kienan
/
AlternC
mirror of https://github.com/kienanstewart/AlternC.git
1
0
Fork 0
Code Issues Releases Wiki Activity

adding ssl.conf for apache + updateTrigger() when a new cert arrives to update sub_domaines

This commit is contained in:
Benjamin Sonntag 2015-02-13 11:38:27 +01:00
parent 73b41264f1
commit 5a0280607f
5 changed files with 164 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
debian/alternc-ssl.dirs vendored
View File

@ -1,4 +1,4 @@
etc/alternc/templates/apache2
etc/alternc/templates/apache2/mods-available
etc/apache2/conf.d
usr/lib/alternc/install.d
usr/share/alternc/install

14
ssl/alternc-ssl.install.php
View File

@ -5,11 +5,17 @@
synchronize the required domain templates with the current install
(do they have php52, roundcube, squirrelmail, etc.?)
*/
if ($argv[1] == "templates") {
// install ssl.conf
echo "[alternc-ssl] Installing ssl.conf template\n";
copy("/etc/alternc/templates/apache2/mods-available/ssl.conf","/etc/apache2/mods-available/ssl.conf");
}
if ($argv[1] == "before-reload") {
// Bootstrap
require_once("/usr/share/alternc/panel/class/config_nochk.php");
echo "[alternc-ssl] Installing domaines-types\n";
$db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES
('vhost-ssl', 'Locally hosted forcing HTTPS', 'DIRECTORY', '%SUB% IN A @@PUBLIC_IP@@', 'vhost,url,txt,defmx,defmx2,mx,mx2', 'ALL', 0, 0, 0);");
@ -19,7 +25,7 @@ if ($argv[1] == "before-reload") {
$db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES
('panel-ssl', 'AlternC panel access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'ip,ipv6,cname,txt,mx,mx2,defmx,defmx2', 'ALL', 0, 0, 1);");
$db - query("SELECT * FROM domaines_type WHERE name='roundcube';");
$db->query("SELECT * FROM domaines_type WHERE name='roundcube';");
if ($db->next_record()) {
$db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES
('roundcube-ssl', 'Roundcube Webmail access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'mx,mx2,defmx,defmx2,txt', 'ALL', 0, 0, 1;");
@ -28,7 +34,7 @@ if ($argv[1] == "before-reload") {
$db->query("UPDATE sub_domaines SET web_action='DELETE' WHERE type='roundcube-ssl';");
}
$db - query("SELECT * FROM domaines_type WHERE name='squirrelmail';");
$db->query("SELECT * FROM domaines_type WHERE name='squirrelmail';");
if ($db->next_record()) {
$db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES
('squirrelmail-ssl', 'Squirrelmail Webmail access WITH SSL', 'NONE', '%SUB% IN A @@PUBLIC_IP@@', 'mx,mx2,defmx,defmx2,txt', 'ALL', 0, 0, 1);");
@ -37,7 +43,7 @@ if ($argv[1] == "before-reload") {
$db->query("UPDATE sub_domaines SET web_action='DELETE' WHERE type='squirrelmail-ssl';");
}
$db - query("SELECT * FROM domaines_type WHERE name='php52';");
$db->query("SELECT * FROM domaines_type WHERE name='php52';");
if ($db->next_record()) {
$db->query("INSERT IGNORE INTO `domaines_type` (name, description, target, entry, compatibility, enable, only_dns, need_dns, advanced ) VALUES
('php52-ssl', 'php52 forcing HTTPS', 'DIRECTORY', '%SUB% IN A @@PUBLIC_IP@@', 'vhost,url,txt,defmx,defmx2,mx,mx2', 'ALL', 0, 0, 0);");
@ -69,6 +75,4 @@ if ($argv[1] == "before-reload") {
fclose($f);
}
}
} // before-reload

