Server Name Indication
Server Name Indication (SNI) support for IBM® HTTP Server allows you to select the server certificate based on the SNI extension that TLS clients send. It does not allow you to take other handshake-related settings from a name-based virtual host; only the certificate is selected per name.
Definitions for SNI
- Each virtual host with a matching address-spec, such as "*:443", forms a name-based virtual host group.
- The first listed virtual host in a name-based virtual host group is the default virtual host.
Requirements for SNI
- The default virtual host must specify the SNI argument to the SSLServerCert directive.
- Only virtual hosts with a single address-spec (such as "*:443") can participate in SNI.
- Non-default virtual hosts in a name-based virtual host group must not contain directives from this module other than SSLServerCert.
- "invalid" is a reserved server name. Virtual hosts must not specify "ServerName invalid".
Forms of SNI
There are two forms of SNI:
- In the first form of SNI, only a single virtual host is used, and the SSLSNIMap directive maps host names to certificate labels. The same host name may be mapped more than once (for example, to an RSA and an ECC certificate):

    <virtualhost *:443>
    ServerName example.com
    SSLEnable
    SSLServerCert SNI default
    SSLSNIMap a.example.com sni1-rsa
    SSLSNIMap a.example.com sni1-ecc
    SSLSNIMap b.example.com sni2
    </virtualhost>
- In the second form of SNI, a series of virtual hosts is created, and the mapping from host names to certificate labels is given by ServerName, non-wildcard ServerAlias, and SSLServerCert. The first virtual host listed for the address-spec is the default and carries the SNI argument:

    <virtualhost *:443>
    ServerName example.com
    SSLEnable
    SSLServerCert SNI
    </virtualhost>

    <virtualhost *:443>
    ServerName a.example.com
    SSLEnable
    SSLServerCert sni1
    </virtualhost>

    <virtualhost *:443>
    ServerName b.example.com
    ServerAlias other.example.com
    SSLEnable
    SSLServerCert sni2
    </virtualhost>
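Because a misconfigured group silently falls back to the default certificate (a name that is not mapped, or a non-default host that carries extra SSL directives, gives no startup error that this page describes), it helps to lint the configuration against the rules above before loading it. The checker below is an added example written for this page, not IBM HTTP Server code; it models only the rules the page states (one address-spec per participating host, the first-listed host as default, the SNI argument on the default host's SSLServerCert, only SSLServerCert in non-default hosts, and the reserved name "invalid"). It assumes a plain httpd.conf text with `<VirtualHost>` blocks and, because the page's second example keeps SSLEnable in non-default hosts, tolerates SSLEnable there (an assumption). The sample configurations are constructed for the test.

```python
"""Lint httpd.conf-style virtual hosts against the SNI rules stated on this page.
Example checker, not IBM HTTP Server code; it only knows the rules listed above."""
import re
from dataclasses import dataclass, field


@dataclass
class VHost:
    """One <VirtualHost> block: its address-specs, start line and (name, args) directives."""
    address_specs: list
    lineno: int
    directives: list = field(default_factory=list)


_OPEN = re.compile(r"^<virtualhost\s+([^>]+)>$", re.IGNORECASE)
_CLOSE = re.compile(r"^</virtualhost>$", re.IGNORECASE)


def parse_vhosts(text):
    """Collect <VirtualHost> blocks in listing order; directive names are lower-cased."""
    vhosts, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            current = VHost(opened.group(1).split(), lineno)
        elif _CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None:
            name, *args = line.split()
            current.directives.append((name.lower(), args))
    return vhosts


def _has_sni_argument(directives):
    """True if any SSLServerCert line in the block carries the SNI argument."""
    return any(name == "sslservercert" and any(a.lower() == "sni" for a in args)
               for name, args in directives)


def check_sni(text):
    """Return human-readable rule violations; an empty list means the config passes."""
    problems = []
    groups = {}  # address-spec -> virtual hosts sharing it, in listing order
    for vh in parse_vhosts(text):
        for name, args in vh.directives:
            if name == "servername" and args and args[0].lower() == "invalid":
                problems.append(f"line {vh.lineno}: 'invalid' is a reserved server name")
        if len(vh.address_specs) != 1:
            # A host with several address-specs cannot participate in SNI at all.
            uses_sni = _has_sni_argument(vh.directives) or any(
                name == "sslsnimap" for name, _ in vh.directives)
            if uses_sni:
                problems.append(f"line {vh.lineno}: SNI directives on a host with "
                                f"{len(vh.address_specs)} address-specs")
            continue
        groups.setdefault(vh.address_specs[0].lower(), []).append(vh)

    for spec, members in groups.items():
        default, others = members[0], members[1:]  # first listed host is the default
        maps_names = any(name == "sslsnimap" for name, _ in default.directives)
        if (others or maps_names) and not _has_sni_argument(default.directives):
            problems.append(f"line {default.lineno}: default host for {spec} lacks "
                            "the SNI argument to SSLServerCert")
        for vh in others:
            for name, _ in vh.directives:
                # SSLEnable is tolerated here because the page's second example uses it
                # in non-default hosts (assumption); any other SSL* directive is flagged.
                if name.startswith("ssl") and name not in ("sslservercert", "sslenable"):
                    problems.append(f"line {vh.lineno}: non-default host for {spec} "
                                    f"uses {name} (only SSLServerCert is allowed)")
    return problems


# Constructed sample configurations mirroring the two forms on this page.
GOOD_FORM_ONE = """<virtualhost *:443>
ServerName example.com
SSLEnable
SSLServerCert SNI default
SSLSNIMap a.example.com sni1-rsa
SSLSNIMap a.example.com sni1-ecc
SSLSNIMap b.example.com sni2
</virtualhost>
"""

GOOD_FORM_TWO = """<virtualhost *:443>
ServerName example.com
SSLEnable
SSLServerCert SNI
</virtualhost>
<virtualhost *:443>
ServerName a.example.com
SSLEnable
SSLServerCert sni1
</virtualhost>
"""

# Constructed config that breaks four of the rules: default host without the SNI
# argument, reserved ServerName, SSLSNIMap in a non-default host, two address-specs.
BAD_CONFIG = """<VirtualHost *:443>
ServerName example.com
SSLEnable
SSLServerCert default
</VirtualHost>
<VirtualHost *:443>
ServerName invalid
SSLEnable
SSLServerCert sni1
SSLSNIMap other.example.com sni9
</VirtualHost>
<VirtualHost *:443 *:8443>
ServerName c.example.com
SSLEnable
SSLSNIMap c.example.com sni3
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("form one", GOOD_FORM_ONE), ("form two", GOOD_FORM_TWO),
                       ("broken", BAD_CONFIG)):
        print(label, check_sni(cfg) or "OK")
```

Run it against a real httpd.conf by reading the file into `check_sni`; each reported line number points at the `<VirtualHost>` line of the offending block, which is where the page's requirements are decided (address-spec and listing order).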