Bug 1295490

Summary: [RFE] Add server-side Server Name Indication (SNI) support
Product: Red Hat Enterprise Linux 6 Reporter: Robert Bost <rbost>
Component: mod_nssAssignee: Matthew Harmsen <mharmsen>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: high Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: high    
Version: 6.6CC: akasurde, aogburn, arubin, brian, cww, dpal, emaldona, eparis, jorton, kengert, mharmsen, mhernon, nkinder, qe-baseos-security, rbost, rcritten, rrelyea, salmy
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: mod_nss-1.0.10-5.el6 Doc Type: Release Note
Doc Text:
mod_nss now supports server-side SNI This update adds server-side Server Name Indication (SNI) support to the *mod_nss* package.
 Story Points: ---
Clone Of: 1053327
: 1400745 (view as bug list) Environment:
Last Closed: 2016-05-10 19:41:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1053327    
Bug Blocks: 101652    
Attachments:
Description Flags
Configuration file diff to add an SNI virtualhost
none
console.log none

Comment 10 Matthew Harmsen 2016-01-19 04:19:57 UTC 
I applied the patches and configuration file changes per the procedure in the email, and built and installed the SNI-aware mod_nss.

I returned the email with more "verbose" instructions to make it easier for developers and QE to replicate the test.

If the question regarding the two "HTTP/1.1 403 Forbidden" errors are the expected error codes for the two examples, then ACK.
Comment 11 Rob Crittenden 2016-01-19 15:45:22 UTC 
Instructions for testing.

Set up a separate location to serve the SNI data:

# mkdir /var/www/sni1
# vi /var/www/sni1/index.html
<html>
<body>
<h1>SNI Works!</h1>
</body>
</html>

Create basic content for the web server:

# vi /var/www/html/index.html
<html>
<body>
<h1>Welcome to Apache</h1>
</body>
</html>

Update /etc/hosts and add in www1.example.com and www2.example.com as an alias for your host IP (or use DNS if you'd rather).

# service httpd stop

Generate a new cert. You can add -z </path/to/some/file> to not require user interaction:

# certutil -d /etc/httpd/alias -S -n "Server-Cert-www1.example.com" -s "CN=www1.example.com,O=example.com,C=US" -c "cacert" -t "u,u,u" --nsCertType sslServer --keyUsage keyEncipherment -8 www1.example.com

Create a PEM copy of the CA:
# certutil -d /etc/httpd/alias -L -n cacert -a > /etc/httpd/alias/ca.pem

Apply the attached diff to /etc/httpd/conf.d/nss.conf to add in the SNI configuration.

# service httpd start

Test basic SSL support:

# curl --cacert /etc/httpd/alias/ca.pem -v https://`hostname`:8443/

Your output should be a 200 status and contain "Welcome to Apache"

Logs should be something like:

[date] [debug] nss_engine_init.c(1883): SNI: Found nickname Server-Cert for vhost: somehost
[date] [debug] nss_engine_init.c(1905): SNI: Successfully paired vhost somehost with nickname: Server-Cert
[date] [debug] nss_engine_kernel.c(93): SNI request for somehost

Test SNI:

# curl --cacert /etc/httpd/alias/ca.pem -v https://www1.example.com:8443/

Your output should be a 200 status and contain "SNI Works!"

Logs should be something like:

[date] [debug] nss_engine_init.c(1883): SNI: Found nickname Server-Cert-www1.example.com for vhost: www1.example.com
[date] [debug] nss_engine_init.c(1905): SNI: Successfully paired vhost www1.example.com with nickname: Server-Cert-www1.example.com

Test an SNI request for a VH that isn't configured:

# curl -kv https://www2.example.com:8443/

You should get "Welcome to Apache" as it should fall back to the default VH.

Logs should look something like:

[date] [debug] nss_engine_init.c(1860): SNI: No matching SSL virtual host for servername www2.example.com found (using default/first virtual host)
[date] [debug] nss_engine_kernel.c(93): SNI request for www2.example.com
[Tue Jan 19 10:35:04 2016] [info] Initial (No.1) HTTPS request received for child 4 (server somehost:8443)

Most of the SNI-related logging with SNI: so it should be easy to pull out of the logs
Comment 12 Rob Crittenden 2016-01-19 15:46:14 UTC 
Created attachment 1116259 [details]
Configuration file diff to add an SNI virtualhost
Comment 14 Abhijeet Kasurde 2016-02-18 08:52:16 UTC 
Verified using mod_nss version::
mod_nss-1.0.10-5.el6.x86_64

See attachment for steps and console log.
Comment 15 Abhijeet Kasurde 2016-02-18 08:52:50 UTC 
Created attachment 1128165 [details]
console.log
Comment 22 errata-xmlrpc 2016-05-10 19:41:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0751.html