
View Poll Results: Do you want to see/have more/full support of SNI, SSL in cPanel ?

Voters: 74
  • Yes: 39 (52.70%)
  • Yes, more options & support: 31 (41.89%)
  • No: 4 (5.41%)
  1. #1
    Registered User
    Join Date
    Jun 2008
    Posts
    2

    [Case 46856] SNI ( Server Name Indicator ), SSL support in cPanel

    Discussion on SNI, SSL, HTTPS, IP address, etc and
    Poll : Do you want to see/have full/more support of SNI, SSL in cPanel ?
    * Yes
    * Yes, More Options
    * No

    Does cPanel support SNI ( Server Name Indicator ) ( it's a TLS extension, mod_gnutls ) ?

    SNI allows a hosting server to use/share only 1 IP address to host hundreds of virtual hosts each with its own SSL certificates.

    Usually SSL implementation (like, for delivering content through HTTPS Secured Web Pages) is done for each virtual host by binding it with one dedicated/unique IP address.

    Improvement of this feature will help us to provide & implement SSL certificate for each virtual host, by using only 1 shared IP address, is a great way to reduce the need of extra IPs, thus saving the cost of dedicated IP, and by also improving the overall whole package.

    How much SNI support does cPanel currently have ?

    Below are some related links :
    SSL-enabled Name-based Apache Virtual Hosts with mod_gnutls :
    http://www.g-loaded.eu/2007/08/10/ss...th-mod_gnutls/.
    How to use SNI : http://fedoranews.org/cms/node/2875.
    How To Enable Multiple HTTPS Sites For One IP On Debian Etch Using TLS
    Extensions : http://howtoforge.com/enable-multipl...on-debian-etch.
    Paul found a way to use mod_gnutls for implementing TLS SNI : http://journal.paul.querna.org/artic...ion/?postid=70.
    TLS upgrade : http://corelands.com/blog/?postid=51.
    mod_ssl : http://httpd.apache.org/docs/2.1/mod...html#sslengine.
    mod_gnutls : http://www.outoforder.cc/projects/apache/mod_gnutls/ .
    SNI (Server Name Indication) : RFC-3546 section 3.1 :
    http://www.ietf.org/rfc/rfc3546.txt.

    Anyone else have other links related with SNI implementation ?

    Thanks.
    ~ Emdy Ash. (06/19/2008,1:59PM,Thu,PST).
    Last edited by Emdy; 06-19-2008 at 07:19 PM.

  2. #2
    cPanel Development cpanelkenneth's Avatar
    Join Date
    Apr 2006
    Posts
    3,782
    cPanel/Enkompass Access Level

    Root Administrator


    This won't happen at least until all the major browsers actually support SNI.

  3. #3
    Registered User
    Join Date
    Jun 2008
    Posts
    2


    Hi kenneth,

    These have support for SNI already :
    * Opera supports this since 7.60, Technical Preview 1 : http://my.opera.com/community/dev/tp/760/tls11/info/
    * Microsoft Internet Explorer supports it as of IE7 Beta 2 (only for Windows Vista, not for Windows XP) : http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx
    * Firefox does support it since Firefox 2.0 (bug 116169). Support in the underlying nss library client is present since 2006, see bug 116168 for details.
    * Konqueror should support it in 4.0 (bug 122433)
    * Safari: A webkit bug on OpenDarwin was filed (http://nikolasco.livejournal.com/343541.html) but closed invalid as this has to be implemented in Apple's libfoundation (OpenDarwin Bug 9502, not accessible any more due to OpenDarwin's shutdown). The Apple Radar bug number for this should be 4591827, but this bug is not accessible by the general public so the status of it remains unknown.

    It should still be implemented as an option at least, as very soon all of them will support it completely.

    If you're not prepared from now, you will be left behind, and you already are.
    Please give it urgency.
    ~ Emdy Ash. (06/24/2008,7:30PM,Tue,PST).

  4. #4
    Member SageBrian's Avatar
    Join Date
    Jun 2002
    Location
    NY/CT (US)
    Posts
    386


    Originally posted by Emdy:
        Hi kenneth,
        These have support for SNI already :
        * Microsoft Internet Explorer supports it as of IE7 Beta 2 (only for Windows Vista, not for Windows XP) : http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx

    There's the big one. IE.
    Besides the lingering bunch of IE6 people, the bigger issue is Vista.
    If IE7 only supports it in Vista, and not XP, then we have a large base of XP users who are not going to upgrade to Vista.

    I love the concept of SNI (without reading any of the info on it), but would it be just a quick patch until we finally switch to IPv6?

  5. #5
    cPanel Development cpanelkenneth's Avatar
    Join Date
    Apr 2006
    Posts
    3,782
    cPanel/Enkompass Access Level

    Root Administrator


    There are several problems with SNI, which we have been monitoring for a while. The browser problem is just one. If less than 25% of the installed browser base cannot support SNI then that is a major issue. Of the ones provided above, there is little mention of embedded browsers.

    Another is lack of support for SNI in the OpenSSL install base. While OpenSSL 0.9.8 does have support for SNI in certain versions, that is of little consolation if a significant portion of the install base cannot make use of it since the OS Vendor does not provide the version needed. GnuTLS is simply not suitable for deployment, due to performance issues, on very busy sites/servers.

    There are other issues beyond the two mentioned above. We will continue to monitor the landscape for SNI deployment possibilities.