4
ssl/hosting_vhost-ssl.sh
View File

@ -30,7 +30,7 @@ if ( ($argv[1]=="create" || $argv[1]=="postinst" || $argv[1]=="delete") ) {
print_r($argv);
exit();
}
$ssl->update_domain($argv[1], $argv[2], $argv[3], $argv[4]);
$ssl->updateDomain($argv[1], $argv[2], $argv[3], $argv[4]);
exit();
}
if ( ($argv[1]=="enable" || $argv[1]=="disable") ) {
@ -39,7 +39,7 @@ if ( ($argv[1]=="enable" || $argv[1]=="disable") ) {
print_r($argv);
exit();
}
$ssl->update_domain($argv[1], $argv[2], $argv[3] );
$ssl->updateDomain($argv[1], $argv[2], $argv[3] );
exit();
}

103
ssl/panel/class/m_ssl.php
View File

@ -36,19 +36,19 @@ class m_ssl {
public $error = "";
// Includes one or more of those flags to see only those certificates
// when listing them:
// Includes one or more of those flags to see only those certificates
// when listing them:
const FILTER_PENDING = 1;
const FILTER_OK = 2;
const FILTER_EXPIRED = 4;
const FILTER_SHARED = 8;
const SSL_INCRON_FILE = "/var/run/alternc/ssl/generate_certif_alias";
var $myDomainesTypes = array("vhost-ssl", "url-ssl", "panel-ssl", "roundcube-ssl", "squirrelmail-ssl");
var $myDomainesTypes = array("vhost-ssl", "vhost-mixssl", "panel-ssl", "roundcube-ssl", "squirrelmail-ssl","php52-ssl","php52-mixssl");
const KEY_REPOSITORY = "/var/lib/alternc/ssl/private";
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/**
* Constructor
*/
@ -56,7 +56,7 @@ class m_ssl {
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/**
* Hook to add the "ssl certificate" menu in the Panel
*/
@ -82,7 +82,7 @@ class m_ssl {
);
}
// or admin shared >0 !
// or admin shared >0 !
$db->query("SELECT COUNT(*) AS cnt FROM certificates WHERE uid='$cuid' OR shared=1");
$used = $q['u'];
if ($db->next_record()) {
@ -98,7 +98,7 @@ class m_ssl {
return $obj;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Return all the SSL certificates for an account (or the searched one)
* @param $filter an integer telling which certificate we want to see (see FILTER_* constants above)
* the default is showing all certificate, but only Pending and OK certificates, not expired or shared one
@ -110,7 +110,7 @@ class m_ssl {
global $db, $err, $cuid;
$err->log("ssl", "get_list");
$r = array();
// If we have no filter, we filter by default on pending and ok certificates if there is more than 10 of them for the same user.
// If we have no filter, we filter by default on pending and ok certificates if there is more than 10 of them for the same user.
if (is_null($filter)) {
$db->query("SELECT count(*) AS cnt FROM certificates WHERE uid='$cuid' OR shared=1;");
$db->next_record();
@ -120,9 +120,9 @@ class m_ssl {
$filter = (self::FILTER_PENDING | self::FILTER_OK | self::FILTER_EXPIRED | self::FILTER_SHARED);
}
}
// filter the filter values :)
// filter the filter values :)
$filter = ($filter & (self::FILTER_PENDING | self::FILTER_OK | self::FILTER_EXPIRED | self::FILTER_SHARED));
// Here filter can't be null (and will be returned to the caller !)
// Here filter can't be null (and will be returned to the caller !)
$sql = "";
if ($filter & self::FILTER_SHARED) {
$sql = " (uid='$cuid' OR shared=1) ";
@ -152,7 +152,7 @@ class m_ssl {
}
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Generate a new CSR, a new Private RSA Key, for FQDN.
* @param $fqdn string the FQDN of the domain name for which we want a CSR.
* a wildcard certificate must start by *.
@ -183,7 +183,7 @@ class m_ssl {
return false;
}
$dn = array("commonName" => $fqdn);
// override the (not taken from openssl.cnf) digest to use SHA-2 / SHA256 and not SHA-1 or MD5 :
// override the (not taken from openssl.cnf) digest to use SHA-2 / SHA256 and not SHA-1 or MD5 :
$config = array("digest_alg" => "sha256");
$csr = openssl_csr_new($dn, $pkey, $config);
$csrout = "";
@ -196,7 +196,7 @@ class m_ssl {
return $id;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Return all informations of a given certificate for the current user.
