Posts Tagged ‘gnutls’

Update: HTTPS Virtual Hosts on Ubuntu 8.04 LTS Server

July 16th, 2009

The gnutls and gcrypt packages were updated for Ubuntu 8.04, but they are still not right for mod_gnutls.

  • libgnutls-dev (2.0.4-1ubuntu2.5)
  • libgnutls13 (2.0.4-1ubuntu2.5)
  • gnutls-bin (2.0.4-1ubuntu2.5)
  • libgcrypt11-dev (1.2.4-2ubuntu7)
  • libgcrypt11 (1.2.4-2ubuntu7)

HTTPS Virtual Hosts on Ubuntu 8.04 LTS Server

June 18th, 2009

Introduction

Normally, having multiple virtual hosts on Apache with HTTPS is not possible. HTTPS is short for HTTP/SSL, which means HTTP encapsulated by SSL (Secure Sockets Layer). This means the HTTP traffic sent to the Apache webserver is encrypted using SSL.

The VirtualHost definitions in the Apache configuration are used to specify the SSL options. To decide which VirtualHost to use, Apache peeks at the HTTP header to look for the “HOST” field. With HTTPS, the HTTP header can only be read after the SSL connection has been established, so technically Apache cannot know which VirtualHost definition to use to set up the SSL connection.

Apache could use the correct SSL options if it knew which VirtualHost definition it should use, and luckily that is possible. SSL supports several encryption protocols, the newest being TLS (Transport Layer Security). Technically this is a replacement for SSL and would result in HTTP/TLS instead of HTTP/SSL. TLS has a feature called SNI (Server Name Indication), which is the equivalent of HTTP’s “HOST” field.

There are a few problems with SNI, though. The standard SSL/TLS module that comes with Apache is mod_ssl, which is based on OpenSSL. Unfortunately, OpenSSL does not support SNI in its TLS implementation yet. It has been added to OpenSSL 0.99 and backported to 0.98, but mod_ssl doesn’t support it. GnuTLS is an alternative to OpenSSL, and it does support the SNI feature in TLS. A GnuTLS-based module for Apache is mod_gnutls, but this is not available as an Ubuntu binary. Internet Explorer 7 only supports SNI on Windows Vista, thus causing the same problem as SSL on Windows XP.

Coming topics

June 18th, 2009

Just a small heads-up about what I’ve been up to…

My old server got hacked, so I had to finish the installation of critical services on my new server. To manage virtual domains I had installed WebMin with VirtualMin on it, but somehow it refused to work for e-mail. Not feeling much for reinstalling VirtualMin, I searched for an alternative to manage the e-mail services. I’m now quite happy VirtualMin bugged, because now I came across Zimbra. Zimbra is currently running on my new server and it’s just brilliant. The only shame is that it only supports Ubuntu 8.04 LTS and won’t support any other Ubuntus until Ubuntu 10 LTS. Installing Zimbra itself is quite easy, so I will not be blogging about that; what I will be blogging about is what I did to make it more secure… I added mod_gnutls to my Apache to benefit from its support for SNI, which allows Virtual Hosting of HTTPS domains. With mod_gnutls with my own Root CA, server CA and P12, nobody but me can access the web interface of my Zimbra, and with mod_ssl set up as a proxy, my Apache provides an easy and secure bridge between Zimbra and the Internet. If this sounds interesting, keep your eye on my blog…

I’ve been planning on creating my own theme for this blog, but as usual work and other tasks mess up my priorities. Nevertheless, I did get a chance to practice my theme-making skills by creating a WordPress MU theme at work for internal blogging. This brought me back on track with CSS and JavaScript again. What I started wondering is, is there any support for Continuous Integration with JavaScript? And is there automated Code Revision/Quality Assurance for JavaScript? Turns out there are possibilities… JavaScript Code Review is quite easy with JSLint, there are Java ports and there’s Rhino, so getting it into a CI system like Hudson should be quite straightforward. There’s also JSUnit, which allows Unit Testing of JavaScript. I’ll be experimenting with JSLint in Rhino and Hudson, but also in PHP! Recently the Mozilla JavaScript engine became available as an extension for PHP, so I’m curious about running JSLint and JSUnit in that.

These are just 2 very exciting topics I’m playing with at the moment, so stay tuned!