apache-2.2snissl
We have a web server with a couple of internet IPs.
I have successfully set up SNI name based virtualhosts, it's working great. What I'd like to do though is have our main site NOT use SNI and use one of the unique IP addresses alone so that our browser support for that site is improved (XP/IE combinations..)
We run a very popular site which has a significant amount of users running badly outdated browsers so it's quite important to us.
Running Apache 2.2 (2.2.15-47.el6_7) on CentOS 6.
SNI is initiated by the client, so you need a client that supports it. Unless you're on windows XP, your browser will do. If your client lets you debug SSL connections properly (sadly, even the gnutls/openssl CLI commands don't), you can see whether the server sends back a server_name field in the extended hello. Note that the absence of this field only means that the server didn't use the server_name in the client hello to help pick a certificate, not that it doesn't support it.
So, in practice the easiest test is to simply try connecting. For this you need to know two names that resolve to the same IP, to which an ssl connection can be made. https is easiest as you can then simply browse to both names and see if you're presented with the correct certificate.
There are three outcomes:
A slightly more complicated test which will yield more info is to have wireshark open and capturing while browsing. You can then find the relevant packets by filtering for ssl.handshake. The screenshots below are an example of a client hello/server hello pair where SNI is supported:
Again, of course the absence of a server_name field in the server hello does not indicate that SNI is not supported. Merely that the client-provided server_name was not used in deciding which certificate to use.
Update
So for some strange reason, the problem seems to have resolved itself.
Perhaps it's some sort of strange caching issue or something (though I have apache2ctl stop/start/restart and sudo service apache2 stop/start/restart/reloaded many times and have performed tests locally on the server as well as using several different machines).
Feel free to take this question down or leave it up if it serves as any sort of reference.
Thanks for all the help guys!
Best Answer
As others have stated just put the first site as the first virtual host and it will work whether SNI is enabled or not:
However non-SNI browsers to site 2 will be served the certificate for site1 and so will error (and the users might wonder why they've got a certificate for a different site, though if still on non-SNI browsers they are probably not that tech savvy).
However, it is possible to provide access to all users for all your sites, despite the apparent SNI issue, if you have a single certificate that covers all the sites subject alternative name field.
You can then have two virtual hosts using the same key and cert:
So you have the same key and certificate for two sites (or three, or more if you want).
So www.site1.com always works as, even without SNI support it's the default host.
For www.site2.com it gets more interesting:
So this works because a https connection involves two distinct and unrelated steps: 1) do SSL negotiation and 2) request document using that SSL connection, and these two steps do not have to be from the same virtual host (though most people assume it does).
The main downside with this option is that, depending how closely related the websites are, it may look unprofessional to have two different URLs on the same certificate. However, presumably if they are sharing a host, they are somewhat related businesses (unless the server is owned by a hosting company) so this may not be an issue.
I find this a handy little workaround, especially for dev servers where I might want to host several sites on one IP address, where I use self-signed cents with multiple URL in the subject alternative name field.