* @return array all the informations of the current certificate as a hash.
*/
@ -212,7 +212,7 @@ class m_ssl {
return $db->Record;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Share (or unshare) an ssl certificate
* @param $id integer the id of the certificate in the table.
* @param $action integer share (1) or unshare (0) this certificate
@ -222,13 +222,14 @@ class m_ssl {
global $db, $err, $cuid;
$err->log("ssl", "share");
$id = intval($id);
$db->query("SELECT id FROM certificates WHERE uid='$cuid' AND status=" . self::STATUS_OK . " AND id='$id';");
$db->query("SELECT * FROM certificates WHERE uid='$cuid' AND status=" . self::STATUS_OK . " AND id='$id';");
if (!$db->next_record()) {
$err->raise("ssl", _("Can't find this Certifcate"));
return false;
}
if ($action) {
$action = 1;
$this->updateTrigger($db->Record["fqdn"],$db->Record["altnames"]);
} else {
$action = 0;
}
@ -236,7 +237,7 @@ class m_ssl {
return true;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Return all the subdomains that can be ssl-enabled for the current account.
* @return array of strings : all the subdomains.
* Excludes the one for which a cert is already available
@ -245,7 +246,7 @@ class m_ssl {
global $db, $err, $cuid;
$err->log("ssl", "get_new_advice");
$r = array();
// my certificates, either OK or PENDING (not expired) or the SHARED one (only OK then)
// my certificates, either OK or PENDING (not expired) or the SHARED one (only OK then)
$db->query("SELECT fqdn FROM certificates WHERE
(uid='$cuid' AND status IN (" . self::STATUS_PENDING . "," . self::STATUS_OK . ") )
OR (shared=1 AND status=" . self::STATUS_OK . ")
@ -254,7 +255,7 @@ class m_ssl {
while ($db->next_record()) {
$r[] = $db->f("fqdn");
}
// Now we get all our subdomains for certain domaines_types
// Now we get all our subdomains for certain domaines_types
$db->query("SELECT sub,domaine FROM sub_domaines WHERE compte='$cuid' AND type IN ('vhost', 'url', 'roundcube', 'squirrelmail', 'panel', 'php52');");
$advice = array();
while ($db->next_record()) {
@ -274,7 +275,7 @@ class m_ssl {
return($advice);
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Import an existing ssl Key, Certificate and (maybe) a Chained Cert
* @param $key string the X.509 PEM-encoded RSA key
* @param $crt string the X.509 PEM-encoded certificate, which *must*
@ -299,17 +300,18 @@ class m_ssl {
$fqdn = $crtdata["subject"]["CN"];
$altnames = $this->parseAltNames($crtdata["extensions"]["subjectAltName"]);
// Everything is PERFECT and has been thoroughly checked, let's insert those in the DB !
// Everything is PERFECT and has been thoroughly checked, let's insert those in the DB !
$sql = "INSERT INTO certificates SET uid='$cuid', status=" . self::STATUS_OK . ", shared=0, fqdn='" . addslashes($fqdn) . "', altnames='" . addslashes($altnames) . "', validstart=FROM_UNIXTIME(" . intval($validstart) . "), validend=FROM_UNIXTIME(" . intval($validend) . "), sslkey='" . addslashes($key) . "', sslcrt='" . addslashes($crt) . "', sslchain='" . addslashes($chain) . "';";
$db->query($sql);
if (!($id = $db->lastid())) {
$err->raise("ssl", _("Can't save the Key/Crt/Chain now. Please try later."));
return false;
}
$this->updateTrigger($fqdn,$altnames);
return $id;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Import an ssl certificate into an existing certificate entry in the DB.
* (finalize an enrollment process)
* @param $certid integer the ID in the database of the SSL Certificate
@ -336,16 +338,17 @@ class m_ssl {
$fqdn = $crtdata["subject"]["CN"];
$altnames = $this->parseAltNames($crtdata["extensions"]["subjectAltName"]);
// Everything is PERFECT and has been thoroughly checked, let's insert those in the DB !
// Everything is PERFECT and has been thoroughly checked, let's insert those in the DB !
