Here’s how to configure TLS SNI on Gentoo, using Apache:

1) DON’T try to set up TLS SNI using mod_gnutls. When I tried it on January 30, 2009, mod_gnutls still seemed to be too experimental and unstable for reliable TLS SNI (I observed some non-deterministic behaviour).

2) It does work fine though with a reasonably current version of OpenSSL and a patched Apache mod_ssl. And here, Gentoo shines once again: With Gentoo, you don’t need to manually patch Apache or OpenSSL! All you have to do is add the “sni” use flag to Apache in /etc/portage/package.use:

www-servers/apache sni

and remerge Apache (‘emerge -auDNv apache’).

Note that Gentoo’s OpenSSL is already SNI-enabled by default (since openssl-0.9.8g-r2.ebuild) – remerge/update OpenSSL if required.

The configuration of SNI-enabled name-based virtual hosts in Apache is transparent, i.e. works the same way as for SSL-enabled, non-SNI name-based virtual hosts (of course you’ll want to use different certificates for every virtual host and specify them, as explained on Kaspar Brand’s TLS SNI test site).

Have fun!

Gentoo Bug 230211 – www-apache/mod_python-3.3.1 – connobject.c:142: error: request for member ‘next’ in something not a structure or union

(IOW: Emerge mod_python-3.3.1-r1 from your local portage overlay and restart Apache)