Nginx – TLS/SSL – Does SNI Have a Limit on Number of Domains Running on Nginx

nginxsnissl

SNI (Server Name Indication) is an extension to the TLS/SSL protocol, allowing the webserver to serve multiple domains on the same IP, all with different SSL server certificates. SNI discovers the SSL certificate appropriate for the domain/URL they are asking for. Before SNI, all vhosts listening on the same IP & port had to be presented with the same SSL certificate.

Anyone know if there's a limit to the number of domains that I can have serving on the same IP?

With standard http, there is no limit. I just specify a different vhost for each domain, and the webserver matches the client's "Host:" header to the matching server_name or server_alias vhost. SNI works similarly, but matches SSL certificates and there could be hundreds on one IP. I wonder if anyone knows if SNI has a limit or performs slowly with hundreds of certificates on the same IP.

Best Answer

SNI is essentially the same as the Host header in HTTP. The main difference is that the Host header is only inside the HTTP request and thus can only be seen by the web server after the TLS handshake is already successfully finished. The SNI extension instead is send within the ClientHello, i.e. the initial message sent by the client inside the TLS handshake. The server then extracts the SNI extension from the TLS handshake to find the matching configuration (which includes the certificate) the same way as it extracts the value of the Host header to find the matching configuration.

Based on this there should be no qualitative difference and no additional limit with SNI vs Host header. But there will be some quantitative difference in that more memory will be needed with SNI compared to only Host header: additionally to the HTTP part of the configuration also the SSL part needs to be kept in memory, i.e. specifically the certificate, certificate chain and private key.

Related Solutions

SSL – Multiple SSL Domains on the Same IP Address and Port

For the most up-to-date information on Apache and SNI, including additional HTTP-Specific RFCs, please refer to the Apache Wiki

FYsI: "Multiple (different) SSL certificates on one IP" is brought to you by the magic of TLS Upgrading. It works with newer Apache servers (2.2.x) and reasonably recent browsers (don't know versions off the top of my head).

RFC 2817 (upgrading to TLS within HTTP/1.1) has the gory details, but basically it works for a lot of people (if not the majority).
You can reproduce the old funky behavior with openssl's s_client command (or any "old enough" browser) though.

Edit to add: apparently curl can show you what's happening here better than openssl:

SSLv3

mikeg@flexo% curl -v -v -v -3 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
*   Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: serialNumber=wq8O9mhOSp9fY9JcmaJUrFNWWrANURzJ; C=CA; 
              O=staging.bossystem.org; OU=GT07932874;
              OU=See www.rapidssl.com/resources/cps (c)10;
              OU=Domain Control Validated - RapidSSL(R);
              CN=staging.bossystem.org
*    start date: 2010-02-03 18:53:53 GMT
*    expire date: 2011-02-06 13:21:08 GMT
* SSL: certificate subject name 'staging.bossystem.org'
       does not match target host name 'www.yummyskin.com'
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name 'staging.bossystem.org'
does not match target host name 'www.yummyskin.com'

TLSv1

mikeg@flexo% curl -v -v -v -1 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
*   Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: C=CA; O=www.yummyskin.com; OU=GT13670640;
              OU=See www.rapidssl.com/resources/cps (c)09;
              OU=Domain Control Validated - RapidSSL(R);
              CN=www.yummyskin.com
*    start date: 2009-04-24 15:48:15 GMT
*    expire date: 2010-04-25 15:48:15 GMT
*    common name: www.yummyskin.com (matched)
*    issuer: C=US; O=Equifax Secure Inc.; CN=Equifax Secure Global eBusiness CA-1
*    SSL certificate verify ok.

Ssl – Separate SSL certificate selection from virtual host configuration in apache

There's no getting around the structure of virtual hosts that Apache needs to support this configuration; the <VirtualHost> blocks need to exist and need to contain the config directives to set up the listeners.

The best you can do is something like this..

<VirtualHost *:80>
  # Give this file the directives like ServerName and DocumentRoot that
  # are the same between 80 and 443:
  Include /etc/confdir/domain-a.conf
</VirtualHost>
<VirtualHost *:443>
  # Same file as above, so config will be "shared"
  Include /etc/confdir/domain-a.conf
  # SSL directives for this domain (SSLEngine, cert config) in this file:
  Include /etc/confdir/ssl/domain-a-ssl.conf
</VirtualHost>

Best Answer

Related Solutions

SSL – Multiple SSL Domains on the Same IP Address and Port

Ssl – Separate SSL certificate selection from virtual host configuration in apache

Related Topic