$sql = "UPDATE certificates SET status=" . self::STATUS_OK . ", shared=0, fqdn='" . addslashes($fqdn) . "', altnames='" . addslashes($altnames) . "', validstart=FROM_UNIXTIME(" . intval($validstart) . "), validend=FROM_UNIXTIME(" . intval($validend) . "), sslcrt='" . addslashes($crt) . "', sslchain='" . addslashes($chain) . "' WHERE id='$certid' ;";
if (!$db->query($sql)) {
$err->raise("ssl", _("Can't save the Crt/Chain now. Please try later."));
return false;
}
$this->updateTrigger($fqdn,$altnames);
return $certid;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Function called by a hook when an AlternC member is deleted.
* @access private
* TODO: delete unused ssl certificates ?? > do this in the crontab.
@ -357,7 +360,7 @@ class m_ssl {
return true;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Hook which returns the used quota for the $name service for the current user.
* @param $name string name of the quota
* @return integer the number of service used or false if an error occured
@ -374,14 +377,32 @@ class m_ssl {
return $q;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Launched by functions in this class
* when a certificate is validated, expired or shared.
* so that existing vhost using expired or self-signed certificates
* may have the chance to use a proper one automagically
* @param string $fqdn the FQDN of the certificate
* @param string $altnames any alternative names this certificate may have.
*/
public function updateTrigger($fqdn, $altnames = "") {
global $db;
$fqdns = array($fqdn);
$an = explode("\n", $altnames);
foreach ($an as $a)
if (trim($a))
$fqdns[] = trim($a);
$db->query("UPDATE sub_domaines SET web_action='UPDATE' WHERE if(LENGTH(sub)>0,CONCAT(sub,'.',domaine),domaine) IN ('" . implode("','", $fqdns) . "');");
}
// -----------------------------------------------------------------
/** Launched by hosting_functions.sh launched by update_domaines.sh
* Action may be create/postinst/delete/enable/disable
* Change the template for this domain name to have the proper CERTIFICATE
* An algorithm determine the best possible certificate, which may be a BAD one
* (like a generic admin-shared or self-signed for localhost as a last chance)
*/
public function update_domain($action, $type, $fqdn, $mail = 0, $value = "") {
public function updateDomain($action, $type, $fqdn, $mail = 0, $value = "") {
global $db, $err;
$err->log("ssl", "update_domain($action,$type,$fqdn)");
if (!in_array($type, $this->myDomainesTypes)) {
@ -408,8 +429,6 @@ class m_ssl {
// found and $db point to it:
$subdom = $db->Record;
$TARGET_FILE = "/var/lib/alternc/apache-vhost/" . substr($subdom["compte"], -1) . "/" . $subdom["compte"] . "/" . $fqdn . ".conf";
// DEBUG
echo "TARGET_FILE:".$TARGET_FILE."\n";
$cert = $this->searchBestCert($subdom["compte"], $fqdn);
// DEBUG echo "Return from searchBestCert(" . $subdom["compte"] . "," . $fqdn . ") is "; print_r($cert);
// Save crt/key/chain into KEY_REPOSITORY
@ -433,7 +452,7 @@ class m_ssl {
} // action==create
}
// --------------op---------------------------------------------------
// ----------------------------------------------------------------
/** Search for the best certificate for a user and a fqdn
* Return a hash with sslcrt, sslkey and maybe sslchain.
* return ANYWAY : if necessary, return a newly created (and stored in KEY_REPOSITORY localhost self-signed certificate...
@ -449,7 +468,7 @@ class m_ssl {
. "AND (fqdn='" . $fqdn . "' OR fqdn='" . $wildcard . "' OR altnames LIKE '%" . $fqdn . "%') "
. "ORDER BY (validstart<=NOW() AND validend>=NOW()) DESC, validstart DESC ");
while ($db->next_record()) {
if ($db->fqdn == $fqdn) {
if ($db->Record["fqdn"] == $fqdn) {
return $db->Record;
}
$altnames = explode("\n", $db->Record["altnames"]);
@ -465,7 +484,7 @@ class m_ssl {
return $crt;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Export every information for an AlternC's account
* @access private
* EXPERIMENTAL 'sid' function ;)
@ -486,7 +505,7 @@ class m_ssl {
