Server Name Indication

With Server Name Indication (SNI) support, IBM HTTP Server can select a separate certificate label based on the hostname requested by the client. This is configured either by defining name-based SSL virtual hosts or by using the SSLSNIMap directive. Other handshake-related settings from a name-based virtual host cannot be used with SNI.


Definitions for SNI

  • Each virtual host with a matching address-spec, such as "*:443", forms a name-based virtual host group.

  • The first listed virtual host in a name-based virtual host group is the default virtual host.


Requirements for SNI

  • The default virtual host must specify the SNI argument to the SSLServerCert directive.

  • Only virtual hosts with a single address-spec (such as "*:443") can participate in SNI.

  • Non-default virtual hosts in a name-based virtual host group must not contain directives from this module other than the SSLServerCert and SSLEnable directives.

  • "invalid" is a reserved server name. Virtual hosts must not specify "ServerName invalid".

Forms of SNI

There are two forms of SNI:

  1. In the first form of SNI, only a single virtual host is used, and the SSLSNIMap directive is used to map between host names and certificate labels.
    <virtualhost *:443>
      ServerName example.com
      SSLEnable SNI
      SSLServerCert default
      SSLSNIMap a.example.com sni1-rsa
      SSLSNIMap a.example.com sni1-ecc
      SSLSNIMap b.example.com sni2
    </virtualhost>

  2. In the second form of SNI, a series of virtual hosts are created, and the mapping from hostnames to certificate labels is via ServerName, non-wildcard ServerAlias, and SSLServerCert.
    <virtualhost *:443>
      ServerName example.com 
      SSLEnable SNI
    </virtualhost>
    <virtualhost *:443>
      ServerName a.example.com 
      SSLEnable 
      SSLServerCert sni1
    </virtualhost>
    <virtualhost *:443>
      ServerName b.example.com 
      ServerAlias other.example.com
      SSLEnable
      SSLServerCert sni2
    </virtualhost>
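
A linter for the requirements listed above, as an added example that is not part of IBM's documentation or tooling. It assumes the SSL module's directives can be recognised by their `SSL` prefix and accepts the SNI argument on either SSLEnable (as in the examples) or SSLServerCert (as the requirement is worded); `parse_vhosts`, `lint_sni` and `SAMPLE` are hypothetical names, and the sample configuration is constructed.

```python
import re

# Assumption: the SSL module's directives are recognised by their "SSL" prefix.
ALLOWED_NON_DEFAULT = {"sslservercert", "sslenable"}

def parse_vhosts(conf):
    """Return [(address_specs, [(directive, args), ...])] in file order."""
    vhosts = []
    for specs, body in re.findall(r"(?is)<virtualhost\s+([^>]+)>(.*?)</virtualhost>", conf):
        lines = [l.split() for l in body.splitlines() if l.strip() and not l.strip().startswith("#")]
        vhosts.append((specs.split(), [(l[0].lower(), [a.lower() for a in l[1:]]) for l in lines]))
    return vhosts

def lint_sni(conf):
    """Check a configuration against the SNI requirements; return findings."""
    findings, groups = [], {}
    for specs, dirs in parse_vhosts(conf):
        names = [a[0] for d, a in dirs if d == "servername" and a]
        label = names[0] if names else "(no ServerName)"
        if "invalid" in names:
            findings.append(f"{label}: 'invalid' is a reserved server name")
        if len(specs) != 1:
            findings.append(f"{label}: several address-specs, cannot participate in SNI")
        elif any(d.startswith("ssl") for d, _ in dirs):
            groups.setdefault(specs[0], []).append((label, dirs))
    for spec, ((label, dirs), *others) in groups.items():
        needs_sni = others or any(d == "sslsnimap" for d, _ in dirs)
        # SNI argument accepted on SSLEnable (the examples) or SSLServerCert (the wording).
        if needs_sni and not any(d in ALLOWED_NON_DEFAULT and "sni" in a for d, a in dirs):
            findings.append(f"{label}: default virtual host for {spec} lacks the SNI argument")
        for other, odirs in others:
            findings += [f"{other}: {d} is not allowed in a non-default virtual host"
                         for d, _ in odirs if d.startswith("ssl") and d not in ALLOWED_NON_DEFAULT]
    return findings

# Constructed sample that breaks three of the requirements.
SAMPLE = """<VirtualHost *:443>
  ServerName example.com
  SSLEnable
</VirtualHost>
<VirtualHost *:443>
  ServerName invalid
  SSLEnable
  SSLProtocolDisable TLSv10
</VirtualHost>"""

if __name__ == "__main__":
    print("\n".join(lint_sni(SAMPLE)))
```

Both forms shown above pass this check with no findings.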

