flatcircle
Joined: 27 Jun 2006 Posts: 79
Posted: Fri 07 May '10 19:09 Post subject: Apache WITH SNI (Server Name Indication) binaries

Hello
I wondered if you plan to release the 'SNI' version of Apache as well.
Regards.
FC.

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Sat 08 May '10 16:35

On apachehaus you can find apache with SNI support.

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sat 08 May '10 19:57

I thought Apache Lounge binaries came with SNI since it is on by default when you build OpenSSL, unless you explicitly disable it.

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Sat 08 May '10 21:40

@Gregg: Thanks for the hint, I forgot that.

flatcircle
Joined: 27 Jun 2006 Posts: 79
Posted: Mon 10 May '10 9:29

This means the binaries from Apachelounge are SNI capable as well?

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Mon 10 May '10 19:09

Yes it does.

holziusa
Joined: 02 Jan 2008 Posts: 48
Posted: Sat 07 Apr '12 16:22 Post subject: Apache 2.4.2x64

can i assume sni is on in the apachelounge build
how would i test to see if it is turned on

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sun 08 Apr '12 2:21

Configure more than one SSL/443 virtual host and try going to the second.
I know you downloaded an Apache Haus set of binaries to try crypto ... there's a conf/extra/httpd-sni.conf file in there, have a look at it ... it should give you the idea. Even has 3 test cert pairs (the one, server.crt/key expired in Nov. tho ... oops), you would just have to add the *.tld hostnames to your Windows hosts file to test with them and that config.
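
The test described in the post above, as an added example that is not part of the thread and is not the Apache Haus httpd-sni.conf: two name-based virtual hosts on port 443, each with its own certificate, plus a command-line check in the trailing comments. The hostnames, document roots and certificate paths are constructed placeholders.

```apache
# Added example. All names and paths below are constructed placeholders.
# Apache 2.2 additionally needs "NameVirtualHost *:443"; Apache 2.4 does not.
Listen 443

# The first vhost listed for *:443 is the default. Its certificate is what
# a client receives when it sends no SNI or an unknown name.
<VirtualHost *:443>
    ServerName one.example.test
    DocumentRoot "htdocs/one"
    SSLEngine on
    SSLCertificateFile "conf/ssl/one.example.test.crt"
    SSLCertificateKeyFile "conf/ssl/one.example.test.key"
    # Optional: set in the default vhost, this denies SNI-unaware clients
    # instead of serving them a vhost they did not ask for.
    SSLStrictSNIVHostCheck on
</VirtualHost>

# Second vhost: same address and port, different name and certificate.
<VirtualHost *:443>
    ServerName two.example.test
    DocumentRoot "htdocs/two"
    SSLEngine on
    SSLCertificateFile "conf/ssl/two.example.test.crt"
    SSLCertificateKeyFile "conf/ssl/two.example.test.key"
</VirtualHost>

# Check from a command prompt on the server (or map both names to the
# server's address in the hosts file and use a browser):
#
#   openssl s_client -connect 127.0.0.1:443 -servername one.example.test
#   openssl s_client -connect 127.0.0.1:443 -servername two.example.test
#
# Compare the "subject=" line of the certificate in each run.
#   Different certificates, each matching the requested name: SNI works.
#   The one.example.test certificate in both runs: the request fell
#   through to the default vhost, so check that the second vhost has its
#   own SSLCertificateFile/SSLCertificateKeyFile and that the file holding
#   these vhosts is actually included from httpd.conf.
```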
holziusa
Joined: 02 Jan 2008 Posts: 48
Posted: Sun 08 Apr '12 9:08 Post subject: sni.conf

i got your sni file, thanks
added vhost tested ssl build, confirmed per here:
"http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI"
which answered my former question
do i merge my sni.conf with ssl.conf, i tested the sni.conf but it uses the build from the 1st/default vhost.
i have builds for each vhost, separate name, folder etc
what reference is made in the http.conf to use sni.conf
thanks in advance

glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sun 08 Apr '12 9:48

It is just an example for our binaries to guide our users in using SNI.
If you modified ours for your stuff, you can either copy its contents to your current ssl conf file or just include it in.
Include conf/extra/httpd-sni.conf
in httpd.conf under the Include to the standard httpd-ssl.conf file.
I will mention that I've revamped that file for 2.4.2, using a stronger SSLCipherSuite since the old way is prone to the BEAST attack. There was not much reason to change it till now, since OpenSSL 1.0.1 is TLS/1.1 & 1.2 capable where 0.9.8 & 1.0.0 were not.
What's been added is at the top between the Listen 443 and SSLPassPhraseDialog
https://www.apachehaus.net/misc/httpd-sni.conf.txt

holziusa
Joined: 02 Jan 2008 Posts: 48
Posted: Sun 08 Apr '12 15:38 Post subject: SSLPassPhraseDialog

thanks 4 clearing it up
i successfully tested on Firefox 11.0
loving new "SSLPassPhraseDialog"
fyi: 1st/default vhost must add weaker cipher (TLSv1) ref "http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI" because of this SSLCipherSuite, etc. should be within your vhost
still getting same error on self-signed but
also found free ssl provider look 4 new thread