Froxlor Forum

SSL per domain / SNI (Feature #365)


maxwinkel

Question

Hi all,

 

I just upgraded from 0.9.29-rc(1 / 2 ?) to 0.9.31.2, mainly because of the missing SNI feature (and the IPv4/IPv6 dualstack :)).

 

According to http://redmine.froxlor.org/issues/365, SNI configuration (SSL certificate configuration per domain) should be available in this release. But in the domain configuration I don't see any inputs to configure the certificate files. Am I missing something or is it just not done yet?

 

I am using Debian 7 with Apache 2.2 and OpenSSL 1.0.1e. In principle SNI works for me as I configured it manually in the domain's vhost settings. But this is a bit dirty since the SSL options will then also be inserted into the non-SSL configuration file. For the certificate configuration this is alright, because without "SSLEngine On" it will just be ignored. But for some SSL redirections this is a bit painful because it requires some rather complex rewrite conditions.

 

Thank you!

 

Best regards,

 

Max


8 answers to this question


Hi d00p!

 

Thank you. With your help I finally found it.

I was searching for the features as admin.

 

I've got two more questions:

  1. Are the certificates (and the private keys) stored in the database (perhaps temporarily)? If yes (which I assume), this is very critical since the private key must be kept private under all circumstances. Storing the private key in a database is perhaps not the best idea. Is it possible (or planned) to just give the path of the certificate and the key file instead of pasting the content into the text field? Keeping files private is easier than keeping MySQL data private.
  2. Is it possible (or planned) to set the certificate data from within the admin view?

Best regards,

 

Max

 

PS (this time in German): Cool film selection on your Amazon wish list. I hope it is still up to date? :)


1. The keys actually are stored in the database - which is because a customer cannot put files onto the server (only in his docroot, which would be stupid because then the file could be downloaded). It is possible to define files for IP/Ports - but not for domains (because these are admin-side settings).

 

2. Neither possible nor planned. As admin, you can always switch to the customer you want to edit the domain for.

 

PS: Thanks, and yes, it is still current :)


d00p, can you give me a little guidance with SSL?

I don't know a lot about it, obviously...

 

Do I need a separate ip? I'm currently on a VPS so I don't understand. I'd have to assign the domain the IP it's already using.

So under the SSL config in the IP administration it asks for paths to different files. Obviously I could add these and such, but how does it work so that my customers each have their own SSL certificate or whatever?

Sorry for the misunderstanding/lack of knowledge,

 

-Lane


Hi Lane,

 

let me give you a short introduction to SSL: For quite some time it was indeed only possible to have one SSL certificate per IP address. This is because name-based virtual hosting is (was) not compatible with the concept of SSL certificates: During the SSL handshake (which is performed right after the TCP/IP connection is established), the server has to provide a certificate which includes the hostname the client is connecting to. But: if there are several hostnames for one and the same IP address, the server cannot know the hostname the client is requesting and cannot offer the correct certificate (the hostname will be transferred later as an HTTP header). Therefore, it was so far only possible to define one certificate per IP.

 

A rather new technique called SNI (Server Name Indication) solved that problem by transferring the hostname unencrypted as part of the SSL handshake. Now the server knows which certificate to offer. It is by now supported by most web browsers.

 

Froxlor offers both possibilities: You can either store one certificate file per IP on the server and provide the path name to the certificate in the IP config, or the customer may specify the certificates content for each domain in the domain config.

 

In both cases you usually need two or three files: the certificate, which is the signed public RSA/DSA key together with some meta information (like the hostname(s) it is valid for), the private key for the certificate, and optionally a certificate chain (that is a collection of intermediate certificates needed to verify the signature of your certificate against a known root (CA) certificate). Usually you have to generate a private/public key pair (using openssl), generate a certificate signing request (CSR) and have it signed by some CA provider. You will then get the certificate and, if needed, a chain file.

 

I hope, this is helpful :)

 

Best regards,

 

Max


I really appreciate the explanation Max.

Help me understand a little further please, maybe a little more practical.

Can you direct me to how I would setup an SSL certificate? Do I need to pay? 

My SSL settings look like so...

[screenshot of the SSL settings]

Frankly I don't understand where to go from here... Because I've heard/read that you have to pay for an SSL certificate and such.

Sorry man,

-Lane


That is true. You can either BUY a "real" ssl-certificate or you can create a SELF-SIGNED certificate. A very nice tutorial can be found here: http://www.akadia.com/services/ssh_test_certificate.html

 

You will then have to add an IP/Port in froxlor with port 443 and SSL-enabled (at the bottom). Now you will be able to assign this SSL-enabled IP to any of your domains. That's it.


Hi,

 

I want to comment a bit on the tutorial:

First of all, I would recommend a minimum key length of 2048 bit. I always use 4096 bit. On most systems this should not affect the performance but gives a great benefit for security. But if in doubt, 2048 should also be alright.

 

If you want to have a self-signed certificate, you can also get it in one step:

 

openssl req -new -newkey rsa:4096 -keyout filename.key.pem -nodes -x509 -days 365 -out filename.cert.pem

 

-newkey rsa:4096 will generate an RSA key with a length of 4096 bit

-nodes tells the program not to encrypt the key (= "No DES encryption")

-x509 tells openssl to output a self-signed certificate

-days 365 specifies how long the certificate will be valid (365 days from now)

 

filename.key.pem is the resulting private key file, filename.cert.pem the resulting certificate file.

 

(see "man req" for more details)

 

The program will ask you some questions. Except for the common name, which MUST be the exact name of the domain you want to use, you may provide any information.

Note that your browser will not be able to verify your certificate and will print a security warning when connecting to your server. If you just want to use the encrypted connection for yourself or just a handful of people who personally know you and can ask you about your certificate, this is the right choice, since it's free :)

 

If you however want to publish your SSL page, you should consider buying a certificate. Instead of generating a self-signed certificate, openssl will generate a so-called certification request, which is your public key together with the information you want to include in your certificate. This request will be sent to some CA provider which will sign the request and send you a valid certificate back. Note: the private key never leaves your machine. You only send them your certificate signing request (CSR).

 

To generate the CSR also use the req command of openssl, just without the -x509 option (and without the -days option, since it would be ignored):

 

openssl req -new -newkey rsa:4096 -keyout filename.key.pem -nodes -out filename.req.pem

 

Then you just send the filename.req.pem file to the CA, wait for the certificate to come back and install it.

 

I hope it's OK to say that I have had good experiences with the certificates offered by www.psw.net. The prices are very cheap and usually you get your certificate within a couple of minutes. But I don't know if they only sell the certificates to German customers or worldwide...

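The following script is an added example for this thread; it is neither Froxlor code nor one of the posters' commands. It ties together Max's two posts above (the key, certificate and optional chain you need, and the openssl req commands for a self-signed certificate and a CSR): it generates a 4096-bit key and self-signed certificate for the hypothetical host example.com, derives a CSR from the same key, and then runs the checks a practitioner would want before pasting the files into Froxlor or sending the CSR to a CA, namely that key, certificate and CSR share one key pair, that the key is at least 2048 bit, that the CN matches the host, and that the certificate has not expired. Two things go beyond the posted commands and are my additions: -subj answers the interactive questions non-interactively, and -addext adds a subjectAltName, which current browsers require in addition to the CN (that option needs OpenSSL 1.1.1 or newer).

```shell
#!/bin/sh
# Added example (not Froxlor code, not the original posters' commands):
# generate key + self-signed cert + CSR for a hypothetical host and verify
# that the three artifacts belong together.
set -eu

SSL_HOST="example.com"              # hypothetical domain; CN and SAN must match what clients request
WORK="${WORK:-$(mktemp -d)}"        # scratch directory for the generated files
KEY="$WORK/$SSL_HOST.key.pem"
CERT="$WORK/$SSL_HOST.cert.pem"
CSR="$WORK/$SSL_HOST.req.pem"

# Self-signed certificate and key in one step: 4096-bit RSA, -nodes leaves the
# key unencrypted so Apache can read it without a passphrase prompt at startup,
# -x509 makes it self-signed, -days 365 sets the validity. -subj replaces the
# interactive questions; -addext adds the subjectAltName browsers look at.
make_selfsigned() {
  openssl req -new -newkey rsa:4096 -nodes -x509 -days 365 \
    -subj "/CN=$SSL_HOST" -addext "subjectAltName=DNS:$SSL_HOST" \
    -keyout "$KEY" -out "$CERT" 2>/dev/null
}

# CSR for a CA: no -x509, no -days. Reuses the key above (-key instead of
# -newkey) so the CA-signed certificate will fit the same private key.
make_csr() {
  openssl req -new -key "$KEY" \
    -subj "/CN=$SSL_HOST" -addext "subjectAltName=DNS:$SSL_HOST" \
    -out "$CSR" 2>/dev/null
}

# SHA-256 of the PEM public key extracted from the key, certificate or CSR.
# Identical output means the artifacts share one key pair.
pubkey_fp() {
  case "$1" in
    key)  openssl pkey -in "$KEY" -pubout 2>/dev/null ;;
    cert) openssl x509 -in "$CERT" -pubkey -noout ;;
    csr)  openssl req  -in "$CSR"  -pubkey -noout ;;
  esac | openssl sha256 | sed 's/^.*= //'
}

# RSA modulus length of the certificate's public key in bits
# (matches both "RSA Public-Key: (n bit)" and "Public-Key: (n bit)").
cert_bits() {
  openssl x509 -in "$CERT" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Common name of the certificate subject.
cert_cn() {
  openssl x509 -in "$CERT" -noout -subject | sed 's/.*CN *= *//'
}

# Succeeds if the certificate will still be valid $1 seconds from now.
cert_valid_for() {
  openssl x509 -in "$CERT" -noout -checkend "${1:-0}" >/dev/null
}

# Generate everything and report the consistency checks as PASS/FAIL lines.
run_checks() {
  make_selfsigned
  make_csr
  k=$(pubkey_fp key); c=$(pubkey_fp cert); r=$(pubkey_fp csr)
  { [ "$k" = "$c" ] && [ "$k" = "$r" ]; } \
    && echo "PASS key, certificate and CSR share one key pair" \
    || echo "FAIL public keys differ"
  [ "$(cert_bits)" -ge 2048 ] \
    && echo "PASS key length is $(cert_bits) bit" \
    || echo "FAIL key shorter than 2048 bit"
  [ "$(cert_cn)" = "$SSL_HOST" ] \
    && echo "PASS CN is $SSL_HOST" \
    || echo "FAIL CN is $(cert_cn)"
  cert_valid_for 86400 \
    && echo "PASS certificate valid for at least one more day" \
    || echo "FAIL certificate expired or expiring"
  echo "files: $KEY $CERT $CSR"
}

run_checks
```

The self-signed certificate is what Lane would paste into the domain's SSL fields for a private test setup; for a public site, hand $SSL_HOST.req.pem to the CA, keep $SSL_HOST.key.pem on the server, and run the same pubkey_fp comparison against the certificate the CA sends back before installing it.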