return $str;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Returns the list of alternate names of an X.509 SSL Certificate
* from the attribute list.
* @param $str string the $crtdata["extensions"]["subjectAltName"] from openssl
@ -501,7 +520,7 @@ class m_ssl {
}
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Add (immediately) a global alias to the HTTP
* certif_alias table and add it to apache configuration
* by launching a incron action.
@ -523,7 +542,7 @@ class m_ssl {
return true;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Removes (immediately) a global alias to the HTTP
* certif_alias table and add it to apache configuration
* by launching a incron action.
@ -542,7 +561,7 @@ class m_ssl {
return true;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
/** Check that a crt is a proper certificate
* @param $crt string an SSL Certificate
* @param $chain string is a list of certificates
@ -553,14 +572,14 @@ class m_ssl {
*/
function check_cert($crt, $chain, $key = "", $certid = null) {
global $db;
// Check that the key crt and chain are really SSL certificates and keys
// Check that the key crt and chain are really SSL certificates and keys
$crt = trim(str_replace("\r\n", "\n", $crt)) . "\n";
$key = trim(str_replace("\r\n", "\n", $key)) . "\n";
$chain = trim(str_replace("\r\n", "\n", $chain)) . "\n";
$this->error = "";
if (trim($key) == "" && !is_null($certid)) {
// find it in the DB :
// find it in the DB :
$db->query("SELECT sslkey FROM certificates WHERE id=" . intval($certid) . ";");
if (!$db->next_record()) {
$this->error.=_("Can't find the private key in the certificate table, please check your form.");
@ -589,7 +608,7 @@ class m_ssl {
return false;
}
// We split the chained certificates in individuals certificates :
// We split the chained certificates in individuals certificates :
$chains = array();
$status = 0;
$new = "";
@ -611,8 +630,8 @@ class m_ssl {
$new.=$line . "\n";
}
}
// here chains contains all the ssl certificates in the chained certs.
// Now we check those using Openssl functions (real check :) )
// here chains contains all the ssl certificates in the chained certs.
// Now we check those using Openssl functions (real check :) )
$rchains = array();
$i = 0;
foreach ($chains as $tmpcert) {
@ -635,13 +654,13 @@ class m_ssl {
$this->error.=_("The private key is invalid.") . "\n";
}
if (!$this->error) {
// check that the private key and the certificates are matching :
// check that the private key and the certificates are matching :
if (!openssl_x509_check_private_key($rcrt, $rkey)) {
$this->error.=_("The private key is not the one signed inside the certificate.") . "\n";
}
}
if (!$this->error) {
// Everything is fine, let's recreate crt, chain, key from our internal OpenSSL structures:
// Everything is fine, let's recreate crt, chain, key from our internal OpenSSL structures:
if (!openssl_x509_export($rcrt, $crt)) {
$this->error.=_("Can't export your certificate as a string, please check its syntax.") . "\n";
}

91
ssl/ssl.conf Normal file
View File

@ -0,0 +1,91 @@
# ############################################################################
# WARNING : this file is overwritten by alternc.install.
# Edit /etc/alternc/templates/apache2/mods-available/ instead.
# ############################################################################
<IfModule mod_ssl.c>
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# (The mechanism dbm has known memory leaks and should not be used).
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. See the
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM
# Other possible ciphersuite (requires wheezy-version of apache2 at least)
#SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
#SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on
# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
SSLStrictSNIVHostCheck Off
</IfModule>