December 14, 2012

Multiple SSL Virtual Hosts with Apache: the SNI issue

A short note of what I understood.

For French speakers, have a look here: Mimiz explained that much better than I do!

Before Apache 2.2.12, if you set up multiple Virtual Hosts with an SSL configuration on the same IP and port, you would end up with a warning like this:

[warn] vhost2 VirtualHost overlap on port 443, the first (vhost1) has precedence

You could set up as many SSL VHost configurations as you wanted, but only the first one would be used, sometimes resulting in client warnings because the wrong certificate was served. The reason is simple: the Host header that tells Apache which site is wanted travels inside the encrypted HTTP request, but the server has to pick a certificate before that request exists, so without extra information it can only pick one.

From 2.2.12 on, mod_ssl supports the TLS extension named SNI (which stands for Server Name Indication, RFC 6066, formerly RFC 4366), provided the OpenSSL it is built against has TLS extension support (0.9.8f or later, and for the 0.9.8 series, compiled with enable-tlsext). With SNI the client sends the requested hostname in clear in its ClientHello, so Apache can select the matching VirtualHost and send the right certificate for the requested domain.

But both the client AND the server have to support SNI, and of course some clients do not follow the rule... follow my gaze. When a client sends no SNI, Apache falls back to the first VirtualHost defined for that IP and port, exactly as before 2.2.12.

The Apache wiki page on SNI has a "No support" section listing the client and OS combinations that do not support SNI.

In short, if you have to support Internet Explorer on Windows XP (no version of IE on XP sends SNI), you will need as many IP addresses as domains, one IP:443 per certificate, or else a single certificate covering all the names (wildcard or subjectAltName) served from the default VirtualHost.
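As an added example, not taken from the original post or from the Apache project, here is what the two setups discussed above look like in an Apache 2.2.12+ configuration: name-based SSL VirtualHosts on one address dispatched by SNI, followed by the IP-based fallback for clients that do not send SNI. Hostnames (vhost1.example.com, vhost2.example.com), document roots, certificate paths and the 192.0.2.x addresses are assumptions for illustration.

```apacheconf
# Added example (not from the original post): SNI-based SSL vhosts on one IP.
# All hostnames, paths and addresses below are illustrative assumptions.
Listen 443

# Tell Apache that *:443 carries name-based virtual hosts. Without this,
# the "VirtualHost overlap on port 443" warning appears and only the first
# vhost is ever used.
NameVirtualHost *:443

# The FIRST *:443 vhost is the default: a client that sends no SNI
# (Internet Explorer on Windows XP, for instance) always lands here and
# gets this certificate, whatever hostname it typed.
<VirtualHost *:443>
    ServerName vhost1.example.com
    DocumentRoot /var/www/vhost1

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/vhost1.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/vhost1.example.com.key

    # Optional: instead of silently serving this vhost to non-SNI clients,
    # refuse them outright (HTTP 403). Default is off. Set it only in this
    # default vhost to block non-SNI clients from every name on *:443.
    # SSLStrictSNIVHostCheck on
</VirtualHost>

# Any further *:443 vhost is reachable only through SNI: Apache matches the
# server_name from the ClientHello against ServerName / ServerAlias.
<VirtualHost *:443>
    ServerName vhost2.example.com
    ServerAlias www.vhost2.example.com
    DocumentRoot /var/www/vhost2

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/vhost2.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/vhost2.example.com.key
</VirtualHost>

# Fallback when non-SNI clients must be supported: one IP:443 per
# certificate. Each vhost is bound to its own address, so no NameVirtualHost
# is needed and no client information is required to pick the certificate.
# (192.0.2.0/24 is the documentation range; substitute your real addresses.)
Listen 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName vhost1.example.com
    DocumentRoot /var/www/vhost1
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/vhost1.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/vhost1.example.com.key
</VirtualHost>

Listen 192.0.2.11:443
<VirtualHost 192.0.2.11:443>
    ServerName vhost2.example.com
    DocumentRoot /var/www/vhost2
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/vhost2.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/vhost2.example.com.key
</VirtualHost>
```

To check which certificate a given client would actually receive, compare `openssl s_client -connect 192.0.2.10:443 -servername vhost2.example.com` with the same command without `-servername`: the first should return vhost2's certificate, the second the certificate of the first (default) VirtualHost, which is exactly what a non-SNI client sees.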