Submitted by sgrayban on Mon, 12/26/2011 - 05:17
I was wondering if anything came of using the Apache mod_gnutls ==> http://modgnutls.sourceforge.net to allow SSL to work on the same IP for different domains?
This does seem to be stable as I tested it tonight on my own server and so far it works.
Status:
Closed (fixed)
Comments
Submitted by JamieCameron on Mon, 12/26/2011 - 15:09 Comment #1
So does this enable use of TLS / SNI to allow the browser to specify the domain name before SSL negotiation starts? I think there's already another core Apache module that supports this, but because not all browsers can handle SNI, its use in real websites is limited.
Submitted by sgrayban on Mon, 12/26/2011 - 15:52 Comment #2
Yep it follows the RFC for it... http://modgnutls.sourceforge.net/?p=feats
http://modgnutls.sourceforge.net/downloads/docs/mod_gnutls_manual-0.1.html
SNI is supported by the following, which is nearly what everyone is using these days; even cell phone browsers can do SNI if they are using a supported browser.
Opera 8.0; MSIE 7.0 (but only on Windows Vista or higher); Firefox 2.0 and other browsers using Mozilla Platform rv:1.8.1; Safari 3.2.1 (Windows version supports SNI on Vista or higher); Chrome (Windows version supports SNI on Vista or higher, too).
Submitted by sgrayban on Mon, 12/26/2011 - 15:55 Comment #3
BTW you can test SNI support by connecting to this URL: https://sni.velox.ch/
Submitted by sgrayban on Mon, 12/26/2011 - 16:11 Comment #4
Just tested https://alice.sni.velox.ch/ on my Droid 2 cell phone and it works. I think it's time to do some real testing here.
The only browsers that are not, and it seems never will be, SNI compatible are the default browsers for Android or other smart phones. They need to install Opera or Firefox to get SNI support.
Submitted by sgrayban on Mon, 12/26/2011 - 16:16 Comment #5
Oh, and it seems you don't need this particular module... new versions of Apache mod_ssl support SNI.
See http://en.wikipedia.org/wiki/Server_Name_Indication#Support for a list of all the servers/browsers that are supported and also scroll down and see what isn't supported on the same page.
It's really a small window of non-SNI support, and I am sure that BlackBerry will support SNI in the near future, seeing that SNI is going mainstream in the next 1-2 years.
Submitted by JamieCameron on Mon, 12/26/2011 - 19:55 Comment #6
So Virtualmin will let you run multiple SSL sites on the same IP already - and if it detects SNI support in Apache, will change the warning message that appears in this case. Using SNI is more of an administrator's decision than anything which needs configuring by Virtualmin.
Sadly there are still heaps of IE 6 and Windows XP users out there, so I'm not sure I would recommend it.
Submitted by helpmin on Mon, 12/26/2011 - 20:06 Comment #7
I actually installed mod_gnutls (had to on CentOS 5), but it took a lot of CPU, I believe. mod_ssl on CentOS 6 seems to work much better.
Android 2.x browsers (virtually all Android phones as of today) do not work with SNI either (but you can still connect to your site - like with a self-signed certificate).
Submitted by sgrayban on Tue, 12/27/2011 - 02:06 Comment #8
People using old browsers that aren't updated anymore is neither my problem nor yours. M$ has been trying to push people to upgrade to IE7 for years.
I already mentioned that the native browsers for Android 2.x do not work. FF and Opera both have mobile versions they can install that do use SNI TLS.
Submitted by helpmin on Tue, 12/27/2011 - 02:33 Comment #9
Yes, you mentioned Android. I just added the version number 2.x. SNI works on 3.x and higher.
Submitted by JamieCameron on Tue, 12/27/2011 - 11:34 Comment #10
Scott - what changes would you like to see in Virtualmin to improve SNI support? Perhaps a config setting to turn off the warning about SSL certificate clashes completely?
Submitted by sgrayban on Tue, 12/27/2011 - 12:20 Comment #11
During initial setup I would like to see a screen come up saying VM has detected SNI support and offer to suppress the warnings.
And in the template under Apache settings it should be listed there as well with the option to disable the warnings.
Submitted by JamieCameron on Tue, 12/27/2011 - 15:28 Comment #12
Ok, this will be in the next Virtualmin release.
Submitted by Issues on Tue, 01/10/2012 - 15:45 Comment #13
Automatically closed -- issue fixed for 2 weeks with no activity.