[PATCH] Support TLS+SNI and virtual domains

Hampa Hug apmah at gmx.net
Wed May 27 06:24:00 EDT 2015


Hampa Hug wrote:

> It seems that imapd does not support virtual domains over a
> single TLS connection. Specifically, if imapd is configured
> for multiple virtual domains, but listens only on a single
> IP/port, all clients for all but one virtual domain will get
> the wrong TLS certificate.
> 
> The attached patch allows imapd to send the correct
> certificate if the client supports the SNI (Server Name
> Indication) extension to TLS. To implement this, two new
> config file options "tls_server_cert_dir" and
> "tls_server_key_dir" are added. When a client connects and
> supplies a server name, imapd looks for a certificate and a
> private key in <tls_server_cert_dir>/<servername>.pem and
> <tls_server_key_dir>/<servername>.pem, respectively. If it
> finds a certificate, it uses that instead of the default
> certificate.
> 
> The patch has been briefly tested with Mozilla Thunderbird as
> a client and seems to work.
> 
> Comments?

Ping

cheers,
Hampa
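
The per-domain lookup the quoted message describes (certificate and key resolved from `<tls_server_cert_dir>/<servername>.pem` and `<tls_server_key_dir>/<servername>.pem`, default certificate otherwise), as an added Python illustration rather than the patch's own C code for imapd: the server name is checked against hostname syntax before it is used as a filename component, since the client chooses it, and the directory names and placeholder files below are constructed for the example.

```python
import re
import ssl
import tempfile
from pathlib import Path

# Hostname syntax (RFC 1123 labels joined by dots). The SNI value is chosen by
# the client, so anything outside this grammar never reaches the file lookup.
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def is_safe_servername(name):
    return bool(name) and len(name) <= 253 and _HOSTNAME_RE.match(name) is not None

def select_cert_paths(cert_dir, key_dir, servername):
    """Map an SNI name to (cert, key) files, or None to keep the default cert."""
    if not is_safe_servername(servername):
        return None
    name = servername.lower()
    cert = Path(cert_dir) / f"{name}.pem"
    key = Path(key_dir) / f"{name}.pem"
    if cert.is_file() and key.is_file():
        return str(cert), str(key)
    return None  # no per-domain pair: fall back to the listener's default

def make_sni_callback(cert_dir, key_dir):
    """Build a callback for ssl.SSLContext.sni_callback that swaps contexts."""
    cache = {}  # (cert, key) -> SSLContext, so each pair is parsed once

    def sni_callback(ssl_sock, servername, default_ctx):
        chosen = select_cert_paths(cert_dir, key_dir, servername)
        if chosen is None:
            return None  # None continues the handshake with default_ctx
        if chosen not in cache:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(certfile=chosen[0], keyfile=chosen[1])
            cache[chosen] = ctx
        ssl_sock.context = cache[chosen]
        return None

    return sni_callback

def build_demo_dirs():
    """Constructed layout: placeholder files (not real PEMs) for one domain."""
    base = Path(tempfile.mkdtemp())
    cert_dir, key_dir = base / "certs", base / "keys"
    cert_dir.mkdir()
    key_dir.mkdir()
    (cert_dir / "mail.example.org.pem").write_text("placeholder certificate\n")
    (key_dir / "mail.example.org.pem").write_text("placeholder key\n")
    return str(cert_dir), str(key_dir)
```

Wiring it up is `ctx.sni_callback = make_sni_callback(cert_dir, key_dir)` on the listener's default context; with real PEM files in place, a client sending `mail.example.org` is answered with that domain's chain.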


More information about the Cyrus-devel mailing list