IPv6-only virtual server (here: SSL)?

I have only one IPv4 address allocated for the host in question (scarceness is ever-growing), on eth0, but an arbitrary number of IPv6 addresses available, on eth1.

Now, if I want to create a virtual server with SSL website, and to overcome the "only one SSL per address" issue, I want to give it only an IPv6 address, no IPv4... How would I go about that? Am I assuming right that Virtualmin does not support that yet?

Status: 
Closed (fixed)

Comments

No, Virtualmin doesn't support this yet. And even if it did, your SSL sites wouldn't be accessible via IPv4, at least not with valid certs. So unless you are willing to switch to accepting v6-only clients, that isn't a very useful configuration in my opinion...

IPv6-only SSL sites is exactly what I'm trying to experiment with in this case, to start working towards the future. :)

After all, sooner or later, for these use cases, IPv4 will fade out. Probably sooner than later -- current example being my hoster who just now has started charging monthly fees for /27 IPv4 subnets. I.e. it'll become less and less affordable to assign IPs per SSL site.

Come to think of it, Virtualmin will let you create what is effectively an IPv6-only SSL site - just enable a v6 address and the SSL feature, but use a shared v4 address. You will get a warning about a certificate clash on the v4 address, but this can be skipped. As far as I know, the right cert will be used for clients connecting to the v6 address.

Mmmh, okay, I will check that out! Indeed I got that warning, but could skip over it. Thanks for the hint.

Just one possible issue with this: Won't the conflicting cert cause the already existing, and possibly intended, v4 SSL site to become borked?

I'll test it.

As long as the intended IPv4 SSL site was created first, you will be OK.

Ah, this means when VM notices that, when I turn on "SSL website", a cert already exists in another vserver for the shared IP in question, it will skip the cert generation and instruct Apache to use the existing one, with the effect that it does not match the hostname and stuff?

Mmh, I just recalled a method to have Apache use different certs on the same IP... some HTTPS protocol extension that passes in the hostname of the requested web site during the SSL setup. "SNI" it was called... "Server Name Indication".

I think an Apache module was needed for that. Virtualmin does not by chance support that? :) Or maybe you have plans to include it in the future. Especially with diminishing IPv4 space it will probably get more attention.

Not quite - if you create an SSL site on the same IP as an existing SSL site, the cert will only be re-used if it is suitable for both domain names (for example a wildcard cert). Otherwise a new separate cert will be generated.

SNI would solve this issue, but unfortunately not all browsers support it yet.

Okay, yes I see that now.

I just reported another bug... which caused me to look at the settings for the same Apache virtual server, when trying to compare two separate test servers, which quite confused me when evaluating this thing here. ;)

This one here can be considered closed for now.
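
The per-address certificate behaviour discussed in this thread can be checked from a client. The following is an added example, not part of the original thread and not Virtualmin code: it handshakes with each literal IPv4/IPv6 address, with and without SNI, and reports whether the certificate served there covers the site's hostname. The function names are hypothetical, and the `cafile` parameter is an assumption for sites using a self-signed certificate, which must be passed as the trust anchor.

```python
import socket
import ssl
import sys

def cert_covers(cert, hostname):
    """True if a getpeercert()-style dict has a DNS subjectAltName matching hostname."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        # A wildcard is honoured only as the whole leftmost label and spans one label.
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def served_cert(address, hostname, send_sni=True, port=443, cafile=None):
    """Handshake with one literal address and return the certificate dict it presents."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; cert_covers compares the name
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as raw:
        raw.settimeout(10)
        raw.connect((address, port))
        sni = hostname if send_sni else None  # None sends no SNI extension at all
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def report(hostname, addresses, cafile=None):
    """One line per address and SNI mode: does the served cert cover hostname?"""
    lines = []
    for address in addresses:
        for send_sni in (True, False):
            try:
                cert = served_cert(address, hostname, send_sni, cafile=cafile)
                verdict = "match" if cert_covers(cert, hostname) else "MISMATCH"
            except OSError as exc:  # ssl.SSLError is a subclass of OSError
                verdict = f"error: {exc}"
            lines.append(f"{address} sni={send_sni}: {verdict}")
    return lines

if __name__ == "__main__" and len(sys.argv) > 2:
    # usage: script.py HOSTNAME ADDRESS [ADDRESS ...]
    print("\n".join(report(sys.argv[1], sys.argv[2:])))
```

A `MISMATCH` on the shared v4 address together with a `match` on the dedicated v6 address is the outcome the thread predicts for a v6-only SSL site; comparing the `sni=True` and `sni=False` lines shows whether the server selects certificates by name or only by address.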