Multiple SSL domains on the same IP address and same port?

For the most up-to-date information on Apache and SNI, including additional HTTP-Specific RFCs, please refer to the Apache Wiki

FYsI: “Multiple (different) SSL certificates on one IP” is brought to you by the magic of TLS Upgrading.
It works with newer Apache servers (2.2.x) and reasonably recent browsers (don’t know versions off the top of my head).

RFC 2817 (upgrading to TLS within HTTP/1.1) has the gory details, but basically it works for a lot of people (if not the majority).
You can reproduce the old funky behavior with openssl’s s_client command (or any “old enough” browser) though.

Edit to add: apparently curl can show you what’s happening here better than openssl:

SSLv3

mikeg@flexo% curl -v -v -v -3 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
*   Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: serialNumber=wq8O9mhOSp9fY9JcmaJUrFNWWrANURzJ; C=CA; 
              O=staging.bossystem.org; OU=GT07932874;
              OU=See www.rapidssl.com/resources/cps (c)10;
              OU=Domain Control Validated - RapidSSL(R);
              CN=staging.bossystem.org
*    start date: 2010-02-03 18:53:53 GMT
*    expire date: 2011-02-06 13:21:08 GMT
* SSL: certificate subject name 'staging.bossystem.org'
       does not match target host name 'www.yummyskin.com'
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name 'staging.bossystem.org'
does not match target host name 'www.yummyskin.com'

TLSv1

mikeg@flexo% curl -v -v -v -1 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
*   Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: C=CA; O=www.yummyskin.com; OU=GT13670640;
              OU=See www.rapidssl.com/resources/cps (c)09;
              OU=Domain Control Validated - RapidSSL(R);
              CN=www.yummyskin.com
*    start date: 2009-04-24 15:48:15 GMT
*    expire date: 2010-04-25 15:48:15 GMT
*    common name: www.yummyskin.com (matched)
*    issuer: C=US; O=Equifax Secure Inc.; CN=Equifax Secure Global eBusiness CA-1
*    SSL certificate verify ok.

Related Posts:

