Server Name Indication
You can configure a separate certificate label with Server Name Indication (SNI) support for IBM HTTP Server, based on the host name that the client requests in the TLS ClientHello. The configuration can be done either by defining name-based SSL virtual hosts or by using the SSLSNIMap directive. Only the certificate label can be selected per host name: other handshake-related settings (such as ciphers, protocols, and client authentication) cannot be set in a name-based virtual host with SNI. Note that the requested host name travels unencrypted in the ClientHello, so SNI selects a certificate but does not hide which site the client is contacting.
Definitions for SNI
- All virtual hosts that share the same address-spec, such as "*:443", form a name-based virtual host group.
- The first listed virtual host in a name-based virtual host group is the default virtual host; it is used when the client sends no SNI extension or a host name that no virtual host matches.
Requirements for SNI
- The default virtual host of each group must specify the SNI argument on its SSLServerCert directive.
- Only virtual hosts with a single address-spec (such as "*:443") can participate in SNI.
- Non-default virtual hosts in a name-based virtual host group must not contain directives from the SSL module (mod_ibm_ssl) other than SSLServerCert and SSLEnable.
- "invalid" is a reserved server name. Virtual hosts must not specify "ServerName invalid".
Forms of SNI
There are two forms of SNI:
- In the first form of SNI, only a single virtual host is used, and the SSLSNIMap directive is used to map between host names and certificate labels. The SNI argument on SSLServerCert marks this virtual host as the SNI default; mapping the same host name twice, as with a.example.com below, lets the server supply different certificates (here an RSA and an ECC certificate) for that name.

    <virtualhost *:443>
    ServerName example.com
    SSLEnable
    SSLServerCert SNI default
    SSLSNIMap a.example.com sni1-rsa
    SSLSNIMap a.example.com sni1-ecc
    SSLSNIMap b.example.com sni2
    </virtualhost>
- In the second form of SNI, a series of virtual hosts is created, and the mapping from host names to certificate labels is via ServerName, non-wildcard ServerAlias, and SSLServerCert. The first virtual host is the default and carries the SNI argument on SSLServerCert; the non-default virtual hosts contain only SSLEnable and SSLServerCert from the SSL module.

    <virtualhost *:443>
    ServerName example.com
    SSLEnable
    SSLServerCert SNI default
    </virtualhost>

    <virtualhost *:443>
    ServerName a.example.com
    SSLEnable
    SSLServerCert sni1
    </virtualhost>

    <virtualhost *:443>
    ServerName b.example.com
    ServerAlias other.example.com
    SSLEnable
    SSLServerCert sni2
    </virtualhost>
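The following linter checks a configuration against the SNI definitions and requirements listed above before the server is restarted. It is an added example, not IBM's code or part of IBM HTTP Server; it assumes a simple configuration (no Include, only <VirtualHost> containers) and approximates "directives from the SSL module" as every directive whose name begins with SSL plus KeyFile. The sample configurations embedded in it are constructed for the example; the third one breaks each rule once.

```python
import re

# Constructed sample configurations. The first two follow the two forms of SNI
# described above; the third breaks each listed requirement exactly once.
FORM1 = """\
<virtualhost *:443>
ServerName example.com
SSLEnable
SSLServerCert SNI default
SSLSNIMap a.example.com sni1-rsa
SSLSNIMap a.example.com sni1-ecc
SSLSNIMap b.example.com sni2
</virtualhost>
"""

FORM2 = """\
<virtualhost *:443>
ServerName example.com
SSLEnable
SSLServerCert SNI default
</virtualhost>
<virtualhost *:443>
ServerName a.example.com
SSLEnable
SSLServerCert sni1
</virtualhost>
<virtualhost *:443>
ServerName b.example.com
ServerAlias other.example.com
SSLEnable
SSLServerCert sni2
</virtualhost>
"""

BROKEN = """\
<virtualhost *:443>
ServerName example.com
SSLEnable
SSLServerCert default
</virtualhost>
<virtualhost *:443>
ServerName a.example.com
SSLEnable
SSLServerCert sni1
SSLClientAuth Required
</virtualhost>
<virtualhost *:443>
ServerName invalid
SSLEnable
SSLServerCert sni2
</virtualhost>
<virtualhost *:443 *:8443>
ServerName c.example.com
SSLEnable
SSLServerCert sni3
</virtualhost>
"""

VHOST_OPEN = re.compile(r"<virtualhost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"</virtualhost>", re.IGNORECASE)

# Only these SSL-module directives may appear in a non-default SNI virtual host.
ALLOWED_IN_NON_DEFAULT = {"sslenable", "sslservercert"}


def is_ssl_module_directive(name):
    # Assumption: SSL-module directives are the SSL* ones plus KeyFile.
    n = name.lower()
    return n.startswith("ssl") or n == "keyfile"


def parse_vhosts(text):
    """Return [(address_specs, [(directive, args), ...]), ...] in file order."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.fullmatch(line)
        if m:
            current = (m.group(1).split(), [])
            vhosts.append(current)
        elif VHOST_CLOSE.fullmatch(line):
            current = None
        elif current is not None:
            parts = line.split()
            current[1].append((parts[0], parts[1:]))
    return vhosts


def lint_sni(text):
    """Return a list of rule violations; an empty list means the SNI rules hold."""
    problems, groups = [], {}
    for specs, directives in parse_vhosts(text):
        server_name = next((a[0] for d, a in directives if d.lower() == "servername" and a), None)
        label = server_name or "<no ServerName>"
        if server_name and server_name.lower() == "invalid":
            problems.append(f"{label}: 'invalid' is a reserved server name")
        if len(specs) != 1:
            problems.append(f"{label}: {len(specs)} address-specs; only single-address virtual hosts can use SNI")
            continue
        groups.setdefault(specs[0].lower(), []).append((label, directives))
    for spec, members in groups.items():
        default_label, default_dirs = members[0]  # first listed vhost is the default
        uses_sni = len(members) > 1 or any(d.lower() == "sslsnimap" for d, _ in default_dirs)
        if not uses_sni:
            continue  # a lone vhost without SSLSNIMap is plain SSL, not SNI
        if not any(d.lower() == "sslservercert" and any(x.upper() == "SNI" for x in a)
                   for d, a in default_dirs):
            problems.append(f"{default_label} ({spec}): default virtual host lacks 'SSLServerCert SNI ...'")
        for label, dirs in members[1:]:
            for d, _ in dirs:
                if is_ssl_module_directive(d) and d.lower() not in ALLOWED_IN_NON_DEFAULT:
                    problems.append(f"{label} ({spec}): {d} is not allowed in a non-default SNI virtual host")
    return problems


if __name__ == "__main__":
    for name, cfg in (("form1", FORM1), ("form2", FORM2), ("broken", BROKEN)):
        print(name, lint_sni(cfg) or "ok")
```

After the server is restarted, confirm the mapping from the outside with openssl s_client, for example "openssl s_client -connect host:443 -servername a.example.com | openssl x509 -noout -subject", once per host name and once with no -servername to see which certificate the default virtual host presents.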