HTTPS Virtual Hosts on Ubuntu 8.04 LTS Server

Updated

2009-07-16: see the follow-up post “Update: HTTPS Virtual Hosts on Ubuntu 8.04 LTS Server”.

Introduction

Normally, running multiple virtual hosts on Apache over HTTPS is not possible. HTTPS is short for HTTP over SSL, meaning HTTP encapsulated by SSL (Secure Sockets Layer): the HTTP traffic sent to the Apache web server is encrypted using SSL.

The VirtualHost definitions in the Apache configuration are where the SSL options are specified. To decide which VirtualHost to use, Apache peeks at the HTTP headers for the “Host” field. With HTTPS the HTTP headers can only be read after the SSL connection has been established, so technically Apache cannot know which VirtualHost definition to use when setting up the SSL connection.

Apache could use the correct SSL options if it knew which VirtualHost definition to use, and luckily that is possible. SSL has several protocol versions, the newest being TLS (Transport Layer Security). Technically TLS is the replacement for SSL, so the result would be HTTP/TLS rather than HTTP/SSL. TLS has an extension called SNI (Server Name Indication), which is the equivalent of HTTP’s “Host” field: the client sends the hostname it wants as part of the handshake, before the server has to pick a certificate.

There are a few problems with SNI though. The standard SSL/TLS module that comes with Apache is mod_ssl, which is based on OpenSSL. Unfortunately OpenSSL does not support SNI in its TLS implementation yet. It has been added to OpenSSL 0.99 and backported to 0.98, but mod_ssl doesn’t support it. GnuTLS is an alternative to OpenSSL and it does support the SNI feature in TLS. A GnuTLS-based module for Apache is mod_gnutls, but it is not available as an Ubuntu binary package. Internet Explorer 7 only supports SNI on Windows Vista, so on Windows XP it has the same problem as plain SSL.

Adding mod_gnutls to Apache

There is no package for mod_gnutls available for Ubuntu so it has to be built from source. mod_gnutls has a few prerequisites that make it tricky to build on Ubuntu:

  • GnuTLS (>= 2.4.0)
    • libgcrypt (>= 1.4.0)
    • libtasn1 (included in GnuTLS source package)
    • libgpgerror (>= 1.4.0)

The libgcrypt version available for Ubuntu 8.04 is 1.4.1, but unfortunately that does not seem to work, so we need to build libgcrypt from source too. The standard libgcrypt11 and libgcrypt11-dev packages are hard to remove, and the libgpg-error that comes with them is fine, so you might want to leave the old libgcrypt packages installed and just overwrite their files. (The standard libgcrypt is installed in /lib.)

Listing 1: Get, compile and install libgcrypt

~% mkdir gnutls
~% cd gnutls
~/gnutls% sudo apt-get install libgcrypt11 libgcrypt11-dev
~/gnutls% sudo rm /lib/libgcrypt*
~/gnutls% wget "ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.4.tar.gz"
~/gnutls% tar -xvzf libgcrypt-1.4.4.tar.gz
~/gnutls% cd libgcrypt-1.4.4
~/gnutls/libgcrypt-1.4.4% ./configure --prefix=/usr
~/gnutls/libgcrypt-1.4.4% make
~/gnutls/libgcrypt-1.4.4% sudo make install
~/gnutls/libgcrypt-1.4.4% sudo ldconfig
~/gnutls/libgcrypt-1.4.4% cd ..
~/gnutls% rm -Rf libgcrypt-1.4.4

It should be no problem to build GnuTLS now.


~/gnutls% wget "ftp://ftp.gnupg.org/gcrypt/gnutls/gnutls-2.8.1.tar.bz2"
~/gnutls% tar -xvjf gnutls-2.8.1.tar.bz2
~/gnutls% cd gnutls-2.8.1
~/gnutls/gnutls-2.8.1% ./configure --prefix=/usr
~/gnutls/gnutls-2.8.1% make
~/gnutls/gnutls-2.8.1% sudo make install
~/gnutls/gnutls-2.8.1% sudo ldconfig
~/gnutls/gnutls-2.8.1% cd ..
~/gnutls% rm -Rf gnutls-2.8.1

With all the prerequisites in place it’s time to build mod_gnutls. The configure script probably will not be able to find Apache’s apxs2 on its own, so locate it first.


~/gnutls% which apxs2
/usr/bin/apxs2
~/gnutls% wget "http://www.outoforder.cc/downloads/mod_gnutls/mod_gnutls-0.5.5.tar.bz2"
~/gnutls% tar -xvjf mod_gnutls-0.5.5.tar.bz2
~/gnutls% cd mod_gnutls-0.5.5
~/gnutls/mod_gnutls-0.5.5% ./configure --prefix=/usr --with-apxs=/usr/bin/apxs2
~/gnutls/mod_gnutls-0.5.5% make
~/gnutls/mod_gnutls-0.5.5% sudo make install
~/gnutls/mod_gnutls-0.5.5% cd ..
~/gnutls% rm -Rf mod_gnutls-0.5.5

Depending on your Apache configuration practice, the module might be loaded differently. Here’s my way: two files in mods-available, symlinked into mods-enabled.

