[Freeipa-users] Request for comments - Apache SNI via IPA with kerberos authentication

James Hogarth james.hogarth at gmail.com
Wed Jun 20 11:43:42 UTC 2012


> I'll try and replicate the blog findings in the course of the next couple of
> days .... if it works I'll add it to the wiki ...
>

Set up a test this morning using CentOS 6:
nss-3.13.1-7.el6_2.x86_64
mod_nss-1.0.8-14.el6_2.x86_64

The behaviour was... odd....

SNI itself must have been working as the contents differed depending
on the domain which matched the expectation from the two virtual hosts
however there appears to remain certificate selection issues and/or
issues with respect to the behaviour of the NSS options - only the
last NSSCertificateDatabase seemed to apply rather than be local to a
given VirtualHost (if separating certificate databases) and if in a
common database although Apache reported different nicknamed
certificates in error_log only the first NSSNickname seemed to be used
to obtain the correct certificate...

Set up a similar test on Fedora 17:
nss-3.13.4-3.fc17.x86_64
mod_nss-1.0.8-17.fc17.x86_64

Same behaviour occurred (not that surprising given the versions)....

So the short of it is ignore that blog and Rob is right - mod_nss is
not ready yet... if you want SNI you need mod_ssl (or mod_gnutls)...
if you have FIPS etc requirements or other reasons to use mod_nss then
SNI is not at this time possible if you want valid certificates in
place...

James
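
A check for the symptom James describes, added here as an example and not part of the original thread: probe each virtual host name with `openssl s_client -servername` and compare the certificate subject that comes back against the name requested. The host, port and names are placeholders for your own setup, and the s_client output used for the offline parse is constructed.

```shell
#!/bin/sh
# Added example, not from the mailing list: report which certificate subject a
# TLS server presents for each SNI name. Assumes `openssl` is on PATH.

# Constructed s_client output (not captured from a real server) so the parser
# can be exercised offline.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:/O=EXAMPLE.TEST/CN=www1.example.test
---
subject=/O=EXAMPLE.TEST/CN=www1.example.test
issuer=/O=EXAMPLE.TEST/CN=Certificate Authority'

# Pull the "subject=..." summary line from s_client output. Handles both the
# old "subject=/CN=x" and newer "subject=CN = x" spellings.
extract_subject() {
    sed -n 's/^subject=[[:space:]]*//p' | head -n 1
}

# Return 0 when the served subject mentions the hostname we asked for.
subject_matches() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Network call (not run by the offline test): subject served for one SNI name.
served_subject() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null \
        | extract_subject
}

# Walk every vhost name and flag the ones whose certificate does not match,
# which is the symptom of only one NSSNickname being honoured.
check_sni() {
    host="$1"; port="$2"; shift 2
    rc=0
    for name in "$@"; do
        subj=$(served_subject "$host" "$port" "$name")
        if subject_matches "$subj" "$name"; then
            echo "OK   $name -> $subj"
        else
            echo "FAIL $name -> $subj"; rc=1
        fi
    done
    return $rc
}

# Usage with placeholder values:
# check_sni 192.0.2.10 443 www1.example.test www2.example.test
```

A FAIL line for every name but the first is what the post reports for mod_nss; the same loop run against mod_ssl should print OK for each vhost.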