[erlang-patches] Server Name Indication SSL extension

Julien Barbot <>
Sat May 12 02:16:10 CEST 2012


Here is an implementation of SSL SNI extension: RFC6066 Section 3.
- http://tools.ietf.org/html/rfc6066#section-3
- https://en.wikipedia.org/wiki/Server_Name_Indication

It's kind of VirtualHosts for SSL: One SSL server with one IP/PORT couple
can present differents SSL parameters.

To fetch:
git fetch git://github.com/klyr/otp.git <http://github.com/etrepum/otp.git>ssl

Review at:

Feel free to comment/criticize the code and the API modification choices:
- ssl:sni_hostname(Socket): to get the hostname selected by the server or
undefined if not found or not specified by the client,
- a new sni_hosts server parameter to specify per-host configuration.

Basic usage example:

Opts = [
    {certfile, "default.pem"}, {keyfile, "default.key"}, {verify,
verify_none} % Default parameters
    {sni_hosts, [
        {"vhost1.example.com", [{certfile, "vhost1.pem"}, {keyfile,
        {"vhost2.example.org", [{verify, verify_peer}]}

{ok, ListenSocket} = ssl:listen(9999, Opts),
{ok, S} = ssl:transport_accept(ListenSocket),
ok = ssl:ssl_accept(S),
SelectedHost = ssl:sni_hostname(S),
io:format("Selected Vhost: ~s~n", [SelectedHost]).

Best regards,

Julien Barbot
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-patches/attachments/20120512/e5e5c393/attachment.html>

More information about the erlang-patches mailing list