Virtual Hosting, SSL and SNI

A small piece of crypto news.

Since HTTP/1.1, the technique of “virtual hosting” – having multiple websites on the same IP address – has been extremely widespread. This is done by sending a “Host:” header in the initial HTTP request, which tells the server which site you want.

However, it’s not possible to do the same trick with SSL, because at the time you create the SSL connection, the HTTP exchange has not happened yet, so the webserver doesn’t know which certificate to send. The fix is SNI (Server Name Indication), as defined in RFC 3546: a way of putting the host name into the SSL handshake itself, before any certificate is chosen.
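To make concrete where the name travels, here is an added example (not code from the original post): it builds a minimal TLS ClientHello carrying the server_name extension from RFC 3546, parses the name back out the way a virtual-hosting server would, and then performs the certificate-selection step that is impossible without SNI. The hostnames, cipher-suite bytes and certificate labels are constructed sample values, and the record uses TLS 1.2 version bytes as an assumption; the wire layout of the extension itself follows the RFC.

```python
"""
Constructed example: a minimal TLS ClientHello with a server_name (SNI)
extension, a parser that recovers the name, and the certificate choice a
virtual-hosting server makes from it.  Extension layout per RFC 3546 s3.1:
  ExtensionType server_name = 0, ServerNameList of (name_type=0, host_name).
"""
import struct

SNI_EXT_TYPE = 0x0000   # extension type "server_name"
HOST_NAME_TYPE = 0x00   # NameType host_name


def build_sni_extension(hostname: str) -> bytes:
    """Encode one host_name entry inside a server_name extension."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXT_TYPE, len(server_name_list)) + server_name_list


def build_client_hello(hostname=None) -> bytes:
    """Return a TLS record containing a ClientHello; SNI only if a name is given."""
    body = b"\x03\x03"                 # client_version: TLS 1.2 (assumption)
    body += b"\x00" * 32               # random: zeros in this constructed sample
    body += b"\x00"                    # session_id length 0
    cipher_suites = b"\xc0\x2f\x00\x9c"  # two constructed cipher-suite ids
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                # compression_methods: null only
    if hostname is not None:
        ext = build_sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext   # extensions block
    # Handshake header: msg_type 1 (client_hello) + 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 (handshake), legacy version 3.1, length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the ClientHello's SNI extension, or None
    when the client sent no extensions (the pre-SNI situation)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version + random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # no extensions at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("truncated extensions block")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXT_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[q:q + 3])
            q += 3
            name = data[q:q + name_len]
            q += name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


def select_certificate(record: bytes, certs_by_host: dict, default_host: str) -> str:
    """What a virtual-hosting TLS server does with the ClientHello: pick the
    certificate for the requested name, or fall back to the default site when
    the client sent no SNI.  Certificate values here are just labels."""
    host = extract_sni(record)
    return certs_by_host.get(host, certs_by_host[default_host])


if __name__ == "__main__":
    certs = {"a.example": "cert-for-a", "b.example": "cert-for-b"}  # constructed
    print(extract_sni(build_client_hello("secure.example.com")))
    print(select_certificate(build_client_hello("b.example"), certs, "a.example"))
    print(select_certificate(build_client_hello(), certs, "a.example"))
```

The last call is the case the post describes: with no name in the handshake the server can only hand out its default certificate, so every other site on that IP and port gets a name mismatch.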

SNI is supported in Firefox 2, IE 7 on Vista, Opera 7.6+ and other modern browsers. For Apache, mod_gnutls supports it, but not mod_ssl (OpenSSL). I’m not sure about IIS.

Now the news: Stephen Henson recently backported the SNI support in OpenSSL 0.9.9-dev to 0.9.8 (the stable version). This should speed up the day when SNI support is available in stable releases of Apache. Sadly, it’ll probably still be a while before it can be used on the public web, because the SSL improvements for IE 7 are only provided on Vista. :-(

7 thoughts on “Virtual Hosting, SSL and SNI”

  1. Interesting that you should post this – I was just talking to my host about the same thing. Unfortunately it seems like we’re still running Apache 1.3 which doesn’t support this (need 2.x?), and also there was the unspoken implication that there’s an income stream from selling static IPs to people who need SSL…

  2. I’m not sure that migration to Vista would necessarily be more of a hold-up for use on the public web than migration to Apache 2. Of the 3 web hosts I’m using for work/personal hosting, 2 of them are still on Apache 1.3. Apache 2 seems to have been released in 2002, so if SNI hasn’t yet made it into new stable releases, it could be a while before there are servers that support it without someone making an effort…

  3. Right. But there’s a difference between server and client.

    If not all servers support it, that’s no big deal. The servers which do support it can use it. But if not all clients support it, no-one can use it.

  4. It is already possible to have multiple SSL virtual hosts through the X.509 subjectAltName extension. Support for this is more widespread than for server name indication, and no modification to Apache is necessary.

    It however requires CA support, and that there is only one CA for all virtual hosts. So it may not be suitable for all purposes.

  5. I think we’ll have moved to IPv6 before this becomes commonplace.

    The business end doesn’t make much sense. Typically an IP comes at a lower cost ($1-$2/mo) to add on to a typical hosting account than an SSL cert costs. As a result, anyone who is using SSL is likely to be able to afford a static IP for their account and can attract 100% of their audience rather than 99% (assuming it gets to that point). What’s the total savings or business advantage? Not much if anything.

    EV SSL has an advantage of marketing, so there’s potential for its real-world adoption. SSL without an IP address is purely tech with no end user benefit. As a result, if it doesn’t make financial sense for all parties involved, what’s the purpose from their point of view?

    I could be wrong, but I don’t see this being widely adopted.

  6. Robert: but what if we wanted every website that had a login box of some sort to use SSL?

    Also, I see prices of between $5 and $15 a month for static IPs in a quick Google search. Whereas certs are free, or $15-$20 a year for Domain-Validation-only certs.

  7. Multiple Apache VHosts on the same IP and port

    I just learned yesterday again, what I knew a few years ago, but since had forgotten:

    You cannot put multiple SSL-enabled virtual Apache hosts onto the same IP and port.

    Apache cannot identify which VirtualHost to serve a request from because the pa