I’ve been looking for a solution to this problem for a long time.
Basically apache2 is not able to do name-based virtual hosting if you
also want to use SSL. The reason for this problem is very simple. In
order to learn the hostname, apache2 needs to establish a secure
channel, but to establish a secure channel when there is more than one
virtual host, it already needs to know the hostname, so that it can
provide the client with the correct certificate. There is also a better
explanation on the apache website [1].
The correct solution to this problem is to use the TLS extension
called SNI [2]. This is provided by two different apache modules:
mod_gnutls and mod_ssl.
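To make the chicken-and-egg problem above concrete, here is an added example (not code from this post, from Apache, or from either module) that builds a minimal TLS ClientHello, parses the SNI extension out of it the way an SNI-aware server does, and picks the virtual host whose certificate to present. The ClientHello bytes and the vhost table are constructed for the example; a ClientHello built without a hostname stands in for a pre-SNI client, which a server can only answer with its default virtual host's certificate.

```python
import struct

# TLS constants (RFC 5246 record/handshake layer, RFC 6066 server_name extension)
HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST_NAME = 0x00


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record. hostname=None omits the
    SNI extension entirely, which is what pre-SNI clients send. Constructed
    test data only, not a capture."""
    body = b"\x03\x03"                            # client_version: TLS 1.2
    body += b"\x11" * 32                          # random (fixed, constructed)
    body += b"\x00"                               # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"    # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                           # compression_methods: null only
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello
    record, or None when there is no SNI (or the record is not a ClientHello).
    The name is read before any key exchange happens, which is exactly what
    lets the server choose a certificate for the right virtual host."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                  # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # skip compression_methods
    if len(body) < pos + 2:
        return None                               # no extensions block: old client
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME or len(data) < 2:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len and q + 3 <= len(data):
            ntype, nlen = struct.unpack("!BH", data[q:q + 3])
            q += 3
            name = data[q:q + nlen]
            q += nlen
            if ntype == NAME_TYPE_HOST_NAME:
                return name.decode("ascii", "replace")
    return None


def select_vhost(record, vhosts, default):
    """Mimic the server side: serve the certificate of the vhost named by SNI,
    and fall back to the default vhost for clients that sent no SNI.
    vhosts maps hostname -> certificate label (hypothetical table)."""
    return vhosts.get(extract_sni(record), default)


if __name__ == "__main__":
    table = {"a.example.org": "cert-a", "b.example.org": "cert-b"}
    for host in ("a.example.org", "b.example.org", None):
        hello = build_client_hello(host)
        print(host, "->", extract_sni(hello), "->", select_vhost(hello, table, "cert-default"))
```

The fallback in `select_vhost` is the caveat to keep in mind when deploying SNI: a client that does not send the extension cannot be told apart from one asking for the default site, so it gets the default certificate and, if that does not match the name it typed, a certificate warning.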
There are two nice tutorials, one for mod_ssl [3] and the other for
mod_gnutls [4]. If you are running lenny (debian testing at the time
of writing), you can just install mod_gnutls. If you are running etch,
then your best bet is to recompile apache with the mod_ssl patch to
support SNI. The first tutorial [3] is about the latter option. The
patch can be downloaded from this website [5], also mentioned in [3].
The tutorial explains how to recompile the package. The only thing
I’ve done is to use pbuilder to automate the process. In particular,
if you’re building the apache2 package in pbuilder, you need to
recompile openssl first, install it into your pbuilder image, and
then build apache. This is the command I’ve used to add the package.
sudo /usr/sbin/pbuilder --login --save-after-login --bindmounts /var/cache/pbuilder/
# inside the pbuilder chroot, install the freshly built openssl packages:
dpkg -i /var/cache/pbuilder/results/libssl*.deb /var/cache/pbuilder/results/openssl*.deb
So far so good. I’ve saved myself a big headache. :)
[1] http://httpd.apache.org/docs/2.1/ssl/ssl_faq.html#vhosts2
[2] http://en.wikipedia.org/wiki/Server_Name_Indication
[3] http://www.how2forge.org/enable-multiple-https-sites-on-one-ip-using-tls-extensions-on-debian-etch
[4] http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/
[5] https://dave.sni.velox.ch/