Saturday, May 12, 2018

ssl certificate - How to check apache for SNI (Server Name Indication ) availability?

I have a centos 7 server. I switched from apache 2.4.6 to apache 2.4.25 using IUS repository (https://ius.io/). My goal is to support multiple SSL certificates with a single IP.

I have installed:

  • Apache/2.4.25 (CentOS)
  • httpd24u-mod_ssl-2.4.25-3.ius.centos7.x86_64
  • openssl-1.0.1e-60.el7_3.1.x86_64

Is apache now SNI enabled?

Or do I have to build it from scratch with ./configure --with-ssl=/path/to/your/openssl as in the documentation (https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI)?

Thank you for your time.


Answer

The stock CentOS httpd & mod_ssl packages would already have supported SNI. SNI has been supported by openssl since version 0.9.8f, and any httpd since version 2.2.12 built with openssl 0.9.8f or newer will automatically support SNI.

But to check if your httpd and mod_ssl support SNI:

Simply test by configuring name-based SSL/TLS virtual hosts and check your error log after restarting (from the apache httpd wiki you already linked to):

If you configure multiple name-based virtual hosts for an address where SSL is configured, and SNI isn't built into your Apache, then upon Apache startup a message like

"You should not use name-based virtual hosts in conjunction with SSL!!"

will occur in the error log. If SNI is built in, then the error log will show

"[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)".

Alternatively use ldd to confirm that mod_ssl is linked against openssl's libssl and confirm the version:

ldd /usr/lib64/httpd/modules/mod_ssl.so
linux-vdso.so.1 => (0x00007fff323f8000)
libssl.so.10 => /lib64/libssl.so.10 (0x00007f3d99792000) <=======
libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3d993a8000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3d9918b000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f3d98f87000)
libc.so.6 => /lib64/libc.so.6 (0x00007f3d98bc6000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f3d98977000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f3d98690000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f3d9848c000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f3d98259000)
libz.so.1 => /lib64/libz.so.1 (0x00007f3d98043000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3d99c3d000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f3d97e34000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f3d97c2f000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f3d97a15000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f3d977ed000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f3d9758c000)

rpm -qf /lib64/libssl.so.10
openssl-libs-1.0.1e-60.el7_3.1.x86_64
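The two checks the answer describes, the error_log messages and the ldd/rpm version lookup, can be scripted so the result is a yes/no rather than something to eyeball. The following is an added example and is not code from the question, the answer, or the Apache project. It parses constructed copies of the ldd, rpm and error_log output modelled on the answer above, compares the openssl version found against the 0.9.8f threshold the answer gives, and classifies the startup message. The `check_live` helper, the CentOS 7 paths `/usr/lib64/httpd/modules/mod_ssl.so` and `/var/log/httpd/error_log`, and all sample log lines are assumptions of this example.

```python
"""Check whether an httpd/mod_ssl install can do SNI, using the two checks from
the answer: the openssl version behind mod_ssl's libssl, and the message httpd
writes to error_log at startup.

Added example, not code from the question or answer. All SAMPLE_* data below
is constructed from the output shown in the answer; the file paths are CentOS 7
defaults and are assumptions of this example.
"""
import re
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, str]

# Minimum openssl version the answer gives for SNI support.
SNI_MIN_OPENSSL: Version = (0, 9, 8, "f")

# The two startup messages quoted from the httpd wiki. Substring matching
# covers both the 2.2 "[warn]" prefix and the 2.4 "[ssl:warn] [pid N]" prefix.
MSG_NO_SNI = "You should not use name-based virtual hosts in conjunction with SSL"
MSG_SNI = ("Name-based SSL virtual hosts only work for clients with "
           "TLS server name indication support")

# Constructed sample output of `ldd /usr/lib64/httpd/modules/mod_ssl.so`.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 => (0x00007fff323f8000)
\tlibssl.so.10 => /lib64/libssl.so.10 (0x00007f3d99792000)
\tlibcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3d993a8000)
"""
# Constructed sample output of `rpm -qf /lib64/libssl.so.10`.
SAMPLE_RPM = "openssl-libs-1.0.1e-60.el7_3.1.x86_64"
# Constructed error_log lines in the httpd 2.4 format (timestamp and pid made up).
SAMPLE_ERROR_LOG = [
    "[Sat May 12 10:00:00.000000 2018] [mpm_prefork:notice] [pid 1234] "
    "Apache/2.4.25 (CentOS) configured -- resuming normal operations",
    "[Sat May 12 10:00:00.000000 2018] [ssl:warn] [pid 1234] Init: "
    + MSG_SNI + " (RFC 4366)",
]


def libssl_path_from_ldd(ldd_output: str) -> Optional[str]:
    """Return the resolved path on the libssl.so.* line, or None when mod_ssl
    is not linked against libssl at all (itself a sign of a broken build)."""
    for line in ldd_output.splitlines():
        m = re.match(r"\s*libssl\.so\S*\s*=>\s*(\S+)", line)
        if m:
            return m.group(1)
    return None


def parse_openssl_version(text: str) -> Optional[Version]:
    """Pull the first X.Y.Z[letter] version out of e.g. an rpm package name.
    openssl 0.9.x/1.0.x releases carry a letter suffix (0.9.8f, 1.0.1e)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def openssl_supports_sni(v: Version) -> bool:
    """Tuple comparison orders the numeric parts numerically and the suffix
    lexically, so 0.9.8 < 0.9.8e < 0.9.8f < 1.0.1e, matching openssl's scheme."""
    return v >= SNI_MIN_OPENSSL


def classify_error_log(lines: List[str]) -> str:
    """'no-sni' if httpd said it lacks SNI, 'sni' if it emitted the RFC 4366
    warning, 'unknown' if neither appears (httpd not restarted yet, or no
    name-based SSL vhosts configured, so nothing was logged either way)."""
    if any(MSG_NO_SNI in line for line in lines):
        return "no-sni"
    if any(MSG_SNI in line for line in lines):
        return "sni"
    return "unknown"


def check_live(mod_ssl: str = "/usr/lib64/httpd/modules/mod_ssl.so",
               error_log: str = "/var/log/httpd/error_log") -> str:
    """Run both checks on the local host. Paths are assumed CentOS 7 defaults."""
    ldd = subprocess.run(["ldd", mod_ssl], capture_output=True, text=True,
                         check=True).stdout
    path = libssl_path_from_ldd(ldd)
    if path is None:
        return "mod_ssl is not linked against libssl"
    pkg = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True,
                         check=True).stdout
    version = parse_openssl_version(pkg)
    if version is None:
        return f"could not parse an openssl version from {pkg.strip()!r}"
    verdict = "supports" if openssl_supports_sni(version) else "does not support"
    with open(error_log, encoding="utf-8", errors="replace") as fh:
        log_state = classify_error_log(fh.readlines())
    return f"{pkg.strip()} {verdict} SNI; error_log says: {log_state}"


if __name__ == "__main__":
    print(check_live())
```

Run it as root (or any user able to read error_log) after restarting httpd with the name-based SSL vhosts in place; until that restart the log check reports `unknown`, which is the honest answer rather than a guess.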
