From: cinap_lenrek@felloff.net
To: 9front@9front.org
Subject: Re: [9front] [PATCH] libsec, pushtls, tlssrv: add support for Server Name Indication (SNI) extension
Date: Thu, 25 Jan 2024 16:14:00 +0100 [thread overview]
Message-ID: <DBC3402753C09477A508BE6DFBE35B09@felloff.net> (raw)
In-Reply-To: <00616767145C9F32119038A94AE5BBAE@9lab.org>
> Yes. The current patch more or less just serves the function to get
> the conversation started using a working implementation that aimed at
> keeping the amount of differences to a bare minimum.
yeah, thats totally reasonable. thank you btw :)
> So the proposal is to introduce a (1) new tlsServerX() function using
> a (2) lookup interface that provides a certificate given a server
> name. The 'database' of lookup results (i.e. the certificates)
> is indexed by certificate subjects extracted from certificates that
> are passed via multiple (3) '-c arguments' to tlssrv to be matched
> against whatever is provided via the SNI extension.
i see the following options:
1) new tlsServerX() function with a callback that returns the certificate
for a given server-name.
2) new tlsServerY() function that lets you pass multiple certificates.
3) we keep tlsServer() as it is and require the user to get a multi-domain
certificate (just has multiple subjects).
for cases 1 and 2 we need to think how that would be handled by the
server in question (what i said about passing multiple -c arguments).
> Ok. I have to admit I am not entirely sure what you mean by 'expose
> the effective server name (like putenv() in tlssrv)'. Do you mean
> there is an env variable we ought to set before calling say tcp80 or
> rc-httpd that provides the effective server name tlssrv parsed via
> SNI?
yes, exactly. the service should get the effective domain negotiated
from the handshake. the whole reason this SNI complication exist is that
people ran out of ipv4 addresses and start sharing a single service
port with dozens of different domains. pushing all that muxing into
the application layer that the ip layer would normally handle. for
that muxing to be effective, the service then needs to know what
domain/serverName it is.
--
cinap
next prev parent reply other threads:[~2024-01-25 15:15 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-25 11:32 igor
2024-01-25 12:11 ` cinap_lenrek
2024-01-25 12:51 ` igor
2024-01-25 15:14 ` cinap_lenrek [this message]
2024-01-26 7:21 ` igor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DBC3402753C09477A508BE6DFBE35B09@felloff.net \
--to=cinap_lenrek@felloff.net \
--cc=9front@9front.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).