SSL, IP addresses, and ports

This follow-up to my post about SSL and IP addresses covers using SSL with multiple ports on the same IP address. We often use alternate port numbers to provide test versions of a host or application, since just changing the port number keeps the ServerName the same.

It’s very straightforward to set up Apache with an alternate port number by telling Apache to listen on the alternate port. If you’re going to use port 444, httpd.conf should contain:

Listen 444

after which you can duplicate your SSL <VirtualHost> block with one which contains :444 instead of :443. You should also make any necessary changes within the block to make the two virtual hosts act as you desire; changing DocumentRoot is a common one. If you are using multiple virtual servers on the alternate port (and the same IP address), you’ll need to use NameVirtualHost hostname:444 to let Apache know, but since only one certificate can be presented on a given IP/port combination, at least one of the virtual hosts will receive an SSL certificate error.

Using multiple ports is one way to use different SSL certificates on the same IP address. This works because different certs will be bound to the two IP/port combinations. The URLs would look like:

https://www.a.com/
https://www.b.com:444/

If you connect to https://www.a.com:444/ or to https://www.b.com/ on the default port 443, you will receive the SSL certificate mismatch dialog box, because the certificate bound to that IP/port combination carries the other host’s name.
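The configuration the post describes, written out as an added example (not taken from the original post): one IP address, with port 443 serving www.a.com under its own certificate and port 444 serving www.b.com under a different one. The address 192.0.2.10 and the certificate and DocumentRoot paths are assumptions for illustration.

```apache
# Added example: two SSL virtual hosts on one IP address, separated by port.
# 192.0.2.10 and every file path below are assumed values, not from the post.
Listen 443
Listen 444

# Default HTTPS port: the certificate issued for www.a.com is bound to 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName www.a.com
    DocumentRoot /var/www/a
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.a.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.a.com.key
</VirtualHost>

# Alternate port: a different certificate, issued for www.b.com, is bound to
# 192.0.2.10:444. Clients must request https://www.b.com:444/ explicitly;
# https://www.b.com/ would reach the :443 host above, be handed the www.a.com
# certificate, and show the name-mismatch warning.
# (For the test-version case the post prefers, keep ServerName www.a.com and the
# www.a.com certificate here and change only DocumentRoot.)
<VirtualHost 192.0.2.10:444>
    ServerName www.b.com
    DocumentRoot /var/www/b
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.b.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.b.com.key
</VirtualHost>
```

To confirm which certificate each port actually presents, `openssl s_client -connect 192.0.2.10:444` (run without -servername) shows the certificate a client that does not send a server name is handed on that port.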

Using alternate port numbers, you need to be more careful with how URLs are generated. Normally you only need to change the scheme (http to https) to switch to SSL, but those schemes imply the default ports (80 for http, 443 for https). You need to be sure the URL explicitly specifies any alternate port number in order to reach the correct virtual server. It’s often easier to just make all connections go over SSL when using an alternate port number.

As mentioned, we normally only use alternate ports for test versions of an application, since the added port number complicates the URLs. When possible, we prefer to slightly change the URI (the part after the hostname) to point to the test version of the application, so the test version of https://application.washington.edu/appname/ could be https://application.washington.edu/appnametest/.

We use multiple IP addresses if we need more than one SSL certificate, again to avoid having the port number in the URL.

Update 1/20/2011: Prices for certificates with Subject Alternative Names (documentation for OpenSSL) are much more competitive now, so we have begun to use those instead of individual certs. This allows us to use more than one name on an individual IP address.

5 Comments on SSL, IP addresses, and ports

  1. whats my ip
    July 14, 2011 at 11:25 am

    This is a great post on SSL ports. I have had lots of hangups getting with our server. Thanks

  2. Brenelyn
    November 21, 2012 at 12:33 am

    Hi! Thank you for this post! It helped a lot!
    But I just wanna ask if this means that I should use single SSL certificate with one port? Is there any offer by the providers of SSL certificates that I can use single SSL certificate to many ports? By the way, we wanted to use this with WCF. Thank you so much in advance.

  3. fmf
    November 22, 2012 at 2:04 pm

    As long as you have the same name (either “www.a.com” or “www.b.com” in the example above, but not both) then you can use the SSL certificate with the one name for multiple ports. So https://www.a.com/ and https://www.a.com:444/ should be fine.

    However, using a cert with Subject Alternate Names (SANs) allows you to use multiple names on the same cert, so you can be listening on the same port with different names.

    • Brenelyn
      November 22, 2012 at 6:31 pm

      Can I use this with same IP addresses? Like 0.0.0.0:443 and 0.0.0.0:444?
      And for https, can I use any port number instead of the default port 443?

      • fmf
        November 22, 2012 at 7:02 pm

        As for port numbers for HTTPS, yes, you can use any port number, as long as that port is configured for SSL. And as far as the IP addresses are concerned, it doesn’t matter what address you use the certificate on as long as the name(s) on the cert matches the name(s) used to access the web server.
