SNI support in SSL?

Tomasz Chmielewski tch at virtall.com
Thu Jul 3 06:36:28 EDT 2014


Hi,

yes, from the code you've pasted, I see it is able to distinguish the 
server name.
And indeed it works:

openssl s_client -connect some-server:143 -starttls imap -servername some-domain


Makes cyrus log:

TLS Server Name Indication (SNI) Extension: "some-domain"


So in a way, Cyrus is able to use SNI.


However, I don't see a way to set Cyrus to listen on one IP, but to be 
able to serve different certificates.


-- 
Tomasz Chmielewski
http://www.sslrack.com

On 2014-07-03 11:54, Niels Dettenbach wrote:
> On 03.07.2014 11:39, Tomasz Chmielewski wrote:
>> Does Cyrus support SNI (Server Name Indication) in SSL?
>> 
>> I couldn't find this info in Cyrus documentation.
> 
> 
> From my last point of information, Cyrus doesn't provide SNI so far in
> the meaning of virtual TLS hosting.
> 
> The only thing I find is:
> 
> --- snip ---
> #if (OPENSSL_VERSION_NUMBER >= 0x0090806fL)
> static int servername_callback(SSL *ssl,
>                                int *ad __attribute__((unused)),
>                                void *arg __attribute__((unused)))
> {
>     const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
> 
>     if (servername) {
>         syslog(LOG_DEBUG, "TLS Server Name Indication (SNI) Extension: \"%s\"",
>                servername);
>     }
> 
>     return SSL_TLSEXT_ERR_OK;
> }
> #endif
> --- snap ---
> 
> ...seems to just check if the SNI TLS details from the client are correct
> (if the OpenSSL is new enough to provide "SNI"). This doesn't need any
> further configuration of Cyrus.
> 
> SNI just makes sense if each client provides SNI too, and this is afaik
> not the case for - compared to i.e. http - many mail clients.
> 
> But I'm still open to learn anything new about this...
> 
> 
> Best regards,
> 
> Niels.
> ---
> Niels Dettenbach
> Syndicat IT&Internet
> http://www.syndicat.com
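The step this thread finds missing, choosing a certificate per SNI name on one listening address, sketched as an added example (not part of the original messages and not Cyrus code). It uses Python's ssl module, which wraps OpenSSL; in C the same swap is done from the servername callback with SSL_set_SSL_CTX(). The host names and the helpers new_ctx, select_context and install_sni are hypothetical.

```python
import ssl
from types import SimpleNamespace

def new_ctx(certfile=None, keyfile=None):
    """Server context; the demo passes no paths, a real server passes one pair per name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def select_context(server_name, vhosts, default=None):
    """Map the SNI name to a context: exact match, then one-label wildcard."""
    if not server_name:                      # client sent no SNI extension
        return default
    host = server_name.rstrip(".").lower()   # DNS names are case-insensitive
    if host in vhosts:
        return vhosts[host]
    _, _, parent = host.partition(".")
    return vhosts.get("*." + parent, default) if parent else default

def install_sni(default_ctx, vhosts, strict=False):
    """Attach a callback that swaps the connection's context before the
    certificate is sent. strict=True aborts handshakes for unknown names."""
    def on_sni(conn, server_name, _initial_ctx):
        chosen = select_context(server_name, vhosts)
        if chosen is not None:
            conn.context = chosen            # certificate of the matching vhost
        elif strict and server_name:
            return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
        return None                          # continue; default cert if no match
    default_ctx.sni_callback = on_sni
    return on_sni

if __name__ == "__main__":
    # Constructed names; contexts carry no certificates in this offline demo.
    default, org, net = new_ctx(), new_ctx(), new_ctx()
    cb = install_sni(default, {"mail.example.org": org, "*.example.net": net})
    conn = SimpleNamespace(context=default)  # stand-in for the SSLSocket/SSLObject
    for name in ("MAIL.example.org.", "imap.example.net", "other.example.com", None):
        conn.context = default
        cb(conn, name, default)
        label = {id(org): "org", id(net): "net"}.get(id(conn.context), "default")
        print(f"{name!r:22} -> {label} certificate")
```

Clients that send no SNI always receive the default context's certificate, which is the case raised in the quoted reply about mail clients.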

