[erlang-questions] ssl server multiple certificates

Andreas Schultz aschultz@REDACTED
Tue Oct 29 10:39:05 CET 2013


Hi,

----- Original Message -----
> Hi,
> 
> I would like to have some feedback about the API modification.

Ingela is the authority to ask, so just my 2 cents here....

> * Client side
> No modification, SNI is used if the connection endpoint is a hostname,
> not an ip address.

Like that

> * Server side
> A new "sni_hosts" option can override ssl options on a per-hostname
> basis: for example one can override the default certificate for the
> vhost1.example.com hostname with the following ssl option:
> {sni_hosts, [{"vhost1.example.com", [{certfile, "vhost1.pem"},
> {keyfile,"vhost1.key"}]}]}

What about just 'hosts', the fact that it uses SNI does not really matter.

> A new ssl:sni_hostname/1 function was added to get the wanted
> hostname, for example in yaws one can imagine calling this function to
> serve the website corresponding to the sni hostname.
> 
> ok = ssl:ssl_accept(S),
> SelectedHost = ssl:sni_hostname(S),

Looking at the SSL API, it feels like a simple hostname/1 call would be
more in line with for example peername and sockname.

What would be the return if SNI wasn't negotiated, some kind of default,
a special atom (e.g. undefined or unknown) or {error, unknown} ?

> I recently updated the client side patch (the easier part), but need
> some time to update the patch to work with the refactored ssl library.
> 
> Feedback is welcome! :)

Andreas

> 
> Regards,
> 
> --
> Julien Barbot
> 
> 
> 2013/10/28 Andreas Schultz <aschultz@REDACTED>
> >
> > Hi,
> >
> > ----- Original Message -----
> > > Hi!
> > >
> > > If I remember correctly someone worked on a contribution for this, but I
> > > was in the middle of refactoring things and I think it was not quite
> > > finished.
> >
> > Found it:
> > http://erlang.org/pipermail/erlang-patches/2012-May/002787.html
> >
> > And copied the original author... would be nice to have this in R17
> >
> > Andreas
> >
> > > Since then I have not had time
> > > to follow up on it. I think it would
> > > not be too hard to add support for it, but it is not our priority at the
> > > moment, so please feel free to contribute.
> > > And it is quite ok to send in a "pre-patch" to get feedback on API
> > > choices before you make the patch conform to all patch requirements.
> > >
> > > Regards Ingela Erlang/OTP team - Ericsson AB
> > >
> > >
> > > 2013/10/25 Sergej Jurecko <sergej.jurecko@REDACTED>
> > >
> > >
> > > hello,
> > >
> > > Is it possible to host multiple ssl certificates for different domains on
> > > a single IP and port? Like nginx is capable of doing.
> > >
> > >
> > > Sergej
> 

-- 
Dipl. Inform.
Andreas Schultz

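As an added illustration of how a server would combine the `sni_hosts` option and `ssl:sni_hostname/1` proposed in this thread (this is not code from the thread or from the patch): the module name, certificate file names, the second vhost and the treatment of a non-string return as "no SNI sent" are assumptions, since the thread leaves the no-SNI return value open.

```erlang
%% Added example built on the API proposed in this thread (sni_hosts option and
%% ssl:sni_hostname/1). Module name, certificate paths and the handling of a
%% missing SNI name are assumptions, not part of the patch.
-module(sni_demo).
-export([start/1, handle/2]).

-define(DEFAULT_HOST, "www.example.com").

%% Per-hostname overrides: only these names get their own certificate; any
%% other name the client asks for is served with the default listener cert.
hosts() ->
    [{"vhost1.example.com", [{certfile, "vhost1.pem"}, {keyfile, "vhost1.key"}]},
     {"vhost2.example.com", [{certfile, "vhost2.pem"}, {keyfile, "vhost2.key"}]}].

start(Port) ->
    ok = ssl:start(),
    {ok, Listen} = ssl:listen(Port, [{certfile, "default.pem"},
                                     {keyfile, "default.key"},
                                     {sni_hosts, hosts()},
                                     {active, false},
                                     {reuseaddr, true}]),
    accept_loop(Listen).

accept_loop(Listen) ->
    {ok, Sock} = ssl:transport_accept(Listen),
    ok = ssl:ssl_accept(Sock),
    Host = select_host(Sock),
    %% Hand the socket to a worker before it starts reading from it.
    Pid = spawn(fun() -> receive go -> handle(Sock, Host) end end),
    ok = ssl:controlling_process(Sock, Pid),
    Pid ! go,
    accept_loop(Listen).

%% The SNI name is client-supplied input: use it only to look up a configured
%% vhost, never to build a file path or route to something unconfigured.
select_host(Sock) ->
    case ssl:sni_hostname(Sock) of
        Name when is_list(Name) ->
            case lists:keymember(Name, 1, hosts()) of
                true  -> Name;
                false -> ?DEFAULT_HOST
            end;
        _NoSni -> % assumption: a non-string (e.g. undefined) means no SNI
            ?DEFAULT_HOST
    end.

handle(Sock, Host) ->
    {ok, _Request} = ssl:recv(Sock, 0),
    ok = ssl:send(Sock, "served for " ++ Host ++ "\r\n"),
    ssl:close(Sock).
```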