Bug 54385 - SSL configuration independent from virtual hosts, automatic certificate selection.
Summary: SSL configuration independent from virtual hosts, automatic certificate selec...
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.5-HEAD
Hardware: PC Linux
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2013-01-08 09:57 UTC by Joachim Breitner
Modified: 2013-01-08 10:02 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Joachim Breitner 2013-01-08 09:57:23 UTC
With one certificate covering all hosted domains (using wildcard domains and/or subject alternative name entries), it is possible to
 * have all SSL configuration in one place.
 * define one virtual host once and serve both HTTP and HTTPs

This works by having only one virtual host with ssl configuration. This virtual host is not actually used (and the ServerName may be anything): Before the SSL handshake, apache looks only at that virtual host, sends the certificate, then recieves the request with the Host: header and re-selects the right virtual host.

It is not possible to obtain the same level of convenience with multiple certificates and SNI: Now I do need to configure SSL for each virtual host idependently. Worse, I need to duplicate every virtual host configuration, because the same configuration can no longer server both SSL and non-SSL (unless the patch in 47256 is included).

Worse: If I have  larger number of domains that I want to handle in a single virtual host (e.g. using mod_rewirte magic), I still need to duplicate the configuration if I need to show separate certificates for different domains.

It would be nice if I could, in my original setup with the single „dummy“ SSL virtual host, multiple certificates (or even a whole directory), and have apache select the right certificiate by matching the SNI data against the CN and SAN entries of the ceritificate, showing the client the first one that matches.

After the SSL handshake, virtual host selection would work as before, i.e. based on the ServerName attribute.

This would entangle virtual host configuration and SSL configuration, which I think is a good thing in many use cases.
Comment 1 Joachim Breitner 2013-01-08 10:02:00 UTC
A suggested change would be to have, in addition to SSLCertificateFile, a SSLSNICertificateFile directive that can be used multiple times. mod_ssl will then first go through all certificates mentioned in SSLSNICertificateFile and use the first one with a matching name. If none matches, SSLCertificateFile is used. 

It seems to me that this would be a non-intrusive local change.