Apache and SNI – problems with some clients

Never change a running system. An old but true saying, but sometimes there is no other choice. Until a few days ago I was happy with SSL vhosts running on a single SSL certificate. Then I needed to add another SSL certificate for another site with several subdomains, like svn.site-A.de, trac.site-A.de and www.site-A.de. With Apache2 running on Squeeze it is possible to use the Server Name Indication (SNI) mechanism to serve multiple SSL certificates from a single IP address with name-based vhosts.

Well, it works for some client software, but apparently it does not work well with KOrganizer or the Firefox Sync plugin, nor with Cyberduck on OS X. Here is an example config:

SSLEngine on
# Both SSLCipherSuite lines sit in the same vhost, so only the second one takes
# effect (for the same directive in the same context, the last one wins). The
# first one, the old Apache default list, would also have allowed eNULL, LOW,
# EXP and SSLv2 ciphers, so disabling it changes nothing and removes a trap.
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile  /etc/apache2/ssl/site-A-cert.pem
SSLCertificateKeyFile  /etc/apache2/ssl/site-A-key.pem
SSLOptions StrictRequire
# SNI is a TLS extension: an SSLv3-only client sends no server name at all and
# is answered by the first SSL vhost, whichever site it actually asked for.
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLVerifyClient none
SSLProxyEngine off

This is identical in all SSL vhosts on my system. The funny thing is that it works for two sites (site A and site B) while it does not work for site C. In the Firefox Sync plugin I get an error that the connection could not be established, while in Cyberduck (a WebDAV client for OS X) I get a dialog stating that I am presented with the certificate for site A on site C. Pointing the browser at the appropriate URL, I get the correct certificate for site C on site C.

Is there anything I am missing in the SNI setup in Apache?
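The SSL directives above are only half of an SNI setup. As an added example (not the author's configuration), here is the other half for Apache 2.2 on Squeeze: name-based vhosts on port 443 with a ServerName/ServerAlias for every hostname a client may send, and a deliberate choice of which vhost is loaded first, because a client that sends no SNI is always answered by that first vhost. The site-A hostnames are the post's; the site-C hostname, the DocumentRoot paths, the site-C certificate paths and the cipher list are assumptions.

```apache
# /etc/apache2/ports.conf (Apache 2.2): name-based vhosts on port 443 need
# NameVirtualHost, otherwise every request lands in the first vhost regardless
# of SNI. (Apache 2.4 no longer needs this directive.)
Listen 443
NameVirtualHost *:443

# Apache selects the vhost by the server name in the TLS ClientHello. A client
# that sends no SNI (or only speaks SSLv3) gets the FIRST *:443 vhost loaded,
# i.e. the first file in sites-enabled sort order. Whatever is listed first is
# therefore the certificate that non-SNI clients will see for every site.
<VirtualHost *:443>
    ServerName   www.site-A.de
    ServerAlias  svn.site-A.de trac.site-A.de
    DocumentRoot /var/www/site-A                     # assumed path
    SSLEngine on
    SSLProtocol -all +TLSv1                          # SNI is a TLS extension; SSLv3 cannot carry it
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5           # assumed list, tighter than the post's
    SSLCertificateFile    /etc/apache2/ssl/site-A-cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/site-A-key.pem
    # Optional: instead of silently handing non-SNI clients this vhost's
    # certificate, reject them with 403. Set in the first (default) vhost it
    # applies to every name-based vhost on this IP:port. This turns the
    # "wrong certificate" dialog into an explicit error from Apache.
    SSLStrictSNIVHostCheck on
</VirtualHost>

<VirtualHost *:443>
    ServerName   www.site-C.de                       # assumed hostname
    DocumentRoot /var/www/site-C                     # assumed path
    SSLEngine on
    SSLProtocol -all +TLSv1
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile    /etc/apache2/ssl/site-C-cert.pem   # assumed path
    SSLCertificateKeyFile /etc/apache2/ssl/site-C-key.pem    # assumed path
</VirtualHost>
```

To see what a given client sees, compare `openssl s_client -connect www.site-C.de:443 -servername www.site-C.de </dev/null | openssl x509 -noout -subject` with the same command without `-servername`. The first returns site C's certificate, the second returns the first vhost's certificate (site A in the post's symptom), which is exactly what an SNI-unaware client like the one behind Cyberduck's dialog is shown. If such clients must keep working, the only server-side fix is a single certificate whose subjectAltName lists every hostname, installed in every vhost; reordering files in sites-enabled only changes which one site gets the working default.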


4 thoughts on “Apache and SNI – problems with some clients”

  1. Oh, SNI works with OpenSSL in squeeze? That’s news to me. I thought OpenSSL 1.0 added that feature…

    I have been using mod_gnutls for quite some time and it works quite well with most clients… Your WebDAV client might not support SNI at all. Subversion had many problems with SNI for a while…

    1. Yes, the “solution” might be to somehow configure a “default” SSL cert or define the order of certs in a certain way. I’ve already tried renaming the config files, from 01_siteC to zz_siteA, but still no success…

  2. I have tonybaldwin.me and free-haven.org both set up on a Debian/Squeeze server with Apache/SNI.
    Iceweasel and most other browsers seem to find the proper cert for free-haven.org, but apparently Diaspora sites do not (for federation purposes), and neither does the mobile browser on my Android phone.
    So I’m trying to resolve the same issue, more or less.
    At this juncture I’m thinking I might just have to get an additional IP address from my host, since I’ve pretty well tried everything possible on the server, both SNI and gnutls, to make it work, and there are still issues.

    1. I think the problem is not Apache & SNI, but Diaspora. When I set up my Diaspora pod I ran into the problem as well that other pods didn’t interconnect with my pod. The reason was a self-signed SSL cert. You really need a “good” cert from StartSSL or similar, because the pods connect to each other via secure connections. That has nothing to do with SNI in the first place, I think…
