[Reference:<_A4641@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: 2 https certificates running on the same delegate host.
17 Nov 2009 02:20:11 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A4641@delegate-en.ML_> on 11/17/09(10:26:59)
you Huirong Wang <pd4jabdyi-hugik5syg5xr.ml@ml.delegate.org> wrote:
 |As I know there is too much restriction with the browser for supporting SNI, it's not practical for our end user. 
 |
 |Before introducing certificates naming with the new version, Could I know the details of how to use the STLS parameter with "connMap" and "-cert" option to achieve it? which delegate version does it require?

Please read the reference manual if you are interested in it.
I made the enclosed patch, which enables selecting a certificate for
each incoming network interface by naming the certificate files as follows:

  DGROOT/etc/certs/sva.127.0.0.1.pem
  DGROOT/etc/certs/sva.192.168.1.1.pem
  ...

With the patch applied and the certificates named as above, and with the TLSCONF="-vd"
option, you will see log output like the following:

11/17 11:14:44.57 [12087] 1+1: ## SSLway CFI_TYPE=FCL: -ac is assumed
11/17 11:14:44.57 [12087] 1+1: ## SSLway start
11/17 11:14:44.57 [12087] 1+1: ## SSLway reuse ctx #2088594664 C0A220
11/17 11:14:44.57 [12087] 1+1: ## SSLway -- net-if cert [sva.127.0.0.1.pem] or [sva.127.0.0.1.pem]
11/17 11:14:44.57 [12087] 1+1: ## SSLway -- net-if cert found [.../delegate/etc/certs/sva.127.0.0.1.pem]
11/17 11:14:44.58 [12087] 1+1: ## SSLway certchain loaded: .../delegate/etc/certs/sva.127.0.0.1.pem
11/17 11:14:44.58 [12087] 1+1: ## SSLway keyfile loaded: .../delegate/etc/certs/sva.127.0.0.1.pem

11/17 11:15:47.78 [12098] 1+1: ## SSLway CFI_TYPE=FCL: -ac is assumed
11/17 11:15:47.78 [12098] 1+1: ## SSLway start
11/17 11:15:47.78 [12098] 1+1: ## SSLway reuse ctx #2088594664 C0A110
11/17 11:15:47.78 [12098] 1+1: ## SSLway -- net-if cert [sva.192.168.1.1.pem] or [sva.192.168.1.1.pem]
11/17 11:15:47.78 [12098] 1+1: ## SSLway -- net-if cert found [.../delegate/etc/certs/sva.192.168.1.1.pem]
11/17 11:15:47.79 [12098] 1+1: ## SSLway certchain loaded: .../delegate/etc/certs/sva.192.168.1.1.pem
11/17 11:15:47.79 [12098] 1+1: ## SSLway keyfile loaded: .../delegate/etc/certs/sva.192.168.1.1.pem


Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


diff -cr dist/src/delegate9.9.6-pre2/filters/sslway.c ./filters/sslway.c
*** dist/src/delegate9.9.6-pre2/filters/sslway.c	Fri Sep 11 04:38:20 2009
--- ./filters/sslway.c	Tue Nov 17 11:04:17 2009
***************
*** 724,729 ****
--- 724,731 ----
  static const char *CERTF_CLP  = "to-cl.%s.pem"; /* to be shown to the client %s */
  static const char *CERTF_SNI  = "sn.%s.pem";    /* SNI */
  static const char *CERTF_NIF  = "if.%s.pem";    /* for the network interface */
+ static const char *CERTF_CLA  = "cla.%s.pem";   /* for outgoing net-if */
+ static const char *CERTF_SVA  = "sva.%s.pem";   /* for incoming net-if */
  
  static const char *CERTF_SVCA = "ca-sv.pem";
  static const char *CERTD_SVCA = "ca-sv";
***************
*** 1948,1953 ****
--- 1950,1977 ----
  		SSL_set_tlsext_host_name(conSSL,vhost);
  	}
  }
+ int VSA_getsockname(int sock,VSAddr *vsa);
+ const char *VSA_ntoa(VSAddr *sap);
+ static void set_ifcert(SSL_CTX *ctx,int sock,int clnt){
+ 	const char *addr;
+ 	VSAddr vsa;
+ 	IStr(nif,256);
+ 	IStr(sva,256);
+ 	IStr(path,256);
+ 
+ 	if( VSA_getsockname(sock,&vsa) == 0 )
+ 	if( addr = VSA_ntoa(&vsa) ){
+ 		sprintf(nif,CERTF_NIF,addr);
+ 		sprintf(sva,CERTF_SVA,addr);
+ 		DEBUG("-- net-if cert [%s] or [%s]",sva,nif);
+ 		if( !clnt && findcert(sva,AVStr(path),0)
+ 		 || findcert(nif,AVStr(path),0)
+ 		){
+ 			DEBUG("-- net-if cert found [%s]",path);
+ 			setcert1(ctx,path,path,clnt);
+ 		}
+ 	}
+ }
  static int ssl_dfltCAs(SSL_CTX *ctx,int clnt){
  	IStr(file,1024);
  	IStr(cdir,1024);
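Review bot: The condition in set_ifcert, `!clnt && findcert(sva,AVStr(path),0) || findcert(nif,AVStr(path),0)`, depends on && binding tighter than ||; the fall-through from sva.*.pem to if.*.pem looks intended, but it should be written `(!clnt && findcert(sva,AVStr(path),0)) || findcert(nif,AVStr(path),0)` so the precedence is explicit and -Wparentheses stays quiet, and the assignment on the line above is clearer as `if( (addr = VSA_ntoa(&vsa)) != NULL )`. CERTF_CLA added in the first hunk is never referenced in this patch, and the only caller (third hunk) passes clnt=0, so the client-side branch of set_ifcert is dead code as submitted and deserves either a use or a comment saying it is reserved. The two sprintf calls format the interface address into 256-byte IStr buffers; the address text is short in practice, but a length-bounded formatter consistent with the rest of the file would remove that assumption. A one-line comment on the function, `/* pick the certificate for the local net-if the connection arrived on: sva.<addr>.pem, else if.<addr>.pem */`, would help readers; this presumes findcert returns non-zero on success, as the DEBUG line implies.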
***************
*** 3338,3343 ****
--- 3362,3368 ----
  		}
  
  		if( 0 <= accfd ){
+ 			set_ifcert(ctx,accfd,0);
  			SSL_CTX_set_tlsext_servername_callback(ctx,get_vhost);
  		accSSL = ssl_acc(ctx,accfd);
  		if( accSSL == NULL )
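Review bot: set_ifcert loads a certificate into ctx right before ssl_acc, and the log in the message shows this ctx being reused (`reuse ctx #...`); if the same ctx object can serve connections arriving on different interfaces within one process, the last loaded certificate wins, so a comment stating whether ctx is per-connection or per-interface would be worth adding here. The ordering, net-if certificate first and the SNI servername callback registered after it, means an SNI match can override the per-interface choice; that seems intended and a short comment, `/* net-if cert first; SNI callback may override it */`, would record it. The enclosing function starts and ends outside the hunk.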
diff -cr dist/src/delegate9.9.6-pre2/rary/vsaddr.c ./rary/vsaddr.c
*** dist/src/delegate9.9.6-pre2/rary/vsaddr.c	Sun Sep  6 17:23:12 2009
--- ./rary/vsaddr.c	Tue Nov 17 10:22:34 2009
***************
*** 99,104 ****
--- 99,109 ----
  			return 1;
  	return 0;
  }
+ int VSA_getsockname(int sock,VSAddr *vsa){
+ 	int len;
+ 	len = sizeof(VSAddr);
+ 	return getsockname(sock,(SAP)vsa,&len);
+ }
  extern int isUDPsock(int sock);
  int strfSocket(PVStr(desc),int size,PCStr(fmt),int sock){
  	CStr(tmp,1024);
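Review bot: VSA_getsockname passes `&len` where getsockname expects a `socklen_t *`, but `len` is declared `int`; this warns on most compilers and is a genuine type mismatch where socklen_t is not int-sized, so it should read `socklen_t len = sizeof(VSAddr);`. The function is also declared ad hoc inside sslway.c (second hunk) rather than in the vsaddr header next to VSA_ntoa, which invites the two declarations to drift apart. A brief header comment, `/* local address of sock as a VSAddr; returns getsockname()'s 0 / -1 */`, would document the contract the caller relies on.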
