Configuring mod gnutls so that we can have HTTPS virtual hosts in apache

mod_gnutls allows us to have multiple HTTPS virtual hosts on same physical server with single IP address and multiple domain names. The certificate should be wildcard certificate like for *.iiit.ac.in, so that we can host any hostname with suffix iiit.ac.in with same certificate.

Installing and configuring mod_gnutls on Cent-OS

1. Install libgpg-error from ftp://ftp.gnupg.org/gcrypt/libgpg-error
2. Compile and install libgcrypt from source. Take libgcrypt from ftp://ftp.gnupg.org/gcrypt/libgcrypt
3. rm /usr/lib64/httpd/modules/*tls*
4. cp /usr/lib64/libgnutls* /usr/lib64/httpd/modules/
5. Configure and make mod_gnutls from http://linux.wareseeker.com/download/mod-gnutls-0.2.0.rar/319193. Do not make install
6. cp src/.libs/libmod_gnutls.so /usr/lib64/httpd/modules/
7. cp data/{rsa,dh}file /etc/httpd/conf (Very important step. Do not miss)
8. cd /usr/lib64/httpd/modules/
9. mv libmod_gnutls.so mod_gnutls.so
10. Put LoadModule gnutls_module modules/mod_gnutls.so in /etc/httpd/conf/httpd.conf
11. Put

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

    in /etc/httpd/conf/httpd.conf

12. mkdir -m 0700 /var/cache/mod_gnutls_cache
13. chown apache:apache /var/cache/mod_gnutls_cache
14. Put

    GnuTLSCache dbm "/var/cache/mod_gnutls_cache"
    GnuTLSCacheTimeout 300

    in /etc/httpd/conf/httpd.conf

15. Do configuration in /etc/httpd/conf/httpd.conf for 443 virtualhosts like

    NameVirtualHost *:443
    <VirtualHost *:443>
    ServerAdmin a@b.com
    DocumentRoot /home/test1/html
    ServerName test1.barjatiya.com
    ErrorLog logs/test1.barjatiya.com-error_log
    CustomLog logs/test1.barjatiya.com-access_log common
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/conf/test1.pem
    </VirtualHost>

    where Certificate can be generated using openssl req -new -x509 -days 999 -nodes -out apache.pem -keyout apache.pem

    Do chown root:apache /etc/httpd/conf/httpd.conf and chmod 640 /etc/httpd/conf/httpd.conf so that normal users cannot read httpd.conf file when using virtual hosting

16. Comment VirtualHost setting in /etc/httpd/conf.d/ssl.conf

Working of HTTPS

During a HTTPS communication first a secure channel is established which required exchange of certificates. Since the client has not sent any request yet, server has no idea for which virtual host is the request going to come. Hence only one generic wildcard certificate is returned. After secure channel is established using the wildcard certificate, the client send HTTPS request and server sends HTTPS response. Now based on the domain name present in request appropriate virtual host is contacted and response is sent. Hence we cannot have HTTPS virtual hosts of two different domains on same apache server.

Back to Apache web server configuration