/etc/apache2/mods-available/gnutls.load

LoadModule gnutls_module /usr/lib/apache2/modules/mod_gnutls.so

/etc/apache2/mods-available/gnutls.conf

GnuTLSCache dbm /var/cache/apache2/gnutls_cache

~/gnutls% cd /etc/apache2/mods-enabled
/etc/apache2/mods-enabled% sudo ln -s ../mods-available/gnutls.load
/etc/apache2/mods-enabled% sudo ln -s ../mods-available/gnutls.conf
/etc/apache2/mods-enabled% sudo touch /var/cache/apache2/gnutls_cache
/etc/apache2/mods-enabled% sudo chown www-data:www-data /var/cache/apache2/gnutls_cache

That should be it; mod_gnutls should be functional after restarting Apache.

Creating certificates for GnuTLS

Creating certificates is quite easy, as explained in the articles linked below. For GnuTLS to accept the certificates, however, MD5 must not be used, since it is considered insecure; SHA256 or SHA512 is much more secure. The examples below use OpenSSL, but

openssl.cnf

...
[ CA_default ]
...
default_md				= sha256
...

  • Setting up OpenSSL to Create Certificates
  • Setting up SSL Certificates on Apache
  • Creating PKCS12 Certificates

Creating name based Virtual Hosts with HTTPS

With mod_gnutls in place and the certificates ready, name-based Virtual Hosts can be added to Apache. Each one carries its own certificate and key; mod_gnutls selects the VirtualHost whose ServerName matches the SNI hostname sent by the client.

/etc/apache2/sites-available/https-vhost1.conf

<VirtualHost *:443>
    ServerAdmin admin@example.org
    ServerName vhost1.example.org:443
    DocumentRoot /var/vhosts/vhost1.example.org/public_html

    # Configure TLS
    GnuTLSEnable On
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile /var/vhosts/vhost1.example.org/ssl.crt/vhost1.example.org-cert.pem
    GnuTLSKeyFile /var/vhosts/vhost1.example.org/ssl.key/vhost1.example.org-key.pem
</VirtualHost>

/etc/apache2/sites-available/https-vhost2.conf

<VirtualHost *:443>
    ServerAdmin admin@example.org
    ServerName vhost2.example.org:443
    DocumentRoot /var/vhosts/vhost2.example.org/public_html

    # Configure TLS
    GnuTLSEnable On
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile /var/vhosts/vhost2.example.org/ssl.crt/vhost2.example.org-cert.pem
    GnuTLSKeyFile /var/vhosts/vhost2.example.org/ssl.key/vhost2.example.org-key.pem
</VirtualHost>

Access vhost1.example.org and vhost2.example.org and examine the certificates; unless you used the same certificate files for both, they should differ.

Conclusion

Until OpenSSL and mod_ssl support TLS’s SNI and everyone stops using IE7 (please do!), or until mod_gnutls becomes available for Ubuntu through apt, this procedure should keep your Virtual Hosts secure.

8 thoughts on “HTTPS Virtual Hosts on Ubuntu 8.04 LTS Server”

  1. Hi
    Great work, however some problems: libgcrypt-dev requires in my ubuntu server 8.04 to be libgcrypt11-dev, apxs was to be installed. Then I got stuck with the message: libgnutls was not found.
    Any idea.
    Thanks so much.
    al

  2. al :

    Hi
    Great work, however some problems: libgcrypt-dev requires in my ubuntu server 8.04 to be libgcrypt11-dev, apxs was to be installed. Then I got stuck with the message: libgnutls was not found.
    Any idea.
    Thanks so much.
    al

    Like I wrote, libgcrypt11 doesn’t work. You need to compile the latest from source and overwrite the libgcrypt11 files in /lib.
    Did you then compile GnuTLS from source?

  3. I must admit, I tried to closely follow the above steps, and the listing blocks for libgcrypt-1.4.4 and gnutls-2.8.1 did work. However in the third listing, at the following line:

    ~/gnutls/mod_gnutls-0.5.5% ./configure --prefix=/usr --with-apxs=/usr/bin/apxs2

    produced this error
    …configure: error:
    libgnutls was not found. You may want to get it from…

    I tried to remove the error, but it didn’t work until now.

  4. @al Ok, seems the gnutls went wrong or ldconfig is out of sync.
    What does this show:
    % ldconfig -p | grep "libgnutls"

    You can also try running mod_gnutls’ configure like this:
    % ./configure --prefix=/usr --with-apxs=/usr/bin/apxs2 --with-libgnutls-prefix=/usr
    But if I remember correctly, it ignores “--with-libgnutls-prefix” although it’s mentioned in “./configure --help”…

  5. Hi,

    I have had the same error as al.

    I solved it with “--with-libgnutls-prefix”
    but I also had to install pkg-config:

    sudo apt-get install pkg-config

  6. I had the same “libgnutls was not found. You may want to get it from…” error. I was able to solve it by installing pkg-config (sudo apt-get install pkg-config) as olli suggested. I did not, however, need the --with-libgnutls-prefix option.

  7. Thanks for this post, trying to get this working under native Ubuntu 8.04. Everything seems to work OK for me, except that when I configure separate self-signed certificates for both vhosts, my browser shows the same certificate being used for vhost1 and vhost2 when I connect to them.
