bvstone

SSL, Server Name Identification (SNI) and the Powered by Apache HTTP IBM i Web Server

Posted:

SSL, Server Name Identification (SNI) and the Powered by Apache HTTP IBM i Web Server

Recently I was interested in setting up a few of my websites to use Secure Sockets Layer.  Before this we used a Reverse Proxy to map requests coming into our firewall to the appropriate HTTP server instance because we only have one public IP mapped to multiple local IP addresses.

When it came time for SSL, though, things were more difficult.  This is because with normal SSL communications the SSL certificate negotiations are done before the Host HTTP header is sent, which means that if you have an HTTP configuration with multiple virtual hosts using separate and distinct SSL certificates, only the first SSL certificate will be used which, of course, is the wrong one when you're going to the second site in the configuration.  This means the browser will report an error saying that the SSL certificate belongs to the wrong site.

There are a couple ways around this issue.  The first would be to purchase an SSL certificate for multiple domains (note, this is not referring to wildcard certificates).  This was my last resort since it would mean purchasing a new certificate when I already had 2 separate SSL certificates for each site.  The next would be set up another public IP address.  This wasn't something I was interested in either.

The final method, and reason for this article, would be to use what is called Server Name Identification (SNI) which is now available with V7R2 and up.  A good write up about this in more detail with links to RFCs is located at https://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port.

SNI allows the host name to be sent during the initial SSL/TLS negotiations, which of course means that you can then use multiple virtual hosts using SSL.

But now with V7R2 the Powered by Apache HTTP server has been upgraded to version 2.4.  This means we have a couple new directives that allow us to get around this problem.  The main one we are interested in is SSLServerCert.  This directive allows us to tell the system which SSL certificate to use for each distinct host.  While this may seem similar to the SSLAppName directive, it is not.  The SSLAppName directive allows you to specify an application name which is associated with an SSL certificate.  The SSLServerCert directive you specify the certificate label as shown here:

Yes, it does seem redundant, doesn't it.  But oh well.  I also found the very limited documentation on this new feature very hard to understand... mainly because in dealing with SSL and application names I was more used to that then using the certificate label.

In the end, I set up my bvstools.com and fieldexit.com sites as shown here:

<VirtualHost xx.xx.xx.xx:443>
   SSLAppName BVSTOOLS_SSL
   SSLServerCert "www.bvstools.com 2017"
   SSLEngine On
...
      
</VirtualHost>

<VirtualHost xx.xx.xx.xx:443>
   SSLAppName FIELDEXIT_SSL
   SSLServerCert www.fieldexit.com
   SSLEngine On
...
   
</VirtualHost>

As you can see, the certificate label for BVSTools contained a space, which means we need to put the label text in quotes (I would have called it something different if I knew I would be doing this in the future, but this works just fine as well!)  Also, instead of separate configuration files and separate server instances, both of the SSL sites needed to be placed into one configuration file.

So, another good reason to updated to V7R2 or higher is this nice new feature.  It only works on "modern" browsers, but if someone is using a browser this doesn't work on, they have other problems they need to take care of first.


Last edited 04/27/2017 at 10:45:22



Latest Posts:

MAILTOOL Updated to Allow Failed Message on Invalid Recipient MAILTOOL Updated to Allow Failed Message on Invalid Recipient
Posted by May 20, 2018
BVSTools >> BVSTools Announcements >> eMail Tool (MAILTOOL) Specific Announcements
Non HTTPS Callbacks Removed from GreenTools for G Suite (G4G) Non HTTPS Callbacks Removed from GreenTools for G Suite (G4G)
Posted by April 15, 2018
BVSTools >> BVSTools Announcements >> GreenTools for G Suite (Google Apps) (G4G) Specific Announcements
IBM i Related Survey Available IBM i Related Survey Available
Posted by April 7, 2018
IBM Power Systems >> (QGPL) IBM i
BVSTools Releases Braintree Webhook Open Source Application - Node.js BVSTools Releases Braintree Webhook Open Source Application - Node.js
Posted by April 5, 2018
Programming >> Open Source
BVSTools Now Offering Web Services (BETA) BVSTools Now Offering Web Services (BETA)
Posted by April 3, 2018
BVSTools >> BVSTools Announcements
Creating a Reverse SSL Proxy Using RPG on the IBM i - Part 2 Creating a Reverse SSL Proxy Using RPG on the IBM i - Part 2
Posted by March 29, 2018
Programming >> Web Programming
Still on V7R1 or Earlier?  Here's Why You Should Upgrade NOW! Still on V7R1 or Earlier? Here's Why You Should Upgrade NOW!
Posted by February 21, 2018
IBM Power Systems >> (QGPL) IBM i
Converting a MMDDYY date format to YYMMDD for Sorting Using SQL Converting a MMDDYY date format to YYMMDD for Sorting Using SQL
Posted by February 16, 2018
Programming >> RPG Programming
Moving All Files from a Google Drive Folder to the Trash Using GreenTools for Google Apps (G4G) Moving All Files from a Google Drive Folder to the Trash Using GreenTools for Google Apps (G4G)
Posted by February 3, 2018
BVSTools >> BVSTools Software Discussion >> GreenTools for G Suite (Google Apps) (G4G) Specific Discussion
Removing Unwanted Characters from a String with RPG Removing Unwanted Characters from a String with RPG
Posted by February 2, 2018
Programming >> RPG Programming
GETURI Version 8.10 Released GETURI Version 8.10 Released
Posted by January 23, 2018
BVSTools >> BVSTools Announcements >> Get URI (GETURI) Specific Announcements
BVSTools is Now a Sponsor of ALLAS400S.com BVSTools is Now a Sponsor of ALLAS400S.com
Posted by January 17, 2018
BVSTools >> BVSTools Announcements
Service Pack SP171219 Released for G4PP v3.10 Service Pack SP171219 Released for G4PP v3.10
Posted by December 20, 2017
BVSTools >> BVSTools Announcements >> GreenTools for PayPal (G4PP) Specific Announcements
GETURI Now Requires Minimum OS of V7R1 or Higher GETURI Now Requires Minimum OS of V7R1 or Higher
Posted by December 12, 2017
BVSTools >> BVSTools Software Discussion >> Get URI (GETURI) Specific Discussion
Need Help Updating Your Software Versions?  We Can Help. Need Help Updating Your Software Versions? We Can Help.
Posted by December 8, 2017
BVSTools >> BVSTools Announcements

Reply




Copyright 1983-2018 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, CKEditor and running on the IBM i (AKA AS/400, iSeries, System i).