  1. Is it bad to redirect http to https?
  2. What is .crt and .key files and how to generate them?
  3. How do I select which Apache MPM to use?
  4. Redirect, Change URLs or Redirect HTTP to HTTPS in Apache – Everything You Ever Wanted to Know About mod_rewrite Rules but Were Afraid to Ask
  5. Finding out what user Apache is running as?
  6. Is it possible to generate RSA key without pass phrase?
  7. What does Apache’s “Require all granted” really do?
  8. How do I prevent apache from serving the .git directory?
  9. Proxy Error 502 “Reason: Error reading from remote server” with Apache 2.2.3 (Debian) mod_proxy and Jetty 6.1.18
  10. How does ServerName and ServerAlias work?
  11. Dealing with HTTP w00tw00t attacks
  12. Apache2 config variable is not defined
  13. Using variables in Apache config files to reduce duplication?
  14. How to get Apache2 to redirect to a subdirectory
  15. Why is the response on localhost so slow?
  16. Do you have any useful awk and grep scripts for parsing apache logs? [closed]
  17. apache2: Could not reliably determine the server’s fully qualified domain name, using 127.0.1.1 for ServerName
  18. TCP vs UDP – What is a TCP connection? [duplicate]
  19. ssh : Permission denied (publickey,gssapi-with-mic)
  20. Error in “MLSD” command While Connecting FTP to Server [closed]
  21. Java default constructor
  22. How do I make a delay in Java?
  23. did you specify the right host or port? error on Kubernetes
  24. How does Java’s PriorityQueue differ from a min-heap?
  25. No “Proceed Anyway” option on NET::ERR_CERT_INVALID in Chrome on MacOS
  26. What is a Memory Heap?
  27. 403 Forbidden vs 401 Unauthorized HTTP responses
  28. Advanced AREL or just Rails Query for has_many through search by association
  29. XPath contains(text(),’some string’) doesn’t work when used with node with more than one Text subnode
  30. Transport endpoint is not connected
  31. How to convert .crt to .pem [duplicate]
  32. pagebreak in markdown while creating pdf
  33. How do I correctly clean up a Python object?
  34. How do I split a string on a delimiter in Bash?
  35. Why does Wi-Fi have so much more bandwidth than Bluetooth?
  36. Convert .pem to .crt and .key
  37. Unable to verify leaf signature
  38. What is the definition of a “disparity map”?
  39. Alternative to ui-grid(doesn’t support angular2/4)
  40. Android java.lang.IllegalStateException: Could not execute method of the activity
  41. cURL error 60: SSL certificate: unable to get local issuer certificate
  42. SwiftUI – How do I change the background color of a View?
  43. How to resolve the error java.net.SocketException: Too many open files
  44. Using map in Haskell
  45. What exactly is cacert.pem for?
  46. node-request – Getting error “SSL23_GET_SERVER_HELLO:unknown protocol”
  47. Downgrade npm to an older version
  48. Mongoose.js: remove collection or DB
  49. slideToggle JQuery right to left
  50. Valgrind Invalid free() / delete / delete[] / realloc() in C
  51. Devise lockable – How to unlock account using unlock_in
  52. How to bind multiple values to a single WPF TextBlock?
  53. reversing list in Lisp
  54. How to disable Windows Update Medic Service?
  55. Systrace for Windows
  56. Good way to encapsulate Integer.parseInt()
  57. TCP/IP packets and datagrams
  58. ArrayList of int array in java
  59. 2CHECKOUT ERROR CODE:PE102
  60. Android Debugging Failing With “Couldn’t connect to logcat, GetProcessId returned: 0” FFImageLoading.Platform.dll.so Not Found
  61. PHP – Indirect modification of overloaded property
  62. WordPress wp-admin https redirect loop
  63. Run WordPress frontend and backend in different domains
  64. use wp_get_theme() to get theme author name
  65. Enabling SSL on wordpress results in 404
  66. Displaying a message when plug-in is deactivated
  67. Save and Publish button not working after installing SSL
  68. 403 error on admin login page
  69. After installing ssl certificate images won’t show
  70. XML asset fails to load using https
  71. get_previous_post in same categories
  72. How can I force users to a particular subdomain to log in for MU (Multisite)?
  73. How to change the paginated posts link class?
  74. How use custom image size + ACF + background image
  75. Pass AJAX variable to PHP functions WordPress plugin
  76. How to protect login via SSL but not the rest of the dashboard
  77. Add query args if website open in mobile
  78. Is the default value of FORCE_SSL_ADMIN documented?
  79. Website Migration (with https) to a new domain(http)
  80. A little stumped – first WordPress theme
  81. Display shortcode based on user meta
  82. Woocommerce Image Categorie Page
  83. Hide image on homepage [closed]
  84. Create a new hyperlink to wordpress blog
  85. PHP Warning:fread(): SSL: Connection reset by peer in /var/www/html/wp-includes/class-wp-http-streams.php line 269
  86. WordPress Login / SSL = Code Question
  87. How to map secure.domain.com to www.domain.com or domain.com with “WordPress MU Domain Mapping” on the primary multisite domain?
  88. SSL/HTTPS Redirect Loop
  89. Generate all urls with https
  90. How do I set the global PATH environment variable on OS X?
  91. nmap find all alive hostnames and IPs in LAN
  92. Should CNAME Be Used For Subdomains?
  93. How do I create user accounts from the Terminal in Mac OS X 10.5?
  94. How to get a .pem file from ssh key pair?
  95. How to inspect remote SMTP server’s TLS certificate?
  96. Choosing between meaningful and meaningless hostnames [closed]
  97. logrotating files in a directories and its subdirectories
  98. Multiple TXT fields for same subdomain
  99. How to restart Nginx on Mac OS X?
  100. Do SPF Records For Primary Domain apply to subdomains?

Leave a Comment

tech