bvstone

SSL, Server Name Identification (SNI) and the Powered by Apache HTTP IBM i Web Server

Posted:

SSL, Server Name Identification (SNI) and the Powered by Apache HTTP IBM i Web Server

Recently I was interested in setting up a few of my websites to use Secure Sockets Layer.  Before this we used a Reverse Proxy to map requests coming into our firewall to the appropriate HTTP server instance because we only have one public IP mapped to multiple local IP addresses.

When it came time for SSL, though, things were more difficult.  This is because with normal SSL communications the SSL certificate negotiations are done before the Host HTTP header is sent, which means that if you have an HTTP configuration with multiple virtual hosts using separate and distinct SSL certificates, only the first SSL certificate will be used which, of course, is the wrong one when you're going to the second site in the configuration.  This means the browser will report an error saying that the SSL certificate belongs to the wrong site.

There are a couple ways around this issue.  The first would be to purchase an SSL certificate for multiple domains (note, this is not referring to wildcard certificates).  This was my last resort since it would mean purchasing a new certificate when I already had 2 separate SSL certificates for each site.  The next would be set up another public IP address.  This wasn't something I was interested in either.

The final method, and reason for this article, would be to use what is called Server Name Identification (SNI) which is now available with V7R2 and up.  A good write up about this in more detail with links to RFCs is located at https://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port.

SNI allows the host name to be sent during the initial SSL/TLS negotiations, which of course means that you can then use multiple virtual hosts using SSL.

But now with V7R2 the Powered by Apache HTTP server has been upgraded to version 2.4.  This means we have a couple new directives that allow us to get around this problem.  The main one we are interested in is SSLServerCert.  This directive allows us to tell the system which SSL certificate to use for each distinct host.  While this may seem similar to the SSLAppName directive, it is not.  The SSLAppName directive allows you to specify an application name which is associated with an SSL certificate.  The SSLServerCert directive you specify the certificate label as shown here:

Yes, it does seem redundant, doesn't it.  But oh well.  I also found the very limited documentation on this new feature very hard to understand... mainly because in dealing with SSL and application names I was more used to that then using the certificate label.

In the end, I set up my bvstools.com and fieldexit.com sites as shown here:

<VirtualHost xx.xx.xx.xx:443>
   SSLAppName BVSTOOLS_SSL
   SSLServerCert "www.bvstools.com 2017"
   SSLEngine On
...
      
</VirtualHost>

<VirtualHost xx.xx.xx.xx:443>
   SSLAppName FIELDEXIT_SSL
   SSLServerCert www.fieldexit.com
   SSLEngine On
...
   
</VirtualHost>

As you can see, the certificate label for BVSTools contained a space, which means we need to put the label text in quotes (I would have called it something different if I knew I would be doing this in the future, but this works just fine as well!)  Also, instead of separate configuration files and separate server instances, both of the SSL sites needed to be placed into one configuration file.

So, another good reason to updated to V7R2 or higher is this nice new feature.  It only works on "modern" browsers, but if someone is using a browser this doesn't work on, they have other problems they need to take care of first.


Last edited 04/27/2017 at 10:45:22



Latest Posts:

Update for Google WorkSpace Accounts (2024): Google Dropping Support for Update for Google WorkSpace Accounts (2024): Google Dropping Support for "Less Secure Apps" May 30th, 2022. What Does This Mean for Your IBM i Email?
Posted by January 19, 2024
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
Sales By State Report in QuickBooks Online Sales By State Report in QuickBooks Online
Posted by January 13, 2024
QuickBooks >> QuickBooks Online
How to Whitelist GreenTools for G Suite (G4G) For Your Organization How to Whitelist GreenTools for G Suite (G4G) For Your Organization
Posted by November 5, 2023
BVSTools >> BVSTools Software Discussion >> GreenTools for G Suite (Google Apps) (G4G) Specific Discussion
QuickBooks Online Releases QuickBooks Online Releases "New Invoices!"... and It's Terrible!
Posted by October 8, 2023
QuickBooks >> QuickBooks Online
Admin/4i - What is it? Admin/4i - What is it?
Posted by September 30, 2023
Vendor Corner >> MSD Information Technology
BVSTools Releases Send Job Log to BVSTools (SNDLOG2BVS) Command BVSTools Releases Send Job Log to BVSTools (SNDLOG2BVS) Command
Posted by August 28, 2023
BVSTools >> BVSTools Announcements
MAILTOOL Now Allows Email Redirection for Development and Testing MAILTOOL Now Allows Email Redirection for Development and Testing
Posted by May 27, 2023
BVSTools >> BVSTools Announcements >> eMail Tool (MAILTOOL) Specific Announcements
GreenTools for Microsoft Apps (G4MS) Now Supports Footers When Sending Email GreenTools for Microsoft Apps (G4MS) Now Supports Footers When Sending Email
Posted by March 29, 2023
BVSTools >> BVSTools Announcements >> GreenTools for Microsoft Apps (G4MS) Specific Announcements
QuickBooks Online - Subtotals and Discounts Frustration QuickBooks Online - Subtotals and Discounts Frustration
Posted by March 16, 2023
QuickBooks >> QuickBooks Online
Making the Switch From QuickBooks Desktop to QuickBooks Online - No Picnic Making the Switch From QuickBooks Desktop to QuickBooks Online - No Picnic
Posted by March 16, 2023
QuickBooks >> QuickBooks Online
BVSTools Software Verified on V7R5 and Power10 BVSTools Software Verified on V7R5 and Power10
Posted by December 9, 2022
BVSTools >> BVSTools Announcements
Microsoft Office 365 Servers and Random Errors Issue Microsoft Office 365 Servers and Random Errors Issue
Posted by November 14, 2022
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
Sending/Resending Emails Using a MIME File with MAILTOOL Sending/Resending Emails Using a MIME File with MAILTOOL
Posted by November 8, 2022
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
Sending an HTML Email on Your IBM i Using MAILTOOL Sending an HTML Email on Your IBM i Using MAILTOOL
Posted by November 1, 2022
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
Transferring License Keys from One System to Another Transferring License Keys from One System to Another
Posted by October 31, 2022
BVSTools >> BVSTools Software Discussion

Reply




Copyright 1983-2020 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, CKEditor and running on the IBM i (AKA AS/400, iSeries, System i).