apache and wildcard ssl

Today I had a client that wanted me to install a wildcard certificate on his new server. A small job, few minutes I said. Only that it was not really like that. The client had this situation. He had one domain foo.tld and the certificate was for *.foo.tld and a lot of subdomains bar.foo.tld apple.foo.tld and others like that. On each domain there was a different site and the client wanted each domain on to be available over SSL because he had a wildcard certificate for *.foo.com. But the problem was that he only had one ip on that server. From what I read in the apache documentation such thing would be impossible . It turns out it's not impossible if you have a wildcard certificate. The ssl FAQ specified two workarounds, #1 use different ports ( not really an option in most cases if you're thinking about serious web business ), and #2 use different ips for each vhost, this may be expensive, hard to get from some ISP, or hard to manage if you have hundreds of domains. I think there should be a line there saying that if you have a windcard ssl you will not need different ips or ports.

The whole problem exists because of the way that the SSL protocol is designed or at least HTTPS. From what I understand here is how apache and other web servers that implement HTTP/1.1 work: when a request comes in the web server looks at the Host: header. This header tells the web server the domain that the user is trying to access. Based on the value of the host header the web server will serve files from a certain domain. The HTTPS protocol is HTTP protocol sent over an encrypted connection (SSL), but in order to decrypt the data ( and actually get to the Host header ) the web server would have to know some information about the connection like the cipher suite, the server certificate, the private key, etc. The server does not know how to access that information because such information is specific to each domain and since it does not know the domain for which the connection was made it cannot access it. So the only solution is to use other way of identifying a virtual host like an ip address or tcp port.

One question comes in mind now: why was HTTPS not designed like we have STARTTLS in smtp where you can communicate with the server in plain smtp and if at some point you decide to go encrypted you just issue a STARTTLS command? that would have been extremely useful in HTTP, the browsers would have just sent the Host: header and then issue a STARTTLS and sent the rest of the data. It would have saved a lot of ip addresses that are used just for serving HTTPS sites.

2 thoughts on “apache and wildcard ssl

  1. From the post: “why was HTTPS not designed like we have STARTTLS in smtp where you can communicate with the server in plain smtp and if at some point you decide to go encrypted you just issue a STARTTLS command?”

    The https protocol predates TLS, which actually supports the STARTTLS command.

    There is now http + TLS which does this. Good ol’ port 443 does not support this though. This is from a time when one port was for encrypted data and a different port was used for unencrypted.

    Similar to the mail equivalent of port 465, which is now deprecated.

  2. I was just pointing out the design flaws in https. I guess the designers did not anticipate such widespread use of SSL. Like I wrote in my post TLS for HTTP there are two projects that implement TLS for HTTP. It seems SNI ( Server Name Indication ) is the one that is going to be accepted as standard, because more and more browsers support it. Here’s a tutorial about how to set up Apache with mod_gnutls ( that implements SNI ) ssl enabled name based apache virtual hosts with mod_gnutls

Leave a Reply