Step 1
Get the software:
* Change directory to local source directory:
cd /usr/local/src
* Get the latest openssl source tarball. (Note: As a matter of best practice you should always check the integrity of downloaded packages using signatures provided by the source obtained in a trusted manner. Those steps are skipped here for clarity):
wget http://www.openssl.org/source/openssl-0.9.8k.tar.gz
* Get the latest nginx source tarball:
wget http://sysoev.ru/nginx/nginx-0.7.61.tar.gz
* Unpack the openssl tarball:
tar -zxvf openssl-0.9.8k.tar.gz
* Unpack the nginx tarball:
tar -zxvf nginx-0.7.61.tar.gz
Step 2
Build and install openssl:
* Change directory to the openssl source directory you just unpacked at step 1 above:
cd openssl-0.9.8k
* Configure the build of openssl, supplying the configuration parameter that enables the TLS extensions. (Note: this parameter is required. This version of openssl supports the TLS extensions, but if you omit enable-tlsext they will not be compiled into the resulting binary and SNI will not work.):
./config enable-tlsext
* Build openssl:
make
* Install openssl:
make install
* I chose to build and install openssl without providing a custom install path, so with the next two commands I’m just renaming the old binary and copying the new binary to where my system expects it to be. Giving openssl a custom install path at build-time above would be another (probably better) way to do it:
mv /usr/bin/openssl /usr/bin/openssl.old
cp /usr/local/ssl/bin/openssl /usr/bin/openssl
Step 3
Build and install nginx:
* Change directory to the nginx source directory you previously unpacked at step 1 above:
cd ../nginx-0.7.61
* Configure the build of nginx, supplying in particular the last parameter (--with-openssl=../openssl-0.9.8k/) to ensure your build is linked against the TLS-enabled build of openssl from the previous steps:
./configure --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body/ --http-proxy-temp-path=/var/lib/nginx/tmp/proxy/ --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi/ --with-openssl=../openssl-0.9.8k/
* Build nginx:
make
* Stop nginx if it’s running:
/etc/init.d/nginx stop
* Install nginx:
make install
* Edit /etc/nginx/nginx.conf (the --conf-path given above) according to your needs. Configure multiple ssl server blocks, all listening on 443, each with its own hostname and its own cert/key (see the nginx documentation at http://wiki.nginx.org).
* Nginx needs this directory to exist, create it if it doesn’t already exist:
mkdir -p /var/lib/nginx/tmp/client_body/
* Start nginx:
/etc/init.d/nginx start
Step 4
Now, assuming that your DNS zones resolve the desired server names to the IP address of this server, and that those names match the subject names of the certificates configured for each virtual server at step 3 above, you will be able to access each virtual host over HTTPS from an SNI-capable browser without SSL errors, popups, etc.
Congratulations.
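As an added example (not part of the original post), the following shell script generates the per-hostname ssl server blocks described in step 3 and then checks, with openssl s_client -servername, which certificate the server hands back for each name in step 4. The hostnames, the /etc/nginx/ssl certificate paths and the 192.0.2.10 address in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Hostnames and /etc/nginx/ssl
# paths are assumptions; adjust them to your own certificates.

# sni_server_block NAME CERT KEY: print one ssl server {} block on port 443.
sni_server_block() {
    cat <<EOF
    server {
        listen              443;
        server_name         $1;
        ssl                 on;
        ssl_certificate     $2;
        ssl_certificate_key $3;
        location / { root /var/www/$1; }
    }
EOF
}

# make_sni_config NAME...: print an http {} block with one ssl vhost per name,
# all bound to 443 and told apart only by the SNI hostname the client sends.
make_sni_config() {
    printf 'http {\n'
    for name in "$@"; do
        sni_server_block "$name" "/etc/nginx/ssl/$name.crt" "/etc/nginx/ssl/$name.key"
    done
    printf '}\n'
}

# client_has_sni: succeed if the local openssl s_client accepts -servername,
# i.e. it was built with TLS extensions enabled (the enable-tlsext flag above).
client_has_sni() {
    openssl s_client -help 2>&1 | grep -q -- '-servername'
}

# sni_cert_subject HOST PORT NAME: subject of the certificate the server
# presents when the ClientHello carries NAME in the SNI extension.
sni_cert_subject() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null |
        openssl x509 -noout -subject
}

# Usage (assumed names and address): write the config, then query each name
# and confirm the subject matches the name that was sent.
# make_sni_config a.example.com b.example.com > /etc/nginx/sni.conf
# client_has_sni && sni_cert_subject 192.0.2.10 443 a.example.com
# client_has_sni && sni_cert_subject 192.0.2.10 443 b.example.com
```

If the two queries return the same subject, the server is ignoring the SNI extension (typically an openssl built without enable-tlsext); if the second query fails entirely, the client side lacks TLS extensions.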
Comments
dkhosting said on 10/19/2009:
Just to let you know, Apache DOES support SNI now as of 2.2.12