opinion, Konqueror is one of the browsers which does not process such responses correctly.

Another thing: I suspect that fairly soon (within a year of the date of posting this message) SNI support will be built into the standard ssl module directly, so there will be no need for all this trickery.


