What is the best option for setting up a several sites supporting SSL on the same IP?
From what I've seen "Server Name Indication" is the main way to achieve this at the moment.
One of the downsides is that older browsers won't support this so depending on the site it may not be a possibility for it to be used.
Edit: Just to update following @D.W.'s and @Piskvor's comments looks like there's a list of supported and unsupported browsers on the linked Wikipedia page now.
All popular browsers support SNI, including all versions of Internet Explorer on Windows Vista and later. Internet Explorer 6, 7, and 8 on Windows XP were the main browsers that did not support SNI, but they no longer receive security updates since April 2014.
There are two ways: either all the sites use the same certificate (in which case you need a way to make the client browser accept the certificate regardless of which site the client intended to contact), or you select the correct certificate depending on the site which the client wants to connect to (in which case you have to obtain that information some way or another).
For the first way, consider RFC 2818, which specifies what the browser actually expects from the server certificate. The browser wants to connect to a URL, which includes a server name part (after the https://
but before the next /
); the browser wants to find that name in the server certificate. The details are in section 3.1. Basically, the Subject Alt Name extension in the certificate is scanned for names of type dNSName
, and one of them must match the server name in the URL. If the Subject Alt Name extension contains no dNSName
at all, of if there is no Subject Alt Name extension in the server certificate, then the Common Name in the subjectDN
is used. The wildcard character "*
" can be used to match "any" name part, but this is not reliably supported by every browser.
Therefore, to support multiple sites on the same IP and port, use a certificate which lists all the site names in a Subject Alt Name extension. This has a few drawbacks, e.g. it reveals all the site names (one simply has to connect and look at the certificate); also, you need to get a new certificate every time you add a new site. Finally, your certificate provider might make things a bit more difficult or expensive (e.g. the free certificates from StartSSL are single-domain only; to get a certificate with multiple domains, you must pay).
The second way involves the Server Name Indication, which is an extension to SSL. When using this extension, the client announces the intended server name early enough in the handshake, so that the server can choose which certificate to use depending on what site the client wants to talk to. Unfortunately, support for SNI is not available with Internet Explorer on Windows XP, a still common combination (according to StatCounter global stats, as of October 2012, there are still more than 12% of Web users who use IE 8.0, presumably many of them on WinXP -- note that since the WinXP share is 27% of the OS, one can conclude that more than half of the WinXP users have switched to a non-IE browser). Ditching 12% of the potential site audience is a non-trivial policy decision.
Also, with SNI, the server software must support it, and be configured to use it. See this page for how to do it with Apache and mod_ssl.
Another option is to use a wildcard SSL certificate if your host names allow it.
So you'll have a certificate with CN=*.yourdomain.com covering www.yourdomain.com, mail.yourdomain.com, ftp.yourdomain.com and so on.