SNI support in SSL?
Niels Dettenbach
nd at syndicat.com
Thu Jul 3 05:54:22 EDT 2014
On 03.07.2014 11:39, Tomasz Chmielewski wrote:
> Does Cyrus support SNI (Server Name Indication) in SSL?
>
> I couldn't find this info in Cyrus documentation.
From my last point of information, Cyrus doesn't provide SNI so far in
the sense of virtual TLS hosting.
The only thing I find is:
--- snip ---
#if (OPENSSL_VERSION_NUMBER >= 0x0090806fL)
static int servername_callback(SSL *ssl, int *ad __attribute__((unused)),
                               void *arg __attribute__((unused)))
{
    const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
    if (servername) {
        syslog(LOG_DEBUG, "TLS Server Name Indication (SNI) Extension: \"%s\"",
               servername);
    }
    return SSL_TLSEXT_ERR_OK;
}
#endif
--- snap ---
...seems to just check if the SNI TLS details from the client are correct
(if the OpenSSL is new enough to provide "SNI"). This doesn't need any
further configuration of Cyrus.
SNI only makes sense if each client provides SNI too, and this is AFAIK
not the case for many mail clients, compared to e.g. HTTP.
But I'm still open to learn anything new about this...
Best regards,
Niels.
---
Niels Dettenbach
Syndicat IT&Internet
http://www.syndicat.com
More information about the Info-cyrus mailing list