Server Name Indication

You can configure a separate certificate label with Server Name Indication (SNI) support for IBM HTTP Server, based on the hostname requested by the client. The configuration can be done either by defining name-based SSL virtual hosts or by using the SSLSNIMap directive. You cannot use other handshake-related settings from a name-based virtual host with SNI.

Definitions for SNI

  • Each virtual host with a matching address-spec, such as "*:443", forms a name-based virtual host group.
  • The first listed virtual host in a name-based virtual host group is the default virtual host.

Requirements for SNI

  • The default virtual host must specify the SNI argument to the SSLEnable directive.
  • Only virtual hosts with a single address-spec (such as "*:443") can participate in SNI.
  • Non-default virtual hosts should not contain SSL directives other than SSLServerCert, SSLEnable, and KeyFile. The SSL handshake is performed entirely according to the directives specified in the default virtual host; only the certificate selection is informed by the SSLServerCert directive in the non-default virtual hosts.

    Other SSL directives that affect the SSL handshake have no effect on it when specified in non-default virtual hosts. Some SSL directives take effect after the handshake, during request processing; those aspects of a directive remain effective in a non-default virtual host.

    If the KeyFile directive is not specified in the global scope, each non-default virtual host must specify KeyFile, even though it has no effect on the SSL handshake there, and its value should match the KeyFile value specified in the default virtual host.

Forms of SNI
There are two forms of SNI:
  1. In the first form of SNI, only a single virtual host is used, and the SSLSNIMap directive is used to map between host names and certificate labels.
    <virtualhost *:443>
      ServerName example.com
      SSLEnable SNI
      SSLServerCert default
      SSLSNIMap a.example.com sni1-rsa
      SSLSNIMap a.example.com sni1-ecc
      SSLSNIMap b.example.com sni2
    </virtualhost>
  2. In the second form of SNI, a series of virtual hosts are created, and the mapping from hostnames to certificate labels is made via ServerName, non-wildcard ServerAlias, and SSLServerCert.
    <virtualhost *:443>
      ServerName example.com
      SSLEnable SNI
    </virtualhost>
    <virtualhost *:443>
      ServerName a.example.com
      SSLEnable
      SSLServerCert sni1
    </virtualhost>
    <virtualhost *:443>
      ServerName b.example.com
      ServerAlias other.example.com
      SSLEnable
      SSLServerCert sni2
    </virtualhost>
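As an added check that is not part of the IBM HTTP Server documentation or product, the following Python script lints an httpd.conf fragment against the SNI requirements listed above (single address-spec, SSLEnable SNI on the default host, only SSLServerCert/SSLEnable/KeyFile in non-default hosts, matching KeyFile when none is set globally). The sample configuration, key database path, and the deliberate violations in the last host are constructed for illustration.

```python
import re
ALLOWED_NON_DEFAULT = {"sslservercert", "sslenable", "keyfile"}  # permitted in non-default hosts
# Constructed sample (second form above); the last host carries two deliberate violations.
SAMPLE_CONF = """
<VirtualHost *:443>
  ServerName example.com
  KeyFile /opt/IBM/HTTPServer/ssl/key.kdb
  SSLEnable SNI
</VirtualHost>
<VirtualHost *:443>
  ServerName a.example.com
  KeyFile /opt/IBM/HTTPServer/ssl/key.kdb
  SSLEnable
  SSLServerCert sni1
</VirtualHost>
<VirtualHost *:443>
  ServerName b.example.com
  SSLEnable
  SSLServerCert sni2
  SSLProtocolDisable TLSv10
</VirtualHost>
"""

def parse_vhosts(conf):
    # Yield (address_specs, [(directive_lowercased, argument), ...]) for each <VirtualHost>.
    for m in re.finditer(r"<virtualhost\s+([^>]+)>(.*?)</virtualhost>", conf, re.I | re.S):
        lines = (ln.strip() for ln in m.group(2).splitlines())
        pairs = [ln.partition(" ") for ln in lines if ln and not ln.startswith("#")]
        yield m.group(1).split(), [(n.lower(), a.strip()) for n, _, a in pairs]

def check_sni(conf, global_keyfile=None):
    """Return the SNI requirement violations found in an httpd.conf fragment."""
    problems, groups = [], {}
    for specs, directives in parse_vhosts(conf):
        if len(specs) != 1:  # only single address-spec hosts can participate in SNI
            problems.append(f"<VirtualHost {' '.join(specs)}>: multiple address-specs cannot use SNI")
            continue
        groups.setdefault(specs[0].lower(), []).append(directives)
    for spec, members in groups.items():  # first host listed per address-spec is the default
        default, others = dict(members[0]), members[1:]
        uses_sni = "sslsnimap" in default or any("sslenable" in dict(o) for o in others)
        if uses_sni and default.get("sslenable", "").upper() != "SNI":
            problems.append(f"{spec}: default virtual host must use 'SSLEnable SNI'")
        for i, other in enumerate(others, start=2):
            for name, _ in other:
                if name.startswith("ssl") and name not in ALLOWED_NON_DEFAULT:
                    problems.append(f"{spec} host #{i}: {name} has no effect on the handshake here")
            if global_keyfile is None and dict(other).get("keyfile") != default.get("keyfile"):
                problems.append(f"{spec} host #{i}: KeyFile must be set and match the default host")
    return problems
```

Pass the globally configured KeyFile as global_keyfile when one exists, since the per-host KeyFile requirement only applies without it.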