[PATCH] Support TLS+SNI and virtual domains

Hampa Hug apmah at gmx.net
Fri May 15 07:02:27 EDT 2015


It seems that imapd does not support virtual domains over a
single TLS connection. Specifically, if imapd is configured for
multiple virtual domains, but listens only on a single IP/port,
all clients for all but one virtual domain will get the wrong
TLS certificate.

The attached patch allows imapd to send the correct certificate
if the client supports the SNI (Server Name Indication)
extension to TLS. To implement this, two new config file
options "tls_server_cert_dir" and "tls_server_key_dir" are
added. When a client connects and supplies a server name, imapd
looks for a certificate and a private key in
<tls_server_cert_dir>/<servername>.pem and
<tls_server_key_dir>/<servername>.pem, respectively. If it
finds a certificate, it uses that instead of the default

The patch has been briefly tested with Mozilla Thunderbird as a
client and seems to work.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: imapd-tls-sni.diff
Type: application/x-diff
Size: 2981 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20150515/8ddbf297/attachment.bin 

More information about the Cyrus-devel mailing list