How to check apache for SNI (Server Name Indication ) availability

Tags: apache-2.4, mod-ssl, openssl, sni, ssl-certificate

I have a centos 7 server. I switched from apache 2.4.6 to apache 2.4.25 using IUS repository (https://ius.io/). My goal is to support multiple SSL certificates with a single IP.

I have installed:

  • Apache/2.4.25 (CentOS)
  • httpd24u-mod_ssl-2.4.25-3.ius.centos7.x86_64
  • openssl-1.0.1e-60.el7_3.1.x86_64

Is apache now SNI enabled?

Or do I have to build it from scratch with ./configure --with-ssl=/path/to/your/openssl as in the documentation (https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI)?

Thank you for your time.

Best Answer

The stock CentOS httpd & mod_ssl packages would already have supported SNI. SNI has been supported by openssl since version 0.9.8f and any httpd since version 2.2.12 built with openssl 0.9.8f and newer automatically will support SNI.

But to check if your httpd and mod_ssl support SNI:

Simply test by configuring name based SSL/TLS virtual hosts and check your error log after restarting (from the apache httpd wiki you already linked to):

How can you tell if your Apache build supports SNI?

If you configure multiple name-based virtual hosts for an address where SSL is configured, and SNI isn't built into your Apache, then upon Apache startup a message like

"You should not use name-based virtual hosts in conjunction with SSL!!"

will occur in the error log.
If SNI is built in, then the error log will show

"[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)".

Alternatively use ldd to confirm that mod_ssl is linked against openssl's libssl and confirm the version:

ldd /usr/lib64/httpd/modules/mod_ssl.so
    linux-vdso.so.1 =>  (0x00007fff323f8000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f3d99792000)        <=======
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3d993a8000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f3d9918b000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f3d98f87000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3d98bc6000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f3d98977000)
    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f3d98690000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f3d9848c000)
    libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f3d98259000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f3d98043000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3d99c3d000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f3d97e34000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f3d97c2f000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f3d97a15000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f3d977ed000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f3d9758c000)
rpm -qf /lib64/libssl.so.10
openssl-libs-1.0.1e-60.el7_3.1.x86_64
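As an added example (not part of the question or the answer), the following POSIX shell script automates the static check the answer describes (ldd on mod_ssl.so, rpm -qf on the resolved libssl, compared against the 0.9.8f floor) and adds a live check that asks the server for two names with openssl s_client -servername and compares the certificate subjects it presents. The module path is the one from the answer; the host and names for the live check are placeholders you supply.

```shell
#!/bin/sh
# Added example: automate the SNI checks from the answer above. The mod_ssl
# path and the 0.9.8f version floor come from the answer; hostnames passed to
# sni_live_check are placeholders.

SNI_MIN_VERSION="0.9.8f"   # first openssl release with SNI, per the answer

# Print the libssl path from ldd output read on stdin (the "<=====" line above).
libssl_from_ldd() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# Pull the upstream version (e.g. 1.0.1e) out of an rpm name such as
# openssl-libs-1.0.1e-60.el7_3.1.x86_64.
openssl_version_from_rpm() {
    printf '%s\n' "$1" | sed -n 's/^openssl[a-z-]*-\([0-9][0-9.]*[a-z]*\)-.*/\1/p'
}

# Return 0 when openssl version $1 >= $2: numeric fields are compared first,
# then the trailing patch letter (1.0.1e > 0.9.8f, 0.9.8e < 0.9.8f).
openssl_version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            ai = x[i]; sub(/[a-z]+$/, "", ai); ai += 0
            bi = y[i]; sub(/[a-z]+$/, "", bi); bi += 0
            if (ai != bi) exit (ai < bi)
        }
        la = x[3]; sub(/^[0-9]+/, "", la)
        lb = y[3]; sub(/^[0-9]+/, "", lb)
        exit (la < lb)
    }'
}

# Static check on the server: which libssl mod_ssl links against, which
# package owns it, and whether that version is new enough for SNI.
sni_static_check() {
    mod=${1:-/usr/lib64/httpd/modules/mod_ssl.so}
    lib=$(ldd "$mod" | libssl_from_ldd)
    [ -n "$lib" ] || { echo "$mod does not link libssl"; return 1; }
    ver=$(openssl_version_from_rpm "$(rpm -qf "$lib")")
    openssl_version_ge "$ver" "$SNI_MIN_VERSION" \
        && echo "$mod -> $lib (openssl $ver): SNI supported" \
        || { echo "$mod -> $lib (openssl $ver): too old for SNI"; return 1; }
}

# Live check: request two names from one address and print the certificate
# subject presented for each; differing subjects show SNI is honoured.
sni_live_check() {   # usage: sni_live_check host:443 name1.example name2.example
    for n in "$2" "$3"; do
        printf '%s -> ' "$n"
        openssl s_client -connect "$1" -servername "$n" </dev/null 2>/dev/null \
            | openssl x509 -noout -subject
    done
}

case "${1:-}" in --check) sni_static_check "$2" ;; esac
```

Run it as `sh sni-check.sh --check` on the server for the static check, then `sni_live_check yourhost:443 first.name second.name` once the name-based vhosts are configured.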