[PATCH] Support TLS+SNI and virtual domains
Ken Murchison
murch at andrew.cmu.edu
Wed May 27 09:18:51 EDT 2015
Hampa,
Thanks for the patch. I have created a task for this feature and
attached you patch (differential): https://git.cyrus.foundation/T190
On 05/27/2015 06:24 AM, Hampa Hug wrote:
> Hampa Hug wrote:
>
>> It seems that imapd does not support virtual domains over a
>> single TLS connection. Specifically, if imapd is configured
>> for multiple virtual domains, but listens only on a single
>> IP/port, all clients for all but one virtual domain will get
>> the wrong TLS certificate.
>>
>> The attached patch allows imapd to send the correct
>> certificate if the client supports the SNI (Server Name
>> Indication) extension to TLS. To implement this, two new
>> config file options "tls_server_cert_dir" and
>> "tls_server_key_dir" are added. When a client connects and
>> supplies a server name, imapd looks for a certificate and a
>> private key in <tls_server_cert_dir>/<servername>.pem and
>> <tls_server_key_dir>/<servername>.pem, respectively. If it
>> finds a certificate, it uses that instead of the default
>> certificate.
>>
>> The patch has been briefly tested with Mozilla Thunderbird as
>> a client and seems to work.
>>
>> Comments?
> Ping
>
> cheers,
> Hampa
--
Kenneth Murchison
Principal Systems Software Engineer
Carnegie Mellon University
More information about the Cyrus-devel
mailing list