Article delegate-en/4643 of [1-5169] on the server localhost:119
[Reference:<_A4642@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: 2 https certificates running on the same delegate host.
17 Nov 2009 06:15:32 GMT Huirong Wang <pd4jabdyi-p5lznxlxzbxr.ml@ml.delegate.org>



Dear Yutaka,

I just tested it on our test platform, it's working! Thanks a lot. Before I apply it, can I ask you a question? Are you going to contain this specific patch in your future release or not? If not, then its maintenance will be a problem. That is to say, this is just a special version for our requirements only. It's hard to upgrade in the future.

Best Regards,

David

> To: feedback@delegate.org
> CC: pd4jabdyi-p5lznxlxzbxr.ml@ml.delegate.org
> Subject: Re: [DeleGate-En] 2 https certificates running on the same delegate host.
> From: feedback@delegate.org
> Date: Tue, 17 Nov 2009 11:20:08 +0900
> 
> Hi,
> 
> In message <_A4641@delegate-en.ML_> on 11/17/09(10:26:59)
> you Huirong Wang <pd4jabdyi-p5lznxlxzbxr.ml@ml.delegate.org> wrote:
> |As I know there is too much restriction with the browser for supporting SNI, it's not practical for our end user. 
> |
> |Before introducing certificates naming with the new version, Could I know the details of how to use the STLS parameter with "connMap" and "-cert" option to achieve it? which delegate version does it require?
> 
> Please read the reference manual if you are interested in it.
> I made the enclosed patch which enables selecting a certificate for
> each incoming network interface as follows:
> 
> DGROOT/etc/certs/sva.127.0.0.1.pem
> DGROOT/etc/certs/sva.192.168.1.1.pem
> ...
> 
> With the patch and certificates name as above, and with the TLSCONF="-vd"
> option, you will see the log as follows: 
> 
> 11/17 11:14:44.57 [12087] 1+1: ## SSLway CFI_TYPE=FCL: -ac is assumed
> 11/17 11:14:44.57 [12087] 1+1: ## SSLway start
> 11/17 11:14:44.57 [12087] 1+1: ## SSLway reuse ctx #2088594664 C0A220
> 11/17 11:14:44.57 [12087] 1+1: ## SSLway -- net-if cert [sva.127.0.0.1.pem] or [sva.127.0.0.1.pem]
> 11/17 11:14:44.57 [12087] 1+1: ## SSLway -- net-if cert found [.../delegate/etc/certs/sva.127.0.0.1.pem]
> 11/17 11:14:44.58 [12087] 1+1: ## SSLway certchain loaded: .../delegate/etc/certs/sva.127.0.0.1.pem
> 11/17 11:14:44.58 [12087] 1+1: ## SSLway keyfile loaded: .../delegate/etc/certs/sva.127.0.0.1.pem
> 
> 11/17 11:15:47.78 [12098] 1+1: ## SSLway CFI_TYPE=FCL: -ac is assumed
> 11/17 11:15:47.78 [12098] 1+1: ## SSLway start
> 11/17 11:15:47.78 [12098] 1+1: ## SSLway reuse ctx #2088594664 C0A110
> 11/17 11:15:47.78 [12098] 1+1: ## SSLway -- net-if cert [sva.192.168.1.1.pem] or [sva.192.168.1.1.pem]
> 11/17 11:15:47.78 [12098] 1+1: ## SSLway -- net-if cert found [.../delegate/etc/certs/sva.192.168.1.1.pem]
> 11/17 11:15:47.79 [12098] 1+1: ## SSLway certchain loaded: .../delegate/etc/certs/sva.192.168.1.1.pem
> 11/17 11:15:47.79 [12098] 1+1: ## SSLway keyfile loaded: .../delegate/etc/certs/sva.192.168.1.1.pem
> 
> 
> Cheers,
> Yutaka
> --
> 9 9 Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
> ( ~ ) National Institute of Advanced Industrial Science and Technology
> _< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller
> 
> 
> diff -cr dist/src/delegate9.9.6-pre2/filters/sslway.c ./filters/sslway.c
> *** dist/src/delegate9.9.6-pre2/filters/sslway.c Fri Sep 11 04:38:20 2009
> --- ./filters/sslway.c Tue Nov 17 11:04:17 2009
> ***************
> *** 724,729 ****
> --- 724,731 ----
> static const char *CERTF_CLP = "to-cl.%s.pem"; /* to be shown to the client %s */
> static const char *CERTF_SNI = "sn.%s.pem"; /* SNI */
> static const char *CERTF_NIF = "if.%s.pem"; /* for the network interface */
> + static const char *CERTF_CLA = "cla.%s.pem"; /* for outgoing net-if */
> + static const char *CERTF_SVA = "sva.%s.pem"; /* for incoming net-if */
> 
> static const char *CERTF_SVCA = "ca-sv.pem";
> static const char *CERTD_SVCA = "ca-sv";
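Review bot: CERTF_CLA ("cla.%s.pem", for the outgoing net-if) is added in this hunk but nothing else in the patch uses it; set_ifcert formats only CERTF_NIF and CERTF_SVA, and its single call site passes clnt=0. Either drop the constant or add the outgoing-side lookup it is named for, and document the three naming patterns (if.*, sva.*, cla.*) and their precedence in the manual next to the TLSCONF="-vd" log shown in the mail, since the directory listing alone does not say which file wins when both if.<addr>.pem and sva.<addr>.pem exist.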
> ***************
> *** 1948,1953 ****
> --- 1950,1977 ----
> SSL_set_tlsext_host_name(conSSL,vhost);
> }
> }
> + int VSA_getsockname(int sock,VSAddr *vsa);
> + const char *VSA_ntoa(VSAddr *sap);
> + static void set_ifcert(SSL_CTX *ctx,int sock,int clnt){
> + const char *addr;
> + VSAddr vsa;
> + IStr(nif,256);
> + IStr(sva,256);
> + IStr(path,256);
> + 
> + if( VSA_getsockname(sock,&vsa) == 0 )
> + if( addr = VSA_ntoa(&vsa) ){
> + sprintf(nif,CERTF_NIF,addr);
> + sprintf(sva,CERTF_SVA,addr);
> + DEBUG("-- net-if cert [%s] or [%s]",sva,nif);
> + if( !clnt && findcert(sva,AVStr(path),0)
> + || findcert(nif,AVStr(path),0)
> + ){
> + DEBUG("-- net-if cert found [%s]",path);
> + setcert1(ctx,path,path,clnt);
> + }
> + }
> + }
> static int ssl_dfltCAs(SSL_CTX *ctx,int clnt){
> IStr(file,1024);
> IStr(cdir,1024);
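Review bot: the condition `if( !clnt && findcert(sva,AVStr(path),0) || findcert(nif,AVStr(path),0) )` relies on && binding tighter than ||; write it as `( !clnt && findcert(sva,AVStr(path),0) ) || findcert(nif,AVStr(path),0)` so the intended rule (sva.* only on the server side, if.* as the fallback for either side) is explicit rather than a precedence accident. The assignment inside `if( addr = VSA_ntoa(&vsa) )` should be `(addr = VSA_ntoa(&vsa)) != NULL` to keep the usual compiler warning quiet, and the two prototypes for VSA_getsockname and VSA_ntoa belong in the vsaddr header rather than inline in sslway.c. When neither file exists the function returns silently; a DEBUG line for the not-found case would let the -vd log show why the default certificate was used instead of the per-interface one.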
> ***************
> *** 3338,3343 ****
> --- 3362,3368 ----
> }
> 
> if( 0 <= accfd ){
> + set_ifcert(ctx,accfd,0);
> SSL_CTX_set_tlsext_servername_callback(ctx,get_vhost);
> accSSL = ssl_acc(ctx,accfd);
> if( accSSL == NULL )
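Review bot: set_ifcert(ctx,accfd,0) loads the per-interface certificate into ctx before SSL_CTX_set_tlsext_servername_callback is installed, and the servername callback runs later during the handshake, so an SNI match in get_vhost can still replace the certificate chosen here; the intended precedence between the net-if certificate and the SNI certificate should be stated in a comment at this call and in the manual. The log in the mail also shows the same context reused across connections ("SSLway reuse ctx #2088594664" for both 127.0.0.1 and 192.168.1.1), so setcert1 mutates shared state on every accept; that is only safe if each accepted connection runs in its own process or the ctx is never shared between concurrent handshakes, which deserves a comment too.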
> diff -cr dist/src/delegate9.9.6-pre2/rary/vsaddr.c ./rary/vsaddr.c
> *** dist/src/delegate9.9.6-pre2/rary/vsaddr.c Sun Sep 6 17:23:12 2009
> --- ./rary/vsaddr.c Tue Nov 17 10:22:34 2009
> ***************
> *** 99,104 ****
> --- 99,109 ----
> return 1;
> return 0;
> }
> + int VSA_getsockname(int sock,VSAddr *vsa){
> + int len;
> + len = sizeof(VSAddr);
> + return getsockname(sock,(SAP)vsa,&len);
> + }
> extern int isUDPsock(int sock);
> int strfSocket(PVStr(desc),int size,PCStr(fmt),int sock){
> CStr(tmp,1024);
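Review bot: `int len` should be `socklen_t len` because getsockname() takes a `socklen_t *`; passing `&len` of type `int *` is a type mismatch that warns, and misbehaves on platforms where socklen_t is not the same width as int. The function also returns getsockname()'s raw result (0 on success, -1 on error), which matches the `== 0` check in set_ifcert, but len is never inspected afterward, so a sockaddr larger than VSAddr would be silently truncated; checking `len <= sizeof(VSAddr)` after the call would catch that.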
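As an added example, not DeleGate's code and not part of this thread, the selection rule the patch implements written stand-alone in C: read the local address of the accepted socket with getsockname(), try sva.<addr>.pem only on the server side, fall back to if.<addr>.pem on either side, and report which file was chosen. The certificate directory and the placeholder file are constructed in a temporary directory and are not real PEM files; the helper names (local_addr_text, find_ifcert, demo_ifcert) are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Text form of a socket's local address (IPv4 or IPv6). Returns 1 on success. */
static int local_addr_text(int sock, char *buf, size_t len)
{
    struct sockaddr_storage ss;
    socklen_t slen = sizeof ss;   /* socklen_t, as getsockname() requires */
    if (getsockname(sock, (struct sockaddr *)&ss, &slen) != 0)
        return 0;
    if (ss.ss_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)&ss;
        return inet_ntop(AF_INET, &in4->sin_addr, buf, (socklen_t)len) != NULL;
    }
    if (ss.ss_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)&ss;
        return inet_ntop(AF_INET6, &in6->sin6_addr, buf, (socklen_t)len) != NULL;
    }
    return 0;
}

/* Resolve the per-interface certificate for local address addr in certdir.
 * Server side (clnt == 0): "sva.<addr>.pem" first, then "if.<addr>.pem".
 * Client side (clnt != 0): only "if.<addr>.pem".
 * Returns 1 and fills path when a regular file is found, 0 otherwise.
 * An over-long path is treated as "not found" rather than truncated. */
static int find_ifcert(const char *certdir, const char *addr, int clnt,
                       char *path, size_t plen)
{
    const char *prefixes[2];
    int n = 0;
    if (!clnt)
        prefixes[n++] = "sva";    /* server-only name, as in the patch */
    prefixes[n++] = "if";         /* generic net-if name, either side */
    for (int i = 0; i < n; i++) {
        struct stat st;
        int r = snprintf(path, plen, "%s/%s.%s.pem", certdir, prefixes[i], addr);
        if (r < 0 || (size_t)r >= plen)
            return 0;
        if (stat(path, &st) == 0 && S_ISREG(st.st_mode))
            return 1;
    }
    path[0] = '\0';
    return 0;
}

/* Self-contained demonstration. Binds a socket to loopback (standing in for
 * the accepted connection), creates a constructed placeholder file named like
 * the patch's server-side certificate, and runs both lookups.
 * Returns a bitmask: bit 0 = server lookup picked sva.<addr>.pem,
 * bit 1 = client lookup correctly found nothing; 3 means both held. */
int demo_ifcert(void)
{
    char dir[] = "/tmp/ifcert-demo-XXXXXX";
    char addr[INET6_ADDRSTRLEN], path[512], certfile[512];
    struct sockaddr_in sa;
    int sock, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    sock = socket(AF_INET, SOCK_STREAM, 0);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;              /* any free port */
    if (sock < 0 || bind(sock, (struct sockaddr *)&sa, sizeof sa) != 0
        || !local_addr_text(sock, addr, sizeof addr)) {
        if (sock >= 0) close(sock);
        rmdir(dir);
        return -2;
    }

    /* Constructed placeholder, not a real certificate: sva.127.0.0.1.pem */
    snprintf(certfile, sizeof certfile, "%s/sva.%s.pem", dir, addr);
    FILE *f = fopen(certfile, "w");
    if (f) fclose(f);

    if (find_ifcert(dir, addr, 0, path, sizeof path) && strcmp(path, certfile) == 0)
        result |= 1;              /* server side found the sva.* file */
    if (!find_ifcert(dir, addr, 1, path, sizeof path))
        result |= 2;              /* client side skips sva.*, no if.* exists */

    unlink(certfile);
    rmdir(dir);
    close(sock);
    return result;
}

int main(void)
{
    int r = demo_ifcert();
    printf("demo_ifcert() = %d (3 means both lookups behaved as expected)\n", r);
    return r == 3 ? 0 : 1;
}
```

The lookup deliberately stops at name resolution; loading the chosen file into an SSL context is the part the patch does with setcert1, and doing it per accepted connection on a shared context is only sound when that context is not used by concurrent handshakes.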
