Closed n0wa11 closed 11 years ago
Do you mean multiple non-wildcard certificates?
Could be completely different domain names. For example, abc.com and xyz.com.
Here is a use case in Apache.
http://serverfault.com/questions/81424/multiple-ssl-certificate-on-apache
Currently shrpx only supports a single certificate. To implement this, I think that if the client uses SNI to indicate the server hostname, we do the domain match against the certificate list and switch to the right SSL context. Stud does this too.
SNI: I believe so.
Work in progress.
Appreciate it very much.
If I install a dozen or even hundreds of certificates, it shouldn't be much of a performance drag, right? It is just a simple look-up.
For just simple matching, it is not a problem. Wildcard certs need additional computation to look up, but we can limit the wildcard certs that are matched, so I think it will be fine.
Do you mean to enumerate the sub-domains under the wildcard certificate?
For a *.abc.com certificate, the server side already knows all the sub-domains. For example, x.abc.com, y.abc.com, z.abc.com.
Sorry to ask. Do you have an ETA for the feature, so that I can plan my deployment procedure?
Yes. If the server has a certificate with the wildcard subjectAltName *.abc.com and the client indicates x.abc.com as the server name in SNI, x.abc.com matches *.abc.com and the server chooses that certificate. Wildcard certificates are useful, but it is a little bit controversial how to match *. Shrpx uses rules based on https://tools.ietf.org/html/rfc6125#section-6.4.3
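The matching rule the reply points to, worked through as an added example (this is not nghttp2's or the thread's own code): a C++ matcher that follows the RFC 6125 section 6.4.3 rules, with a wildcard honoured only in the left-most label and standing for exactly one label, plus a small catalogue that resolves an SNI server name to a certificate by trying exact names in a hash map first and only then scanning the short list of wildcard names. The names hostnameMatch and CertCatalog, the certificate paths and the sample DNS names are all constructed for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// DNS names are case-insensitive, so normalise before comparing.
static std::string lowerCase(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  return s;
}

// Match a host name against a presented identifier using the RFC 6125
// section 6.4.3 rules: '*' is honoured only in the left-most label, it
// stands for exactly one label, and it may be mixed with literal characters
// in that label (b*z.example.net matches buzz.example.net).
bool hostnameMatch(const std::string &patternIn, const std::string &hostIn) {
  const std::string pattern = lowerCase(patternIn);
  const std::string host = lowerCase(hostIn);
  const auto star = pattern.find('*');
  if (star == std::string::npos) {
    return pattern == host;  // no wildcard: plain comparison
  }
  const auto patDot = pattern.find('.');
  // Reject a '*' outside the left-most label, more than one '*', or a
  // pattern with no parent domain at all.
  if (patDot == std::string::npos || star > patDot ||
      pattern.find('*', star + 1) != std::string::npos) {
    return false;
  }
  const auto hostDot = host.find('.');
  if (hostDot == std::string::npos) {
    return false;  // "*.abc.com" can never match a single-label name
  }
  // Everything after the first label must be identical; this is what makes
  // "*.abc.com" match "x.abc.com" but not "y.x.abc.com" or "abc.com".
  if (pattern.compare(patDot, std::string::npos, host, hostDot,
                      std::string::npos) != 0) {
    return false;
  }
  // The left-most host label must carry the literal text around the '*'.
  const std::string prefix = pattern.substr(0, star);
  const std::string suffix = pattern.substr(star + 1, patDot - star - 1);
  const std::string label = host.substr(0, hostDot);
  if (label.size() < prefix.size() + suffix.size()) {
    return false;
  }
  return label.compare(0, prefix.size(), prefix) == 0 &&
         label.compare(label.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// One installed certificate: the path it was loaded from and the DNS names
// found in it (subjectAltName entries plus the commonName).
struct CertEntry {
  std::string certPath;
  std::vector<std::string> dnsNames;
};

// Built once at startup. Exact names go into a hash map, so the common case
// is a single lookup; wildcard names stay in a short list that is scanned
// only when no exact name matched.
class CertCatalog {
 public:
  void add(CertEntry entry) {
    const std::size_t idx = entries_.size();
    for (const auto &name : entry.dnsNames) {
      if (name.find('*') == std::string::npos) {
        exact_.emplace(lowerCase(name), idx);  // first cert for a name wins
      } else {
        wildcards_.emplace_back(lowerCase(name), idx);
      }
    }
    entries_.push_back(std::move(entry));
  }

  // Path of the certificate to present for the SNI server name, or an empty
  // string when nothing matches (the caller then uses the default cert).
  std::string select(const std::string &sniName) const {
    const auto it = exact_.find(lowerCase(sniName));
    if (it != exact_.end()) {
      return entries_[it->second].certPath;
    }
    for (const auto &w : wildcards_) {
      if (hostnameMatch(w.first, sniName)) {
        return entries_[w.second].certPath;
      }
    }
    return "";
  }

 private:
  std::vector<CertEntry> entries_;
  std::unordered_map<std::string, std::size_t> exact_;
  std::vector<std::pair<std::string, std::size_t>> wildcards_;
};

// Constructed sample catalogue; the paths are placeholders, not real files.
CertCatalog sampleCatalog() {
  CertCatalog catalog;
  catalog.add({"/etc/ssl/abc.pem", {"abc.com", "www.abc.com"}});
  catalog.add({"/etc/ssl/xyz.pem", {"xyz.com"}});
  catalog.add({"/etc/ssl/wild-abc.pem", {"*.abc.com"}});
  return catalog;
}
```

Because the parent domain after the first label must match exactly, *.abc.com selects a certificate for x.abc.com but not for abc.com itself or for y.x.abc.com, which is why a deployment usually installs the bare-domain name as an exact entry alongside the wildcard. Exact names are resolved with one hash lookup regardless of how many certificates are installed; only the wildcard list grows the per-handshake cost, and it is typically a handful of entries.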
The lookup part has been done; integration and testing remain. It does not take long, but I cannot say an exact date. If all goes well, I can publish these changes in 3 or 4 days.
Integrating work has been done much faster than I imagined. I pushed the changes to the repo.
See the --subcert option for how to add additional certs.
Thanks very much.
How do I let shrpx know the hostname associated with the key and certificate?
--subcert=<KEYPATH>:<CERTPATH>
    Specify additional certificate and private key file. Shrpx will choose certificates based on the hostname indicated by client using TLS SNI extension. This option can be used multiple times.
In Apache, there is the ServerName directive.
Shrpx reads the certificate and finds the hostnames there. Currently it searches for DNS names in subjectAltNames and the commonName.
Did it work for you?
Please give me another day. Caught up in other things.
Yes. It worked, although I haven't had a chance to use a commercial certificate. But I assume it won't be a problem. Thanks very much.
Is there a way to support multiple domain names and multiple SSL certificates?