Skip Menu |
 

This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 82761
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: karel.miko [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Server side SNI support
Date: Wed, 16 Jan 2013 19:51:47 +0100
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Karel Miko <karel.miko [...] gmail.com>
Download (untitled) / with headers
text/plain 613b
Hi, Net::SSLeay has server side SNI support since 1.50 http://search.cpan.org/~mikem/Net-SSLeay-1.52/lib/Net/SSLeay.pod#Low_level_API:_Server_side_Server_Name_Indication_%28SNI%29_support Please find enclosed proposal for adding server side SNI also to IO::Socket::SSL. It is implemented via a new option: SSL_server_SNI => { 'host1.domain.com' => ['h1.crt', 'h1.key'], 'host2.domain.com' => ['h2.crt', 'h2.key'] } or SSL_server_SNI => sub { my $host = shift; ...; return ($certfile, $keyfile) }, If you find my proposal handy I can write a piece of documentation for this new feature. Regards -- Karel

Message body is not shown because sender requested not to inline it.

Download (untitled) / with headers
text/plain 975b
Show quoted text
> > Please find enclosed proposal for adding server side SNI also to > IO::Socket::SSL.
Hi Karel, thanks for the patch. Although I implemented it in a different way, I was inspired by your patch and motivated, that someone needs this feature. The main difference to your patch is, that I did not add a new option, but instead let SSL_key* and SSL_cert* use a hash reference to provide the mapping between hostname and key/cert. The creation of the context per host is then done at configure time, and not when a client connects. I liked this approach more, because you get any problems with the keys or cert reported earlier. Also, not only cert and key files are supported, but also cert and key values (e.g. X509* and PKEY* objects). The drawback of this approach is, that I don't offer a callback function, which determines cert and key when the client connects. This might be added in the future, but currently I don't see much value in it. Thanks again, Steffen


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.