How to setup TLS with SNI ?

Da JoJo
19 March 2013, 21:46
Hi,

I tried to set up my webserver to use TLS with SNI but it seems not to work.
I removed the line from the bind for port 443 and added the line to the virtual host, as the manual says to use it for SNI:

VirtualHost {
Hostname = www.website.nl, *.website.nl
SSLcertFile = C:\Program Files\Hiawatha\config\certificate.pem
}

But I get a plain HTTP over HTTPS connection.
When I put it in the Hiawatha config in the Bind {} for port 443 it works.
But I need at least 3 different certs on the same server IP and I would like to use this feature.
IE10 supports this: 4096 bit keys and TLS 1.1 and 1.2. Firefox sucks and does not support it, perhaps next year (Foutcode: ssl_error_protocol_version_alert).
Chrome supports it too. I have no idea if they support SNI, but I guess IE10 does. Alas, it is not working.
Am I doing anything wrong or am I missing something?


Hiawatha version: 8.8.1
Operating System: windows 7 x64 ultimate
Hugo Leisink
20 March 2013, 10:11
You need to include the SSLcertFile option in the binding section, so Hiawatha knows it's a TLS/SSL binding. The specified certificate will be the default one. Also use the SSLcertFile option in a virtualhost section if you want to enable SNI. So, in your case you need to use the SSLcertFile four times, one in the binding section and three in virtualhost sections.
Da JoJo
20 March 2013, 17:01
Ah, thanks.
Turned out the private key got screwed.
I have 3 different website names: domaina.nl, domainb.nl and domainc.nl.
If I put the certificate in the binding for SSL port 443 it is the one for domaina.nl, so when I connect to domainb.nl it will say it's domaina.
Do I need to make different bindings?
Trying to understand the principle here lol.. confusing as it is.
Btw, for the SSL certificate one can omit the CA cert as it is in the browser already and causes traffic like 1 handshake for nothing.
decrypted private key > server cert > intermediary cert is enough
Congratulations on reaching the A status on SSL Labs, scoring highest of all. This is really great Hugo.
Good news also is that due to my showcase the Dutch firm ESTEC is going to use your server as well. With your wellbeing of course.
Hugo Leisink
20 March 2013, 17:57
What you need is a configuration like this:
Binding {
Port = 443
SSLcertFile = default.pem # this could be one of the domain[abc].pem files
}

virtualhost {
Hostname = domaina.nl
...
SSLcertFile = domaina.pem
}

virtualhost {
Hostname = domainb.nl
...
SSLcertFile = domainb.pem
}

virtualhost {
Hostname = domainc.nl
...
SSLcertFile = domainc.pem
}
For this to work, your browser needs to support SNI, which most modern browsers do. If a file from domaina.nl, domainb.nl or domainc.nl is requested, the according certificate will be used. For a file from any other virtual host or the default host, the certificate from default.pem will be used.

with ur wellbeing offcourse

Well, of course!
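A way to check from the outside that a setup like the one above really hands out a different certificate per hostname (an added example for this thread, not code from Hiawatha or from anyone in the discussion): connect to the server once per name, send that name as SNI, and compare the DNS names in the presented certificate with the name that was requested. The host, port, hostnames and `cafile` (your own CA, since the thread uses a private CA) are placeholders to be replaced.

```python
import socket
import ssl


def cert_dns_names(cert):
    """Collect the DNS names a certificate is valid for.

    `cert` is the dict returned by ssl.SSLSocket.getpeercert(); SAN entries
    take precedence, the subject CN is used only when no SAN is present.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Match like a browser does: '*.website.nl' covers exactly one extra label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def cert_covers(cert, hostname):
    """True if any name in the certificate matches the requested hostname."""
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))


def probe_sni(host, port, server_name, cafile=None):
    """Open one TLS connection sending `server_name` as SNI and return the
    presented certificate. The chain is still validated against `cafile`, but
    hostname checking is off so a wrong-certificate answer is reported, not raised."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()


def check_sni(host, port, hostnames, cafile=None):
    """Return {hostname: bool}: did each SNI name get a certificate that covers it?"""
    return {h: cert_covers(probe_sni(host, port, h, cafile), h) for h in hostnames}


if __name__ == "__main__":
    # Placeholder values; replace with your server IP, CA file and the virtualhost names.
    print(check_sni("192.0.2.10", 443, ["domaina.nl", "domainb.nl", "domainc.nl"], "ca.pem"))
```

A name that maps to False means the server fell back to the binding's default.pem for that SNI, which is exactly the symptom described in this thread.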
Da JoJo
20 March 2013, 23:05
Ah great, that explains a lot. I will try to accomplish this.
Btw, thank you so much for all the time and effort you put in this super webserver and the explanations you give. Really rocks.

I got 97% A status on SSL Labs for my website.. this is pretty amazing!

Server key: RSA 4096 bits, signature algorithm SHA256withRSA
Private intermediate server CA key: RSA 2048 bits, SHA256withRSA
CA key: RSA 4096 bits / SHA1withRSA
Protocols supported: TLS 1.1 and TLS 1.2 only (forced with MinSSLversion)
Cipher suite used: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 4096 bits (p: 512, g: 1, Ys: 512) 256
Da JoJo
20 March 2013, 23:09
IE10 > supports everything.. you have to turn on support for TLS 1.1 and TLS 1.2 in the advanced settings. All protection modes on, works great.
Chrome > supports natively up to TLS 1.1. On TLS 1.2 you get an SSL cipher error.
Firefox > totally sucks. No TLS 1.1 nor TLS 1.2. Does not come up with the right error code. Messes up totally.
Opera > no idea, don't use it.
Hugo Leisink
21 March 2013, 10:31
Yup, those Mozilla guys are very stubborn in not supporting TLS/1.1 and TLS/1.2 yet. Their excuse is that only a few webservers support TLS/1.1, which is bullshit. However, NSS, the crypto library Mozilla uses, recently included support for TLS/1.1. So, maybe Mozilla will soon come to its senses.
Da JoJo
21 March 2013, 11:42
Yes, I spoke to them and they are going to implement it.. on the other hand.. that's what they have been telling us for a couple of years now.
The few webservers supporting it would be Hiawatha, Apache, nginx, IIS.. this is the majority of webservers lol.
The crypto lib has supported TLS 1.2 already for at least a year. TLS 1.1 is going to be implemented in the 19.1 beta version of Firefox.