[erlang-questions] ssl server multiple certificates
Andreas Schultz
aschultz@REDACTED
Tue Oct 29 10:39:05 CET 2013
Hi,
----- Original Message -----
> Hi,
>
> I would like to have some feedback about the API modification.
Ingela is the authority to ask, so just my 2 cent here....
> * Client side
> No modification, SNI is used if the connection endpoint is a hostname,
> not an ip address.
Like that
> * Server side
> A new "sni_hosts" option can override ssl options on a per-hostname
> basis: for exemple one can override the default certificate for the
> vhost1.example.com hostname with the following ssl option:
> {sni_hosts, [{"vhost1.example.com", [{certfile, "vhost1.pem"},
> {keyfile,"vhost1.key"}]}]}
What about just 'hosts', the fact that is uses SNI does not really matter.
> A new ssl:sni_hostname/1 function was added to get the wanted
> hostname, for exemple in yaws one can imagine calling this function to
> serve the website corresponding to the sni hostname.
>
> ok = ssl:ssl_accept(S),
> SelectedHost = ssl:sni_hostname(S),
Looking at the SSL API, it feels like a simple hostname/1 call would be
more in line with for example peername and sockname.
What would be the return if SNI wasn't negotiated, some kind of default,
a special atom (e.g. undefined or unknown) or {error, unknown} ?
> I recently updated the client side patch (the easier part), but need
> some time to update the patch to work with the refactored ssl library.
>
> Feedbacks are welcome ! :)
Andreas
>
> Regards,
>
> --
> Julien Barbot
>
>
> 2013/10/28 Andreas Schultz <aschultz@REDACTED>
> >
> > Hi,
> >
> > ----- Original Message -----
> > > Hi!
> > >
> > > If I remember correctly someone worked on a contribution for this, but I
> > > where in the middle of refactoring
> > > things and I think it was not quite finished.
> >
> > Found it:
> > http://erlang.org/pipermail/erlang-patches/2012-May/002787.html
> >
> > And copied the original author... would be nice to have this in R17
> >
> > Andreas
> >
> > > Since then I have not had time
> > > to follow up on it. I think it would
> > > not be too hard to add support for it, but it is not our priority at the
> > > moment, so please feel free to contribute.
> > > And it is quite ok to send in a "pre-patch" to get feed back on API
> > > choices
> > > before you make the patch conform to all patch requirements.
> > >
> > > Regards Ingela Erlang/OTP team - Ericssson AB
> > >
> > >
> > > 2013/10/25 Sergej Jurecko < sergej.jurecko@REDACTED >
> > >
> > >
> > > hello,
> > >
> > > Is it possible to host multiple ssl certificates for different domains on
> > > a
> > > single IP and port? Like nginx is capable of doing.
> > >
> > >
> > > Sergej
>
--
--
Dipl. Inform.
Andreas Schultz
More information about the erlang-questions
mailing list