name-based virtual hosting with ssl

I’ve been looking for a solution to this problem for a long time. Basically, apache2 is not able to do name-based virtual hosting if you also want to use SSL. The reason is simple. The Host header that names the virtual host travels inside the encrypted channel, so to learn the hostname apache2 first needs to establish a secure channel; but to establish that channel when there is more than one virtual host, it already needs to know the hostname, in order to present the client the correct certificate. There is also a better explanation on the apache website [1].

The correct solution to this problem is to use the TLS extension called SNI (Server Name Indication) [2], which lets the client send the hostname in the clear in its very first handshake message, before the server has to choose a certificate. This is provided by two different apache modules: mod_gnutls and mod_ssl.

There are two nice tutorials, one for mod_ssl [3] and the other for mod_gnutls [4]. If you are running lenny (debian testing at the time of writing), you can just install mod_gnutls. If you are running etch, then your best bet is to recompile apache with the mod_ssl patch that adds SNI support. The first tutorial [3] is about the latter option. The patch can be downloaded from this website [5], also mentioned in [3].

The tutorial explains how to recompile the package. The only thing I’ve done differently is to use pbuilder to automate the process. In particular, if you’re building the apache2 package in pbuilder, you need to recompile openssl first (the openssl shipped with etch lacks the TLS extension support the patched mod_ssl needs), install the resulting packages into your pbuilder image, and only then build apache. These are the commands I’ve used to add the packages.

sudo /usr/sbin/pbuilder --login --save-after-login --bindmounts /var/cache/pbuilder/

and then, inside the chroot, where the bind mount makes the freshly built packages visible (--save-after-login writes the changes back to the base image when you log out, so the next build of apache2 sees them):

dpkg -i /var/cache/pbuilder/results/libssl*.deb /var/cache/pbuilder/results/openssl*.deb

So far so good. I’ve saved myself a big headache.

:)

[1] http://httpd.apache.org/docs/2.1/ssl/ssl_faq.html#vhosts2

[2] http://en.wikipedia.org/wiki/Server_Name_Indication

[3] http://www.how2forge.org/enable-multiple-https-sites-on-one-ip-using-tls-extensions-on-debian-etch

[4] http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

[5] https://dave.sni.velox.ch/