Yesterday, somewhat out of the blue, I happened to remember SNI (Server Name Indication), the TLS extension that lets a web server use name-based virtual hosts on HTTPS connections: the client sends the host name it wants during the handshake, so the server can pick the matching certificate before it ever sees an HTTP Host header. I have just such a web server here at home. It serves a few domains with a single certificate that carries Subject Alternative Names for each of them (not really self-signed: it is signed by my own CA certificate, which is installed on the machines that need it, which works out much better than the average self-signed certificate and is really simple to do). That has worked fine, and continues to do so for the most part, for most of the hosts. On the other hand, now being a college student and taking a course with a fair amount of lab time, it gets annoying to have to click through certificate exceptions for the host I'm most likely to visit. So I started thinking about free SSL certificates and enabling Apache to use SNI; the browsers I use (mainly Firefox) already support it, I was just lacking support on the server side.
Stock OpenSSL 0.9.8 builds don't include SNI support out of the box; 0.9.9 supposedly will, but I was in an immediate-gratification mood and didn't want to wait any longer. Fortunately, for 0.9.8f and newer it's a compile-time option, enable-tlsext, passed to the Configure script (on Windows, perl Configure VC-WIN32 enable-tlsext). I had thought it was already enabled by default, though.
mod_ssl in Apache 2.2 doesn't have support yet either. There is a patch, which has been committed to trunk, and a backport written for 2.2 and 2.0, but neither has made it into a release (presumably, once OpenSSL 0.9.9 is out, it will land in 2.2 and Apache will support SNI out of the box, but that's speculation on my part only).
So, having prior experience compiling Apache modules on Windows, I decided to dust off my VC6 build environment and set out to conquer.
Compiling OpenSSL is actually not hard; the instructions included with the source in the INSTALL.W32 file are excellent, and aside from having to track down an assembler, since my copy of VC6 Standard lacks MASM (ml.exe), it was painless. For the assembler I used NASM. (As an aside, it being a cold morning of only 11F with a high expected around 35F, compiling kept me warm for a while. 🙂)
On the Apache side, the included VC6 project files are quite nice, and after adding the library and include paths for my newly compiled OpenSSL distribution (oops), the patched mod_ssl compiled easily. It helps when one is comfortable with the way the Apache workspace and project files work and selects the right active configuration (mod_ssl - Win32 Release) the first time. Things went smoothly enough that I also compiled an updated apr_dbd_mysql-1.dll from the updated Apache source while I was there.
Testing was interesting and fun, and, shockingly, worked without a problem. If you want to test your browser for SNI, I definitely recommend visiting https://sni.velox.ch/, who are kind enough not only to host a test site for clients but also to publish the Apache directives from their own configuration. Once my tests with my own CA-signed certificates worked out, I got a free StartCom certificate for the site in need. By then it was too late to set all this up in production; I learned a while ago that nobody should make major changes to an Apache server after being up for over 12 hours on three hours of sleep or less. That waited until today, when I moved the newly compiled libraries into place, updated the configuration, and voila: the site in question now has a "real" certificate signed by a root that browsers trust by default.
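For readers who want to see what the configuration change looks like, here is the shape of a name-based HTTPS setup for Apache 2.2 with an SNI-capable mod_ssl. This is an added example, not the original post's configuration and not the directives published by sni.velox.ch; the host names, paths and file names are assumptions for illustration.

```apache
# Added example: two name-based virtual hosts on one IP:443, each with its
# own certificate. This only works once both mod_ssl (the patched 2.2.11
# built above, or 2.2.12 and later) and OpenSSL (0.9.8f+ built with
# enable-tlsext) support SNI. Host names and paths are assumptions, not
# the author's real configuration.
Listen 443
NameVirtualHost *:443

# The first vhost is the default: clients that send no SNI (or an unknown
# name) are served this certificate, so put the most widely valid one here.
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot "C:/Apache2.2/htdocs/example.org"
    SSLEngine on
    SSLCertificateFile      "C:/Apache2.2/conf/ssl/example.org.crt"
    SSLCertificateKeyFile   "C:/Apache2.2/conf/ssl/example.org.key"
    # Intermediate certificate(s) supplied by the CA that issued the cert
    SSLCertificateChainFile "C:/Apache2.2/conf/ssl/ca-intermediate.crt"
</VirtualHost>

# Reached only by clients that name it via SNI.
<VirtualHost *:443>
    ServerName intranet.example.org
    DocumentRoot "C:/Apache2.2/htdocs/intranet"
    SSLEngine on
    # Signed by a private CA like the one described in the post; fine for
    # clients that have that CA installed, and never shown to SNI-less clients.
    SSLCertificateFile    "C:/Apache2.2/conf/ssl/intranet.example.org.crt"
    SSLCertificateKeyFile "C:/Apache2.2/conf/ssl/intranet.example.org.key"
</VirtualHost>
```

With a mod_ssl that lacks SNI, the same file still loads, but Apache warns in the error log about an "SSL server IP/port conflict" and hands every name the first vhost's certificate, which is exactly the certificate mismatch the post set out to remove. To check the result from the client side, compare `openssl s_client -connect <host>:443 -servername intranet.example.org` with the same command without `-servername` (the option exists in tlsext-enabled 0.9.8f and later): the subject of the returned certificate should differ between the two runs. Apache 2.2.12 and later also add `SSLStrictSNIVHostCheck on`, which refuses non-SNI clients instead of silently serving them the default vhost.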
So, as I have each time I've labored away at compiling something, I'm posting the results for those of you who don't (or can't) compile yourself. All of these files were compiled with Visual C++ 6 and will drop right into the standard Apache installation on Windows.
- OpenSSL 0.9.8j with tlsext enabled (includes the libraries and headers needed to compile applications against it; for Apache you only need libeay32.dll and ssleay32.dll, and openssl.cnf/openssl.exe are optional)
- mod_ssl 2.2.11 with the SNI patch applied.
- And lastly, unrelated to SNI, an updated copy of apr_dbd_mysql-1.dll from apr-util 1.3.4 (as provided with the Apache 2.2.11 sources), which compiled without any problems this time.
You can find all of these files, as well as any future updates, on my new downloads page, along with a SHA-1 hash of each, since we are dealing with potentially sensitive files for your web server (a hash published next to the download catches a corrupted transfer; it does not prove the file wasn't tampered with if the page itself was). I can't guarantee they will work for you, and probably can't help if something goes horribly wrong; they're provided only in the hope that they'll be useful.