httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Mearns <>
Subject Re: [users@httpd] Name virtual hosts and HTTPS
Date Sat, 21 Nov 2009 17:01:20 GMT
On Sat, Nov 21, 2009 at 11:54 AM, Florent Georges <> wrote:
>  Hi,
>  I have one server one which I run two virtual hosts, say site1
> and site2.  They run very well for HTTP stuff for months.  Site1
> has also HTTPS access configured.  I am trying to add HTTPS
> support for site2 as well.  So I created a new SSL certificate,
> and added a new file in sites-available/:
>    > cat /etc/apache2/sites-available/site1-https
>    NameVirtualHost *:443
>    <VirtualHost *:443>
>        Servername
>        SSLEngine on
>        SSLCertificateFile site.crt
>        SSLCertificateKeyFile site1.key
>        DocumentRoot /var/site1/htsdocs/
>    </VirtualHost>
>    > cat /etc/apache2/sites-available/site2-https
>    NameVirtualHost *:443
>    <VirtualHost *:443>
>        Servername
>        SSLEngine on
>        SSLCertificateFile site2.crt
>        SSLCertificateKeyFile site2.key
>        DocumentRoot /var/site2/htsdocs/
>    </VirtualHost>
> and enabled the second HTTPS web site with a2ensite.
>  The problem is when I try to access site1 over HTTPS, it
> provides me the certificate for site2...
>  I double-checked the documentation with my very low Apache
> skills, but did not found anything about that problem.  Did I
> miss something?
>  Regards,
> --
> Florent Georges

Only the latest Apache (2.2.14) and OpenSSL built with the
tlsextensions options support this. It's case SNI (Server Name
Identification), where the client can send the fully qualified domain
name as part of the handshake process. Without this, the server has no
way knowing which vhost the client is looking for until the
certificate has already been presented (because the Host: HTTP request
header is part of the encrypted payload, which can't be sent until the
client has the cert), so it can't choose SSL options (including the
cert file) based on host name.

Also, not every client support SNI, unfortunately. I think most modern
browsers do, but notably MSIE before 7 or any version running on an OS
earlier than Vista do not (if I'm remembering correctly). Those
clients will always see the same cert no matter what name based vhost
they go to. It's a bummer, but a well known limitation of SSL.


Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from:

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message