所以步驟如下
1.更新Openssl至0.9.8j以後或最新
2.啟用SSL虛擬網站,在httpd-ssl.conf 設定NameVirtualHost
3.在httpd-ssl.conf SSLStrictSNIVHostCheck off ←這段要自己加
基本上這樣就完工前置作業了,剩下比照一般SSL網站新增即可!
慢著… 有這麼簡單的話,我還需要一周的血和淚測試嗎?當然沒有,因為你八成會遇到下列一個問題!
Q3.yum update openssl 只到0.9.8e 如何手動更新到最新?
Q4.就算openssl更新到最新了,apache也設定完了,重新啟動apache時出現「OpenSSL is not built with support for TLS extensions」 一樣GG?
This week in exchange for the blood and tears of experience to share ..
Working Background: CentOS, Apache2 (built-in self and are tested)
OpenSSL is not built with support for TLS extensions
Common Apache + mod_ssl + openssl to complete the job site SSL encryption.
But if there is a host on a virtual host, when you install the second SSL certificate, you will find what is wrong means, the host does not recognize the second or subsequent certificate!
This is because the OpenSSL default authentication method is IP-BASE, a IP on a certificate.
Want to solve this way has updated OpenSSL to 0.9.8J later, there is support SNI mode (Server Name Indication) vernacular is to use the URL to identify the certificate.
Introduction
According to the classical early SSLv2 Public Key Infrastructure PKI (Public Key Infrastructure) design, it defaults to that: a server (or an IP) will only provide a service, so the SSL handshake, the server can be sure that the client application which certificates.
But people never imagined that web hosting vigorously developed, which resulted in a situation corresponding to a plurality of IP will domain names. Some solutions, such as pan-domain certificate application, all * .yourdomain.com domain can be authenticated, but if you have a yourdomain.net domain, it is not.
In the HTTP protocol, the request of the domain name as the host header (Host) on the HTTP Header, so the server knows which domain should be directed to the request, but early SSL can not do this, because the SSL handshake process, Host will not have the information, so the server-side configuration is usually returned in the first available certificate. Thus some older environment, may produce multi-domain certificates are a good job, but the return is always the same.
Since the cause of the problem is the lack of host header information when SSL handshake, then fill it wants.
SNI (Server Name Indication, meaning “Server Name Indication”) is defined in RFC 4366, is an improvement for SSL / TLS technology is enabled in SSLv3 / TLSv1 in. It allows a client to initiate SSL handshake request (specifically, the client sends SSL requests ClientHello stage), Host submitted the requested information so that the server can switch to the correct field and returns the corresponding certificates.
To use the SNI, requires the client and the server at the same time to meet the conditions, but fortunately for modern browsers, most support SSLv3 / TLSv1, so you can enjoy the convenience brought by SNI.
Emphasis
Simple introductions, here I speak directly to the vernacular.
Q1. How to make Apache for HTTPS encryption work?
A1: openssl installed and enabled mod_ssl (teaching a bunch on the web)
Q2. There are many virtual hosts sites, each would like to have an SSL certificate, but how loaded fail, Why?
A2. Because you have not enabled the openssl SNI host function
Well, see here is to know, only Bahrain openssl and mod_ssl is not enough, but also to enable SNI functions can allow the host to support multiple SSL!
General CentOS5.X probably built openssl version 0.9.8e, but unfortunately, at least to have a later version to 0.9.8J SNI.
Therefore, the following steps
1. Update Openssl to 0.9.8j or later date
2. Enable SSL virtual website, httpd-ssl.conf set NameVirtualHost
3. httpd-ssl.conf SSLStrictSNIVHostCheck off ← This add it myself
This basically completed the pre-work, and the rest can be added cf. general SSL site!
Wait … there are so simple, I still need a week to test blood and tears? Of course not, because you’ll probably experience one problem!
Q3.yum update openssl 0.9.8e only how to update to the latest manual?
Q4. Even if the latest update to the openssl, apache also set finished, there ‘OpenSSL is not built with support for TLS extensions “as GG when you restart apache?
These two issues are relatively relations, openssl is not updated to the latest case, the set will be complete apache Q4 problems, even if the latest update to the problems still arise Q4, says opensll update untrue.
If the self-made Apache please recompile Apache again after the update finished OPENSSL
Manually update the OpenSSL teaching (here is the essence of a week in exchange for experience, here you see the article really earn, no solution on the web)
0. The first use yum install built-openssl
1. go openssl official website to download the latest zip file and unzip into the directory
2. Run “./config -prefix = / usr -openssldir = / usr / local / openssl enable-tlsext shared” Please execute verbatim contain symbols
3. then make install
4. Complete the installation view opensll version openssl version should then appear on the latest version of the version number!
Well, if you are using the built-in apache, to the side has been completed, the computer should be re-opened after it OK, but if you are self-compiled apache, then compile apache needed additional parameters, refer to the following
“-enable-Ssl -with-ssl = / usr / local / openssl”
Then recompile PHP should let him support openssl, compiled the following parameters “-with-openssl”
To be considered formally completed here!
Finally, remember to turn on the firewall 443 ah !!
Blue part is I tried out a week after the trial experience, very precious ………
To commemorate the week of brain cells I decided to write this article
