Apache/GnuTLS: can’t get multiple TLS-enabled virtual hosts to work


A while ago, I set up an SSL certificate authority for our intranet, generated a bunch of certificates and ran a number of sites with them, all on the same physical host with one single Apache2 installation; one root certificate and one certificate for each virtual host. I added the root certificate to the client machines and everything was fine (i.e. all communication was protected).

Now I am trying to switch from mod_ssl to mod_gnutls. Changes to the Apache2 configuration were simple:

  • disable the SSL module: a2dismod ssl
  • enable the GnuTLS module: a2enmod gnutls
  • add a new section to /etc/apache2/ports.conf with the same contents as the SSL section:

    <IfModule mod_gnutls.c>
      NameVirtualHost *:443
      Listen 443
  • change per-site configurations in e.g. /etc/apache2/sites-available/site1.domain-ssl:

    <IfModule mod_gnutls.c> 
      <VirtualHost *:443>
        ServerAdmin  webmaster@site1.domain
        ServerName   site1.domain
        DocumentRoot /var/www/site1.domain_ssl/public_html/
        ErrorLog     /var/www/site1.domain_ssl/logs/error.log
        CustomLog    /var/www/site1.domain_ssl/logs/access.log combined
        LogLevel     debug
        # <Directory ... > settings omitted
        # old SSL configuration:
        # SSLEngine on
        # SSLCertificateFile    /etc/ssl/certs/site1.cert.pem
        # SSLCertificateKeyFile /etc/ssl/private/site1.key.pem
        # new TLS configuration
        GnuTLSEnable on
        GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
        GnuTLSCertificateFile /etc/ssl/certs/site1.domain.cert
        GnuTLSKeyFile         /etc/ssl/private/site1.domain.key

I re-created the cetificate authority root certificate from scratch, created new per-site certificates and re-deployed them. (I used to use .pem file suffix with SSL, but dropped that when switching to GnuTLS).

The problem is now that I can not access any virtual hosts.

When I try to connect to the physical host, everything seems fine:

user@host:~$ gnutls-cli-debug host
Resolving 'host'...
Connecting to ''...
Checking for SSL 3.0 support... yes
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
  ... (etc.) ...

and when I connect using gnutls-cli --x509cafile <my root cert file>, the root certificate is validated successfully.

However, when I try to connect to one of the virtual hosts, this happens:

user@host:~$ gnutls-cli-debug site1
Resolving 'site1'...
Connecting to ''...
Checking for SSL 3.0 support...|<1>| Received record packet of unknown type 60
Checking whether %COMPAT is required...|<1>| Received record packet of unknown type 60
Checking for TLS 1.0 support...|<1>| Received record packet of unknown type 60
Checking for TLS 1.1 support...|<1>| Received record packet of unknown type 60
  ... (etc.) ...

and I get error message like these in the Apache log:

[Mon May 19 17:55:35 2014] [info] [client] GnuTLS: Handshake Failed (-21) 'Could not negotiate a supported cipher suite.'
[Mon May 19 17:55:35 2014] [info] (70014)End of file found: GnuTLS: Error reading data. (-9) 'A TLS packet with unexpected length was received.'
[Mon May 19 17:59:58 2014] [error] [client] Invalid method in request \x16\x03

Of course there are plenty of Google results about these errors, but despite spending pretty much the entire weekend searching, nothing conclusive has come up.

This is all taking place under a fresh installation of the latest Debian 7.5 i386 on a VM (which I've set up to find the error, the actual intranet server is a real machine), so Apache does support SNI:

user@host:~$ aptitude show apache2-mpm-worker | grep Version
Version: 2.2.22-13+deb7u1
user@host:~$ aptitude show libapache2-mod-gnutls | grep Version
Version: 0.5.10-1.1

The mod-gnutls page explicitely states that it supports Server Name Indication, but to me, it looks like this is simply not the case.

Can anyone help me ?

Best Answer

After several discussions with dkg in #mod_gnutls on irc.indymedia.org, it turned out that the default version 0.5.10-1.1 of mod-gnutls in the latest Debian 7.5 (package name libapache2-mod-gnutls) simply does not support SNI properly - quote from the chat:

quite a lot of bugs around SNI were fixed in the latest 0.6 version

AFAICT, version 0.6 is scheduled for Debian 8 (which will be released when it's finished ;-) and there don't seem to be any backports. One workaround is to build mod-gnutls and its dependency GnuTLS from the sources; some pointers to get started here and here.