Open isoos opened 5 years ago
cc @jonasfj @sortie
Maybe if you concatenate the certificates.... You can certainly do multiple hostnames in a single certificate. Regardless, I think this is a pretty advanced feature.
But really, I would recommend terminating TLS before you hit your Dart server.
Any example of how to build a SecurityContext with multiple domains?
Or how to concatenate the certificates? I tried some variations here, but I can't make it work.
Also, relevant and useful package on pub.dev, with @gmpassos as the author, which could really use this multi-host binding: https://pub.dev/packages/shelf_letsencrypt
To generate a PKCS12 with multiple domain certificates generated with the same key pair (same private key) and with the password xyz:
openssl pkcs12 -export \
-inkey /path/to/privkey.pem \
-in /path/to/domain1.com/fullchain.pem -name domain1.com \
-certfile /path/to/domain2.com/fullchain.pem -name domain2.com \
-out /path/to/keystore-multi.pfx -passout pass:xyz
To generate a PKCS12 with multiple domain certificates WITHOUT adding a private key, and with the password xyz:
openssl pkcs12 -export \
-nokeys \
-in /path/to/domain1.com/fullchain.pem -name domain1.com \
-certfile /path/to/domain2.com/fullchain.pem -name domain2.com \
-out /path/to/keystore-multi.pfx -passout pass:xyz
The Dart code to load this:
// Password given to "-passout" when the PKCS12 was exported above.
var password = 'xyz';
// PKCS12 holding the certificate chains of all domains.
var fullchainFile = '/path/to/keystore-multi.pfx';
// The single private key shared by all the certificates.
var privateKeyFile = '/path/to/privkey.pem';
var sc = SecurityContext()
..useCertificateChain(fullchainFile, password: password)
..usePrivateKey(privateKeyFile, password: password);
Note that if you use a private key that doesn't match the certificates, you will get an exception while loading them.
The only way that I was able to load multiple certificates was using multiple domain certificates generated with the same private key (yes, this is allowed).
But this is still not enough, since the SecurityContext will always respond with the 1st domain in the PKCS12 file!
So the HTTPS request will work only for the 1st domain in the PKCS12 file.
It seems that the Dart implementation is not looking for the correct certificate subject (subject=CN = domainX.com).
@mit-mit @kevmoo We need a task force for this issue. This is very important.
FYI @brianquinlan
Any update on the issue?
@brianquinlan ?
How can I help to push this issue?
Hi, any improvement?
It's all about the selection of the correct certificate (server side) for the requested URL/domain.
?
How can I help to push this issue?
Up. Please, this is extremely important!!
I'm interested in this too
FYI: @kevmoo @brianquinlan
I’ve published a pure Dart solution for this issue:
https://github.com/gmpassos/multi_domain_secure_server
Additionally, there’s an example demonstrating its use with shelf:
https://github.com/gmpassos/multi_domain_secure_server/tree/master/example/shelf_example
Any feedback would be greatly appreciated!
Best regards,
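The per-connection selection the thread keeps coming back to (pick the certificate for the requested host name, which the Dart SDK does not do by itself) can be done in pure Dart by reading the TLS ClientHello before the handshake starts. The following is an added example, not code from this thread or from the multi_domain_secure_server package; the function names, the `contexts` map (one SecurityContext per host, built with useCertificateChain/usePrivateKey as above) and the assumption that the whole ClientHello arrives in the first read are mine.

```dart
import 'dart:async';
import 'dart:convert';
import 'dart:io';
/// Returns the SNI host_name from a raw TLS ClientHello, or null if absent.
String? sniFromClientHello(List<int> d) {
  int u16(int i) => (d[i] << 8) | d[i + 1];
  // 5-byte record header (type 0x16) + 4-byte handshake header (type 0x01),
  // then client_version (2) and random (32): session_id length sits at 43.
  if (d.length < 44 || d[0] != 0x16 || d[5] != 0x01) return null;
  var p = 44 + d[43];                               // skip legacy_session_id
  if (p + 2 > d.length) return null;
  p += 2 + u16(p);                                  // skip cipher_suites
  if (p >= d.length) return null;
  p += 1 + d[p];                                    // skip compression_methods
  if (p + 2 > d.length) return null;
  final extEnd = p + 2 + u16(p);
  p += 2;
  while (p + 4 <= extEnd && p + 4 <= d.length) {
    final type = u16(p), len = u16(p + 2);
    p += 4;
    if (type != 0) { p += len; continue; }          // not server_name (type 0)
    // list length (2), name_type (1, 0 = host_name), name length (2), name.
    if (p + 5 > d.length || d[p + 2] != 0) return null;
    final n = u16(p + 3);
    return p + 5 + n <= d.length ? ascii.decode(d.sublist(p + 5, p + 5 + n)) : null;
  }
  return null;
}

/// Reads the ClientHello, picks the SecurityContext for its SNI name (first
/// context as fallback) and hands the buffered bytes back to the TLS handshake.
Future<RawServerSocket> serveByHostName(Map<String, SecurityContext> contexts,
    int port, void Function(RawSecureSocket s, String? host) onConnection) async {
  final server = await RawServerSocket.bind(InternetAddress.anyIPv4, port);
  server.listen((RawSocket raw) {
    late StreamSubscription<RawSocketEvent> sub;
    sub = raw.listen((event) async {
      if (event != RawSocketEvent.read) return;
      final hello = raw.read();   // assumption: whole ClientHello in one read
      if (hello == null) return;
      final host = sniFromClientHello(hello);
      final ctx = contexts[host] ?? contexts.values.first;
      // The subscription is handed over unpaused; secureServer replaces its
      // handlers and feeds bufferedData to the TLS engine first.
      final secure = await RawSecureSocket.secureServer(raw, ctx,
          subscription: sub, bufferedData: hello);
      onConnection(secure, host);
    });
  });
  return server;
}
```

A handshake failure (for example a client that sent no SNI and does not trust the fallback certificate) surfaces as an error from the awaited secureServer call, so a production caller should wrap it in try/catch and close the raw socket.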
@gmpassos Thank you, this looks interesting and useful! I shall try it out in the coming weeks.
I couldn't find any example, test or documentation on how to create an https server with multiple hostnames (separate certificates for each host). Is it supported?