  6. #6
    Member
    Join Date
    May 2006
    Posts
    19


    Yeah, SNI or something almost seems required now. IE under Vista and Firefox 3 now completely block you from accessing an SSL secured site if the domain on the certificate doesn't match the one you are trying to access, and if your sites are name-based, then that means you're pretty much boned, it seems.

    Under Firefox 3 at least it has a link right there to "add an exception," but only with a lot of big scary "get me out of here!" messages and warnings. And under Vista I don't even know how to allow an exception.

    Your average casual user who doesn't understand how this works probably isn't going to do any of that, unless you hold each one's hand and walk them through it, telling them that "yes, even though your browser says if you click there kittens will die and the world will explode, go ahead and click it and say yes."

    Or am I missing something and is there a way I can install a domain-specific SSL cert for a name-based domain, so that the browsers will allow users into their cpanels and webmail?

  7. #7
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator


    Originally posted by JamieW:
        ...

        Or am I missing something and is there a way I can install a domain-specific SSL cert for a name-based domain, so that the browsers will allow users into their cpanels and webmail?

    In Tweak Settings you can set the option for "When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to:" to "SSL Certificate name."

    For similar options, look at the adjacent settings in Tweak Settings.

    As for installing a SSL Certificate for cpsrvd (the daemon that serves cPanel, WHM and Webmail), go to WHM -> Service Configuration -> Manage Service SSL Certificates and for cPanel/WHM/Webmail click on the "Install new Certificate" link.

    I'm not sure if this is precisely what you were looking for, but just thought I'd give a heads up on this functionality.

  8. #8
    Member
    Join Date
    May 2006
    Posts
    19


    Thanks for the info, David.

    The first one for mine was already set to "SSL Certificate name."
    The other option you gave seems to only allow me to replace the one there, not add more for each domain.

    What I have is say domain1.com, domain2.com, domain3.com, all name-based with the same IP address.
    If I set the security cert to match correctly for domain1.com, then when someone logs in for domain2.com or domain3.com, they get an error saying the cert is invalid because it's for domain1.com, not the one they're logging in on.

    What I need is a way to have self-signed certs for each name-based domain, but cpanel says I have to have an IP-based one to install a cert.

    When a cert is requested, can the server tell what domain it is being asked for (like the way when a web page is asked for, it knows what domain to look up)? If so, then perhaps multiple certs can be saved on the server for a given IP, and if one matches what's being requested, serve that one, or else serve the default one.

    Mainly I just want some way for my clients with name-based sites to be able to access their secure cpanel, webmail, and such without being blocked.

  9. #9
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator


    Well, keep in mind, SSL certificates are bound to a single IP address. You cannot have multiple SSL certificates bound to one IP address, it simply doesn't work.

    I recommend acquiring a SSL certificate for your hostname and redirecting users to the hostname for logging into their cPanel/WHM/Webmail interfaces via SSL.

    SNI, which was mentioned in the original post, is not supported at this time and is not widely used as noted by the lack of browser support.

  10. #10
    Member
    Join Date
    Jun 2009
    Posts
    14

    Update?

    Is there an update on the SNI idea for cPanel or are we still waiting on more browser and OpenSSL support?

  11. #11
    Member
    Join Date
    Sep 2008
    Posts
    19


    And another year passed... SNI supported yet or will be soon?

  12. #12
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator


    Originally posted by micho101:
        And another year passed... SNI supported yet or will be soon?

    Unfortunately, it seems that even as it's been almost 2 years since Kenneth's posts above, many of the complicating factors remain.

    Even with CentOS 5.4, it uses OpenSSL 0.9.8e. Unfortunately, 0.9.8f is required for SNI support server-side.

    On the client side, MSIE 6 doesn't support SNI according to https://sni.velox.ch. While MSIE 6 usage is down to ~9% according to W3Counter - Global Web Stats, another complicating factor is Windows XP (under which many browsers do not support SNI according to https://sni.velox.ch) remains in use by ~53% of folks according to W3Counter - Global Web Stats.

    Overall, this is still a solution that wouldn't be available to many of those accessing websites on a cPanel/WHM server. We will continue monitoring the landscape as browsers that do not support SNI are no longer used and server operating systems begin supporting versions of OpenSSL that support SNI.

  13. #13
    Registered User
    Join Date
    Oct 2009
    Posts
    4


    We would definitely like to have the capability for name-based virtual hosts to have ssl, although I was not aware of the 0.9.8e issue, which would still be a problem for the rh/centos environment. But the client-side really has never been an issue, because many site developers don't hesitate to simply declare that anyone visiting a site needs the very latest browser/flash/java/whatever.

    I don't know the answer to this, but what happens if you access a site with the extensions for domain-based hosting and ssl? Just the usual certificate warning? Or something else?

    Paul

  14. #14
    cPanel Development cpanelkenneth's Avatar
    Join Date
    Apr 2006
    Posts
    3,782
    cPanel/Enkompass Access Level

    Root Administrator


    Originally posted by tibbitts:
        But the client-side really has never been an issue, because many site developers don't hesitate to simply declare that anyone visiting a site needs the very latest browser/flash/java/whatever.

    If there is any truth to the list in the wikipedia article on SNI (Server Name Indication - Wikipedia, the free encyclopedia), it looks like Opera and Firefox work with SNI on Windows XP. IE, Chrome and Safari don't, on Windows XP. That's news to me.
    Kenneth
    Product Manager
    cPanel, Inc.

  15. #15
    Member
    Join Date
    Jul 2010
    Posts
    12

    Due to lack of support maybe in the future.

    I say due to lack of current browser base support it would be a good idea in the future but not now.
