Traditionally, every SSL certificate issued needed its own separate, unique IP address. However, if you compile OpenSSL and Nginx with TLS SNI (Server Name Indication) support, you can install multiple SSL certificates without binding each domain name to a specific IP address or giving each certificate its own unique IP.
The first thing we need to do is compile OpenSSL with TLS SNI support. We’ll start by downloading the latest source and unpacking it into a temporary directory. For this article I keep all sources in ~/src.
$ cd ~/src
$ wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz
$ tar zxvf ./openssl-0.9.8l.tar.gz
$ cd ./openssl-0.9.8l
We’ll then configure OpenSSL with TLS extensions (which include SNI) enabled, build it, and install it:
$ ./config enable-tlsext
$ make
$ make install
$ cd ..
Assuming the Nginx source also resides in ~/src, you can add the following option to your configure statement when compiling Nginx from source (you can also use an absolute path instead, such as /root/src/openssl-0.9.8l/).
--with-openssl=../openssl-0.9.8l/
Once compiled and installed you can check whether TLS SNI is enabled:
[root@host src]# nginx -V
nginx version: nginx/0.8.31
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-46)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --add-module=/usr/local/lib/ruby/gems/1.9.1/gems/passenger-2.2.5/ext/nginx --pid-path=/usr/local/nginx/logs/nginx.pid --sbin-path=/usr/local/sbin/nginx --with-md5=/usr/lib --with-sha1=/usr/lib --with-http_ssl_module --with-http_realip_module --with-http_gzip_static_module --with-openssl=/root/src/openssl-0.9.8l/
From there you are no longer required to give each SSL-enabled server block its own unique IP. The block doesn’t even have to listen on a specific IP, since Nginx, through OpenSSL’s TLS extensions, now selects which certificate to present based on the server name the client sends in the handshake.
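The following shell script is an added example, not code from the original post: it checks an nginx -V build banner for the "TLS SNI support enabled" line (so the check in the previous section can be scripted) and writes a minimal configuration with two certificates sharing one listen address, which is the setup that SNI makes possible. The hostnames and certificate paths in it are constructed placeholders, and the sample banner is built from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): detect SNI support in an
# "nginx -V" banner and write a two-certificate vhost config on one address.
# Hostnames and certificate paths below are constructed placeholders.

# Sample banner, constructed from the build output shown in the post.
SAMPLE_NGINX_V='nginx version: nginx/0.8.31
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-46)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-openssl=/root/src/openssl-0.9.8l/'

# nginx_has_sni: return 0 when the banner read from stdin reports SNI support.
# nginx prints the banner on stderr, so run it as: nginx -V 2>&1 | nginx_has_sni
nginx_has_sni() {
    grep -q '^TLS SNI support enabled'
}

# write_sni_vhosts OUTFILE: write two SSL server blocks that both listen on
# *:443 with different certificates. Without SNI the second block's certificate
# could never be selected; with SNI, nginx picks the block whose server_name
# matches the name the client sent in the ClientHello.
write_sni_vhosts() {
    out="$1"
    cat > "$out" <<'EOF'
# constructed example: two certificates on one address, selected by SNI
server {
    listen 443 ssl;
    server_name example-one.test;                              # placeholder
    ssl_certificate     /etc/nginx/ssl/example-one.test.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example-one.test.key;   # placeholder path
}
server {
    listen 443 ssl;
    server_name example-two.test;                              # placeholder
    ssl_certificate     /etc/nginx/ssl/example-two.test.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example-two.test.key;   # placeholder path
}
EOF
}

# count_ssl_certs FILE: number of ssl_certificate directives in FILE, i.e. how
# many distinct certificates the generated config serves.
count_ssl_certs() {
    grep -c '^[[:space:]]*ssl_certificate[[:space:]]' "$1"
}

# Stand-alone run: check the installed nginx if present, else the sample banner.
if command -v nginx >/dev/null 2>&1; then
    if nginx -V 2>&1 | nginx_has_sni; then
        echo "installed nginx: SNI enabled"
    else
        echo "installed nginx: SNI NOT enabled (rebuild with --with-openssl and enable-tlsext)"
    fi
else
    if printf '%s\n' "$SAMPLE_NGINX_V" | nginx_has_sni; then
        echo "sample banner: SNI enabled"
    fi
fi
```

After writing the config with write_sni_vhosts, you can confirm from a client which certificate a given name receives with openssl s_client -connect host:443 -servername example-one.test; a client that omits -servername (or, as noted below, one that cannot send SNI) will be handed the certificate of the first server block on that address.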
Note that Windows XP clients do not support SNI.
Hey, Tim, SNI works great on Windows XP with Opera and Firefox!!!