bvstone

SSL, Server Name Identification (SNI) and the Powered by Apache HTTP IBM i Web Server

Posted:

SSL, Server Name Identification (SNI) and the Powered by Apache HTTP IBM i Web Server

Recently I was interested in setting up a few of my websites to use Secure Sockets Layer.  Before this we used a Reverse Proxy to map requests coming into our firewall to the appropriate HTTP server instance because we only have one public IP mapped to multiple local IP addresses.

When it came time for SSL, though, things were more difficult.  This is because with normal SSL communications the SSL certificate negotiations are done before the Host HTTP header is sent, which means that if you have an HTTP configuration with multiple virtual hosts using separate and distinct SSL certificates, only the first SSL certificate will be used which, of course, is the wrong one when you're going to the second site in the configuration.  This means the browser will report an error saying that the SSL certificate belongs to the wrong site.

There are a couple ways around this issue.  The first would be to purchase an SSL certificate for multiple domains (note, this is not referring to wildcard certificates).  This was my last resort since it would mean purchasing a new certificate when I already had 2 separate SSL certificates for each site.  The next would be set up another public IP address.  This wasn't something I was interested in either.

The final method, and reason for this article, would be to use what is called Server Name Identification (SNI) which is now available with V7R2 and up.  A good write up about this in more detail with links to RFCs is located at https://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port.

SNI allows the host name to be sent during the initial SSL/TLS negotiations, which of course means that you can then use multiple virtual hosts using SSL.

But now with V7R2 the Powered by Apache HTTP server has been upgraded to version 2.4.  This means we have a couple new directives that allow us to get around this problem.  The main one we are interested in is SSLServerCert.  This directive allows us to tell the system which SSL certificate to use for each distinct host.  While this may seem similar to the SSLAppName directive, it is not.  The SSLAppName directive allows you to specify an application name which is associated with an SSL certificate.  The SSLServerCert directive you specify the certificate label as shown here:

Yes, it does seem redundant, doesn't it.  But oh well.  I also found the very limited documentation on this new feature very hard to understand... mainly because in dealing with SSL and application names I was more used to that then using the certificate label.

In the end, I set up my bvstools.com and fieldexit.com sites as shown here:

<VirtualHost xx.xx.xx.xx:443>
   SSLAppName BVSTOOLS_SSL
   SSLServerCert "www.bvstools.com 2017"
   SSLEngine On
...
      
</VirtualHost>

<VirtualHost xx.xx.xx.xx:443>
   SSLAppName FIELDEXIT_SSL
   SSLServerCert www.fieldexit.com
   SSLEngine On
...
   
</VirtualHost>

As you can see, the certificate label for BVSTools contained a space, which means we need to put the label text in quotes (I would have called it something different if I knew I would be doing this in the future, but this works just fine as well!)  Also, instead of separate configuration files and separate server instances, both of the SSL sites needed to be placed into one configuration file.

So, another good reason to updated to V7R2 or higher is this nice new feature.  It only works on "modern" browsers, but if someone is using a browser this doesn't work on, they have other problems they need to take care of first.


Last edited 04/27/2017 at 10:45:22



Latest Posts:

GreenTools for G Suite (G4G) Now Includes Send Mail Functionality (G4GSMAIL Addon) GreenTools for G Suite (G4G) Now Includes Send Mail Functionality (G4GSMAIL Addon)
Posted by August 27, 2019
BVSTools >> BVSTools Announcements >> GreenTools for G Suite (Google Apps) (G4G) Specific Announcements
GreenTools For G Suite (G4G) v12.00 Released With Base OAuth 2.0 Functionality GreenTools For G Suite (G4G) v12.00 Released With Base OAuth 2.0 Functionality
Posted by July 28, 2019
BVSTools >> BVSTools Announcements >> GreenTools for G Suite (Google Apps) (G4G) Specific Announcements
BVSTools Small Price Increase in 2020 BVSTools Small Price Increase in 2020
Posted by July 26, 2019
BVSTools >> BVSTools Announcements
GreenTools for Vertex Cloud (VTXCLOUD) Now Available GreenTools for Vertex Cloud (VTXCLOUD) Now Available
Posted by July 22, 2019
BVSTools >> BVSTools Announcements >> GreenTools for Vertex Cloud (VTXCLOUD) Specific Announcements
GreenTools for Google Apps (G4G) - Drive Addon Successfully Verified by Google GreenTools for Google Apps (G4G) - Drive Addon Successfully Verified by Google
Posted by July 22, 2019
BVSTools >> BVSTools Announcements >> GreenTools for G Suite (Google Apps) (G4G) Specific Announcements
Why I Cancelled my DynDNS Service and How I Replaced It with an IBM i Application Why I Cancelled my DynDNS Service and How I Replaced It with an IBM i Application
Posted by July 17, 2019
IBM Power Systems >> (QGPL) IBM i
Green Tools for G Suite (G4G) Product Updates (Licensing, Functionality, Base Product) Green Tools for G Suite (G4G) Product Updates (Licensing, Functionality, Base Product)
Posted by July 13, 2019
BVSTools >> BVSTools Announcements >> GreenTools for G Suite (Google Apps) (G4G) Specific Announcements
Reading JSON Data from Standard Input With YAJL and RPG Reading JSON Data from Standard Input With YAJL and RPG
Posted by July 12, 2019
Programming >> Proof of Concept (POC)
MAILTOOL Updated to Allow Use of IBM Global Security Kit (GSKIT) for SSL/TLS Communications MAILTOOL Updated to Allow Use of IBM Global Security Kit (GSKIT) for SSL/TLS Communications
Posted by June 19, 2019
BVSTools >> BVSTools Announcements >> eMail Tool (MAILTOOL) Specific Announcements
GETURI v10.00 Released Supporting IBM Global Security Kit (GSKIT) and Server Name Indication (SNI) GETURI v10.00 Released Supporting IBM Global Security Kit (GSKIT) and Server Name Indication (SNI)
Posted by June 11, 2019
BVSTools >> BVSTools Announcements >> Get URI (GETURI) Specific Announcements
BVSTools Now Offers Vertex Cloud Interface BVSTools Now Offers Vertex Cloud Interface
Posted by April 15, 2019
BVSTools >> BVSTools Announcements
Token Has an Invalid Signature Error for Office 365 Email Token Has an Invalid Signature Error for Office 365 Email
Posted by March 22, 2019
BVSTools >> BVSTools Software Discussion >> GreenTools for Microsoft Apps (G4MS) Specific Discussion
Resending Emails that have Errored Out with Updated Router or Authentication Information Resending Emails that have Errored Out with Updated Router or Authentication Information
Posted by March 1, 2019
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
BVSTools Offers Toolset to Work With HubSpot OAuth 2.0 APIs On Your IBM i BVSTools Offers Toolset to Work With HubSpot OAuth 2.0 APIs On Your IBM i
Posted by January 27, 2019
BVSTools >> BVSTools Announcements
G4MSDRV Currently Not Supported G4MSDRV Currently Not Supported
Posted by January 17, 2019
BVSTools >> BVSTools Announcements >> GreenTools for Microsoft Apps (G4MS) Specific Announcements

Reply




Copyright 1983-2019 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, CKEditor and running on the IBM i (AKA AS/400, iSeries, System i).