bvstone

SSL, Server Name Identification (SNI) and the Powered by Apache HTTP IBM i Web Server

Posted:

SSL, Server Name Identification (SNI) and the Powered by Apache HTTP IBM i Web Server

Recently I was interested in setting up a few of my websites to use Secure Sockets Layer.  Before this we used a Reverse Proxy to map requests coming into our firewall to the appropriate HTTP server instance because we only have one public IP mapped to multiple local IP addresses.

When it came time for SSL, though, things were more difficult.  This is because with normal SSL communications the SSL certificate negotiations are done before the Host HTTP header is sent, which means that if you have an HTTP configuration with multiple virtual hosts using separate and distinct SSL certificates, only the first SSL certificate will be used which, of course, is the wrong one when you're going to the second site in the configuration.  This means the browser will report an error saying that the SSL certificate belongs to the wrong site.

There are a couple ways around this issue.  The first would be to purchase an SSL certificate for multiple domains (note, this is not referring to wildcard certificates).  This was my last resort since it would mean purchasing a new certificate when I already had 2 separate SSL certificates for each site.  The next would be set up another public IP address.  This wasn't something I was interested in either.

The final method, and reason for this article, would be to use what is called Server Name Identification (SNI) which is now available with V7R2 and up.  A good write up about this in more detail with links to RFCs is located at https://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port.

SNI allows the host name to be sent during the initial SSL/TLS negotiations, which of course means that you can then use multiple virtual hosts using SSL.

But now with V7R2 the Powered by Apache HTTP server has been upgraded to version 2.4.  This means we have a couple new directives that allow us to get around this problem.  The main one we are interested in is SSLServerCert.  This directive allows us to tell the system which SSL certificate to use for each distinct host.  While this may seem similar to the SSLAppName directive, it is not.  The SSLAppName directive allows you to specify an application name which is associated with an SSL certificate.  The SSLServerCert directive you specify the certificate label as shown here:

Yes, it does seem redundant, doesn't it.  But oh well.  I also found the very limited documentation on this new feature very hard to understand... mainly because in dealing with SSL and application names I was more used to that then using the certificate label.

In the end, I set up my bvstools.com and fieldexit.com sites as shown here:

<VirtualHost xx.xx.xx.xx:443>
   SSLAppName BVSTOOLS_SSL
   SSLServerCert "www.bvstools.com 2017"
   SSLEngine On
...
      
</VirtualHost>

<VirtualHost xx.xx.xx.xx:443>
   SSLAppName FIELDEXIT_SSL
   SSLServerCert www.fieldexit.com
   SSLEngine On
...
   
</VirtualHost>

As you can see, the certificate label for BVSTools contained a space, which means we need to put the label text in quotes (I would have called it something different if I knew I would be doing this in the future, but this works just fine as well!)  Also, instead of separate configuration files and separate server instances, both of the SSL sites needed to be placed into one configuration file.

So, another good reason to updated to V7R2 or higher is this nice new feature.  It only works on "modern" browsers, but if someone is using a browser this doesn't work on, they have other problems they need to take care of first.


Last edited 04/27/2017 at 10:45:22



Latest Posts:

Why I Cancelled my DynDNS Service and How I Replaced It with an IBM i Application Why I Cancelled my DynDNS Service and How I Replaced It with an IBM i Application
Posted by 8 hours ago
IBM Power Systems >> (QGPL) IBM i
Green Tools for G Suite (G4G) Product Updates (Licensing, Functionality, Base Product) Green Tools for G Suite (G4G) Product Updates (Licensing, Functionality, Base Product)
Posted by July 13, 2019
BVSTools >> BVSTools Announcements >> GreenTools for G Suite (Google Apps) (G4G) Specific Announcements
Reading JSON Data from Standard Input With YAJL and RPG Reading JSON Data from Standard Input With YAJL and RPG
Posted by July 12, 2019
Programming >> Proof of Concept (POC)
MAILTOOL Updated to Allow Use of IBM Global Security Kit (GSKIT) for SSL/TLS Communications MAILTOOL Updated to Allow Use of IBM Global Security Kit (GSKIT) for SSL/TLS Communications
Posted by June 19, 2019
BVSTools >> BVSTools Announcements >> eMail Tool (MAILTOOL) Specific Announcements
GETURI v10.00 Released Supporting IBM Global Security Kit (GSKIT) and Server Name Indication (SNI) GETURI v10.00 Released Supporting IBM Global Security Kit (GSKIT) and Server Name Indication (SNI)
Posted by June 11, 2019
BVSTools >> BVSTools Announcements >> Get URI (GETURI) Specific Announcements
BVSTools Now Offers Vertex Cloud Interface BVSTools Now Offers Vertex Cloud Interface
Posted by April 15, 2019
BVSTools >> BVSTools Announcements
Token Has an Invalid Signature Error for Office 365 Email Token Has an Invalid Signature Error for Office 365 Email
Posted by March 22, 2019
BVSTools >> BVSTools Software Discussion >> GreenTools for Microsoft Apps (G4MS) Specific Discussion
Resending Emails that have Errored Out with Updated Router or Authentication Information Resending Emails that have Errored Out with Updated Router or Authentication Information
Posted by March 1, 2019
BVSTools >> BVSTools Software Discussion >> Email Tools (MAILTOOL) Specific Discussion
BVSTools Offers Toolset to Work With HubSpot OAuth 2.0 APIs On Your IBM i BVSTools Offers Toolset to Work With HubSpot OAuth 2.0 APIs On Your IBM i
Posted by January 27, 2019
BVSTools >> BVSTools Announcements
G4MSDRV Currently Not Supported G4MSDRV Currently Not Supported
Posted by January 17, 2019
BVSTools >> BVSTools Announcements >> GreenTools for Microsoft Apps (G4MS) Specific Announcements
Removing Trailing Carriage Returns and/or Line Feeds from a String with RPG Removing Trailing Carriage Returns and/or Line Feeds from a String with RPG
Posted by December 26, 2018
Programming >> RPG Programming
Create QRCODE in DDS Create QRCODE in DDS
Posted by September 21, 2018
Programming >> RPG Programming
Base64 Encoding a File with RPG Base64 Encoding a File with RPG
Posted by September 6, 2018
Programming >> RPG Programming
Building JSON with RPG and YAJL and Writing to Standard Output Building JSON with RPG and YAJL and Writing to Standard Output
Posted by August 31, 2018
Programming >> Proof of Concept (POC)
How to Delete Files or Empty Trash From Your Google Drive with your IBM i and RPG/ILE How to Delete Files or Empty Trash From Your Google Drive with your IBM i and RPG/ILE
Posted by July 24, 2018
BVSTools >> BVSTools Software Discussion >> GreenTools for G Suite (Google Apps) (G4G) Specific Discussion

Reply




Copyright 1983-2019 BVSTools
GreenBoard(v3) Powered by the eRPG SDK, MAILTOOL Plus!, GreenTools for Google Apps, jQuery, jQuery UI, BlockUI, CKEditor and running on the IBM i (AKA AS/400, iSeries, System i).