[erlang-questions] ssl server multiple certificates

Andreas Schultz aschultz@REDACTED
Wed Oct 30 10:55:59 CET 2013


Hi,

----- Original Message -----
> Hi!
> 
> 2013/10/29 Andreas Schultz <aschultz@REDACTED>
> 
> > Hi,
> >
> > ----- Original Message -----
> > > Hi,
> > >
> > > I would like to have some feedback about the API modification.
> >
> > Ingela is the authority to ask, so just my 2 cent here....
> >
> > > * Client side
> > > No modification, SNI is used if the connection endpoint is a hostname,
> > > not an ip address.
> >
> > Like that
> >
> >
> Feels good and should be ok as unknown extensions should be ignored.

After thinking about it more, I believe that we still need an option to
set the SNI hostname explicitly. I see two use cases, first contacting
a server known only by IP address but still wanting virtual host support,
and the other is upgrading an already established TCP connection to TLS
with virtual server selection within TLS.

So maybe an {virtual_host, string()} option?

Andreas

> 
> 
> 
> > > * Server side
> > > A new "sni_hosts" option can override ssl options on a per-hostname
> > > basis: for example one can override the default certificate for the
> > > vhost1.example.com hostname with the following ssl option:
> > > {sni_hosts, [{"vhost1.example.com", [{certfile, "vhost1.pem"},
> > > {keyfile,"vhost1.key"}]}]}
> >
> > What about just 'hosts', the fact that it uses SNI does not really matter.
> >
> >
> I agree with Andreas on this point, SNI is an implementation detail.
> Maybe virtual_hosts would be more describing of what it is actually used
> for.
> 
> 
> 
> > > A new ssl:sni_hostname/1 function was added to get the wanted
> > > hostname, for example in yaws one can imagine calling this function to
> > > serve the website corresponding to the sni hostname.
> > >
> > > ok = ssl:ssl_accept(S),
> > > SelectedHost = ssl:sni_hostname(S),
> >
> > Looking at the SSL API, it feels like a simple hostname/1 call would be
> > more in line with for example peername and sockname.
> >
> 
> This would be a function defined only for the server?  I like hostname!
> 
> 
> > What would be the return if SNI wasn't negotiated, some kind of default,
> > a special atom (e.g. undefined or unknown) or {error, unknown} ?
> >
> >
> Maybe inet:gethostname() could be the default? So if the connection
> represents a virtual host you will get its name and otherwise you will
> get the actual hostname?!
> 
> 
> Regards Ingela Erlang/OTP team - Ericsson AB
> 
> 
> 
> > > I recently updated the client side patch (the easier part), but need
> > > some time to update the patch to work with the refactored ssl library.
> > >
> > > Feedback is welcome! :)
> >
> > Andreas
> >
> > >
> > > Regards,
> > >
> > > --
> > > Julien Barbot
> > >
> > >
> > > 2013/10/28 Andreas Schultz <aschultz@REDACTED>
> > > >
> > > > Hi,
> > > >
> > > > ----- Original Message -----
> > > > > Hi!
> > > > >
> > > > > If I remember correctly someone worked on a contribution for this,
> > > > > but I
> > > > > where in the middle of refactoring
> > > > > things and I think it was not quite finished.
> > > >
> > > > Found it:
> > > > http://erlang.org/pipermail/erlang-patches/2012-May/002787.html
> > > >
> > > > And copied the original author... would be nice to have this in R17
> > > >
> > > > Andreas
> > > >
> > > > > Since then I have not had time
> > > > > to follow up on it. I think it would
> > > > > not be too hard to add support for it, but it is not our priority at
> > > > > the
> > > > > moment, so please feel free to contribute.
> > > > > And it is quite ok to send in a "pre-patch" to get feed back on API
> > > > > choices
> > > > > before you make the patch conform to all patch requirements.
> > > > >
> > > > > Regards Ingela Erlang/OTP team - Ericsson AB
> > > > >
> > > > >
> > > > > 2013/10/25 Sergej Jurecko < sergej.jurecko@REDACTED >
> > > > >
> > > > >
> > > > > hello,
> > > > >
> > > > > Is it possible to host multiple ssl certificates for different
> > > > > domains on
> > > > > a
> > > > > single IP and port? Like nginx is capable of doing.
> > > > >
> > > > >
> > > > > Sergej
> > >
> >
> > --
> > --
> > Dipl. Inform.
> > Andreas Schultz
> >
> 

-- 
-- 
Dipl. Inform.
Andreas Schultz

email: as@REDACTED
phone: +49-391-819099-224
mobil: +49-170-2226073

------------------- enabling your networks -------------------

Travelping GmbH               phone:         +49-391-819099229
Roentgenstr. 13               fax:           +49-391-819099299
D-39108 Magdeburg             email:       info@REDACTED
GERMANY                       web:   http://www.travelping.com

Company Registration: Amtsgericht Stendal Reg No.:   HRB 10578
Geschaeftsfuehrer: Holger Winkelmann | VAT ID No.: DE236673780
--------------------------------------------------------------
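To make the server-side proposal in this thread concrete, here is an added example (not code from the thread, from Julien's patch or from OTP) of a listener configured with the proposed {sni_hosts, [{Hostname, SslOpts}]} option and an accept loop that reads the negotiated name with the proposed ssl:sni_hostname/1. Both names are taken from the proposal, not from a shipped OTP release; the example assumes that ssl:sni_hostname/1 returns the atom undefined when the client sent no server_name (one of the alternatives discussed above). "vhost1.pem"/"vhost1.key" come from the thread; "vhost2.*", "default.*" and the port are placeholders.

```erlang
%% Added example, not from the thread or OTP: per-hostname certificate
%% selection with the option shape proposed in this thread.
-module(sni_vhost_example).
-export([listen/1, serve/1, vhost_name/1]).

%% Listener-wide defaults. The default certificate is what a client gets when
%% it sends no server_name at all (e.g. it connected by IP address), so it
%% should be a certificate you are happy to show to anyone, not vhost1's.
%% File names are placeholders.
-define(DEFAULT_OPTS, [{certfile,  "default.pem"},
                       {keyfile,   "default.key"},
                       {reuseaddr, true},
                       {active,    false}]).

%% Per-hostname overrides, exactly the {sni_hosts, [{Host, SslOpts}]} shape
%% from the proposal. Each vhost gets its own key pair, so a client asking
%% for vhost1.example.com is never handed vhost2's certificate or key.
-define(SNI_HOSTS, [{"vhost1.example.com", [{certfile, "vhost1.pem"},
                                            {keyfile,  "vhost1.key"}]},
                    {"vhost2.example.com", [{certfile, "vhost2.pem"},
                                            {keyfile,  "vhost2.key"}]}]).

listen(Port) ->
    {ok, _} = application:ensure_all_started(ssl),
    {ok, LSock} = ssl:listen(Port, [{sni_hosts, ?SNI_HOSTS} | ?DEFAULT_OPTS]),
    accept_loop(LSock).

accept_loop(LSock) ->
    {ok, TSock} = ssl:transport_accept(LSock),
    %% Hand the socket to a worker before it touches it; the worker waits
    %% for 'go' so the ownership transfer cannot race the handshake.
    Pid = spawn(fun() -> handshake_and_serve(TSock) end),
    ok = ssl:controlling_process(TSock, Pid),
    Pid ! go,
    accept_loop(LSock).

handshake_and_serve(TSock) ->
    receive go -> ok end,
    %% The ClientHello, and with it the server_name extension, is only read
    %% during ssl_accept, so the name must be queried after it returns.
    ok = ssl:ssl_accept(TSock),
    serve(TSock).

serve(S) ->
    Host = vhost_name(S),
    ok = ssl:send(S, ["serving virtual host ", Host, "\r\n"]),
    ssl:close(S).

%% Proposed accessor from the thread, assumed to return undefined when the
%% client did not send SNI. Map that case explicitly to the default vhost
%% instead of letting a missing name select an arbitrary one.
vhost_name(S) ->
    case ssl:sni_hostname(S) of
        undefined               -> "default";
        Host when is_list(Host) -> Host
    end.
```

Start it with sni_vhost_example:listen(8443) and connect with a client that sends a server_name; the handshake must complete before vhost_name/1 is meaningful, which is why the accept loop never calls it itself. Whatever the final API returns for the no-SNI case (undefined, unknown, {error, unknown} or the machine's own hostname as suggested above), the server-side mapping to a deliberate default certificate is the part worth getting right, since clients that omit SNI should not be able to influence which host's key is used.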


