[PATCH] Support TLS+SNI and virtual domains

Hampa Hug apmah at gmx.net
Fri May 15 07:02:27 EDT 2015


Hi

It seems that imapd does not support virtual domains over a
single TLS connection. Specifically, if imapd is configured for
multiple virtual domains, but listens only on a single IP/port,
all clients for all but one virtual domain will get the wrong
TLS certificate.

The attached patch allows imapd to send the correct certificate
if the client supports the SNI (Server Name Indication)
extension to TLS. To implement this, two new config file
options "tls_server_cert_dir" and "tls_server_key_dir" are
added. When a client connects and supplies a server name, imapd
looks for a certificate and a private key in
<tls_server_cert_dir>/<servername>.pem and
<tls_server_key_dir>/<servername>.pem, respectively. If it
finds a certificate, it uses that instead of the default
certificate.

The patch has been briefly tested with Mozilla Thunderbird as a
client and seems to work.

Comments?

cheers,
Hampa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: imapd-tls-sni.diff
Type: application/x-diff
Size: 2981 bytes
Desc: not available
Url : http://lists.andrew.cmu.edu/pipermail/cyrus-devel/attachments/20150515/8ddbf297/attachment.bin 
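The lookup scheme described above, as an added example in Python rather than C. This is not the attached patch and not Cyrus code; it mirrors the described layout (<cert_dir>/<servername>.pem and <key_dir>/<servername>.pem) on top of Python's ssl module, using the standard sni_callback hook. Two choices here are this example's own, not the post's: the SNI name is checked to be a plain RFC 1123 hostname before it is used to build a file path (a client-supplied string should never reach the filesystem unchecked), and a per-name certificate is used only when both the certificate and the key file exist, otherwise the default certificate is kept. All function and directory names are assumptions for illustration; demo_layout() builds a constructed directory tree with empty placeholder files so the path-selection logic can be exercised offline.

```python
"""Per-virtual-domain certificate selection driven by TLS SNI.

Added example, not Cyrus imapd code. Per-name files live at
<cert_dir>/<servername>.pem and <key_dir>/<servername>.pem; when no
pair exists for the SNI name the default context stays in force.
"""
import os
import re
import ssl
import tempfile
from typing import Optional, Tuple

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, no empty labels, no trailing dot (RFC 6066
# forbids a trailing dot in the SNI host_name).
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def normalize_sni_name(servername: Optional[str]) -> Optional[str]:
    """Lower-case the SNI name; return None unless it is a plain hostname.

    Rejecting anything that is not a hostname is what keeps names such as
    "../keys/x" or absolute paths from ever reaching os.path.join below.
    """
    if not servername:
        return None
    name = servername.strip().lower()
    if len(name) > 253 or not _HOSTNAME_RE.match(name):
        return None
    return name


def find_sni_files(servername: Optional[str], cert_dir: str,
                   key_dir: str) -> Optional[Tuple[str, str]]:
    """Map an SNI name to (cert_path, key_path), or None to keep the default."""
    name = normalize_sni_name(servername)
    if name is None:
        return None
    cert = os.path.join(cert_dir, name + ".pem")
    key = os.path.join(key_dir, name + ".pem")
    # Design choice of this example: require both files, so a half-installed
    # virtual domain falls back to the default certificate instead of failing.
    if not (os.path.isfile(cert) and os.path.isfile(key)):
        return None
    return cert, key


def make_sni_callback(cert_dir: str, key_dir: str):
    """Return an ssl sni_callback that swaps in the per-domain context."""
    cache = {}  # (cert, key) -> SSLContext, loaded once per pair

    def sni_callback(sslsocket: ssl.SSLObject, servername: Optional[str],
                     default_ctx: ssl.SSLContext):
        files = find_sni_files(servername, cert_dir, key_dir)
        if files is None:
            return None  # keep the default certificate, handshake continues
        ctx = cache.get(files)
        if ctx is None:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(certfile=files[0], keyfile=files[1])
            cache[files] = ctx
        sslsocket.context = ctx  # certificate presented for this connection
        return None

    return sni_callback


def build_server_context(default_cert: str, default_key: str,
                         cert_dir: str, key_dir: str) -> ssl.SSLContext:
    """Default context plus SNI hook; wrap listening sockets with this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile=default_cert, keyfile=default_key)
    ctx.sni_callback = make_sni_callback(cert_dir, key_dir)
    return ctx


def demo_layout(domain: str = "mail.example.com") -> Tuple[str, str]:
    """Constructed directory tree with empty placeholder .pem files.

    Only for exercising the path selection offline; the placeholders are
    not real certificates and must not be passed to load_cert_chain().
    """
    base = tempfile.mkdtemp(prefix="sni-demo-")
    cert_dir = os.path.join(base, "certs")
    key_dir = os.path.join(base, "keys")
    os.makedirs(cert_dir)
    os.makedirs(key_dir)
    for d in (cert_dir, key_dir):
        open(os.path.join(d, domain + ".pem"), "w").close()
    return cert_dir, key_dir


if __name__ == "__main__":
    cd, kd = demo_layout()
    print(find_sni_files("MAIL.example.com", cd, kd))
    print(find_sni_files("other.example.com", cd, kd))
    print(find_sni_files("../keys/mail.example.com", cd, kd))
```

In production the callback would be installed on the listener's context via build_server_context() with real PEM files; the demo tree only shows which name maps to which file and which names are refused.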