[PATCH] Support TLS+SNI and virtual domains

Ken Murchison murch at andrew.cmu.edu
Wed May 27 09:18:51 EDT 2015


Thanks for the patch.  I have created a task for this feature and 
attached you patch (differential): https://git.cyrus.foundation/T190

On 05/27/2015 06:24 AM, Hampa Hug wrote:
> Hampa Hug wrote:
>> It seems that imapd does not support virtual domains over a
>> single TLS connection. Specifically, if imapd is configured
>> for multiple virtual domains, but listens only on a single
>> IP/port, all clients for all but one virtual domain will get
>> the wrong TLS certificate.
>> The attached patch allows imapd to send the correct
>> certificate if the client supports the SNI (Server Name
>> Indication) extension to TLS. To implement this, two new
>> config file options "tls_server_cert_dir" and
>> "tls_server_key_dir" are added. When a client connects and
>> supplies a server name, imapd looks for a certificate and a
>> private key in <tls_server_cert_dir>/<servername>.pem and
>> <tls_server_key_dir>/<servername>.pem, respectively. If it
>> finds a certificate, it uses that instead of the default
>> certificate.
>> The patch has been briefly tested with Mozilla Thunderbird as
>> a client and seems to work.
>> Comments?
> Ping
> cheers,
> Hampa

Kenneth Murchison
Principal Systems Software Engineer
Carnegie Mellon University

More information about the Cyrus-devel mailing list