Gentoo: TLS/SSL and name-based Apache virtual hosts using mod_ssl

With the introduction of the TLS SNI extension (transport layer security server name indication), name-based virtual hosts (i.e. virtual hosts sharing the same IP address) can now use distinct SSL certificates.

Here’s how to configure TLS SNI on Gentoo, using Apache:

1) DON’T try to set up TLS SNI using mod_gnutls. When I tried it on January 30, 2009, mod_gnutls still seemed to be too experimental and unstable for reliable TLS SNI (I observed some non-deterministic behaviour).

2) It does work fine though with a reasonably current version of OpenSSL and a patched Apache mod_ssl. And here, Gentoo shines once again: With Gentoo, you don’t need to manually patch Apache or OpenSSL! All you have to do is add the “sni” use flag to Apache in /etc/portage/package.use:

www-servers/apache sni

and remerge Apache (’emerge -auDNv apache’).

Note that Gentoo’s OpenSSL is already SNI-enabled by default (since openssl-0.9.8g-r2.ebuild) – remerge/update OpenSSL if required.

The configuration of SNI-enabled name-based virtual hosts in Apache is transparent, i.e. works the same way as for SSL-enabled, non-SNI name-based virtual hosts (of course you’ll want to use different certificates for every virtual host and specify them, as explained on Kaspar Brand’s TLS SNI test site).

Have fun!