Dave's Brain

Browse - Computer Tips - Apache says "[warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!".

Date: 2008jan31
Product: Apache
 
Q.  Apache says "[warn] Init: You should not use name-based virtual hosts in conjunction with SSL!!".
Is this for real?

A.  Well, yes and no.
The Apache FAQ says (in part):

Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts? Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server. It comes as rather a shock to learn that it is impossible. ... Read more at http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2
So, yes, officially you need one IP-address or port per SSL host. But what if you aren't running a bank website and just want some encryption? There will be warning about self-signed certificates anyways. It would be nice to have a separate certificate file for each name-based SSL host, like this:
<VirtualHost example1.com:443> SSLCertificateFile /etc/pki/tls/certs/example1.com.pem ... </VirtualHost> <VirtualHost example2.com:443> SSLCertificateFile /etc/pki/tls/certs/example2.com.pem ... </VirtualHost>
However this doesn't work as expected. It just uses the first one for all. If a user goes to https://example2.com they get a popup saying the certificate is self-signed and for site example1.com. They can understand that it's self-signed but being for another site?! That's extra off-putting. So instead, I create a generic self-signed certificate that doesn't mention any site. Just enter "no-site" or "none", etc for the host name when creating the certificate. Setup your name-based virtual hosts like this:
<VirtualHost example1.com:443> SSLCertificateFile /etc/pki/tls/certs/generic.pem ... </VirtualHost> <VirtualHost example2.com:443> SSLCertificateFile /etc/pki/tls/certs/generic.pem ... </VirtualHost>
This works. Its not pretty but it works. When you visit a site like this your browsers asks you if you want to temporarily or permanently accept the certificate. If you answer "temporarily" then you won't get any conflicts. But its hard to make all your users do this. Server Name Indication promises to fix this. http://en.wikipedia.org/wiki/Server_Name_Indication

Add a comment

Sign in to add a comment
Copyright © 2008-2017, dave - Code samples on Dave's Brain is licensed under the Creative Commons Attribution 2.5 License. However other material, including English text has all rights reserved.